Index: Mk/bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.490
diff -u -r1.490 bsd.port.mk
--- Mk/bsd.port.mk 31 May 2004 18:07:57 -0000 1.490
+++ Mk/bsd.port.mk 8 Jun 2004 14:59:04 -0000
@@ -3334,10 +3334,11 @@
 # 1. setugid files
 # 2. accept()/recvfrom() which indicates network listening capability
 # 3. insecure functions (gets/mktemp/tempnam/[XXX])
-# 4. startup scripts, in conjunction with 2.
-# 5. world-writable files/dirs
+# 4. shared libs linked directly to pthreads libs
+# 5. startup scripts, in conjunction with 2.
+# 6. world-writable files/dirs
 #
- -@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump; \
+ -@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd; \
 ${AWK} -v prefix='${PREFIX}' ' \
 match($$0, /^@cwd /) { prefix = substr($$0, RSTART + RLENGTH); next; } \
 /^@/ { next; } \
@@ -3351,9 +3352,12 @@
 ${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
 | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
 | ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
+ ${GREP} '\.so' < ${WRKDIR}/.PLIST.flattened | ${TR} '\n' '\0' \
+ | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
+ | ${XARGS} -0 -n 1 /usr/bin/ldd -a 2> /dev/null > ${WRKDIR}/.PLIST.ldd; \
 if \
 ! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
- ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
+ ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
 then \
 www_site=$$(cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} www-site); \
 if [ ! -z "$${www_site}" ]; then \
Index: Tools/scripts/security-check.awk
===================================================================
RCS file: /home/ncvs/ports/Tools/scripts/security-check.awk,v
retrieving revision 1.1
diff -u -r1.1 security-check.awk
--- Tools/scripts/security-check.awk 19 Jan 2004 22:19:00 -0000 1.1
+++ Tools/scripts/security-check.awk 8 Jun 2004 14:38:09 -0000
@@ -9,6 +9,7 @@
 split("", setuid_binaries);
 split("", writable_files);
 split("", startup_scripts);
+ split("", pthreads_libs);
 header_printed = 0;
 }
 FILENAME ~ /\.flattened$/ {
@@ -18,7 +19,6 @@
 FILENAME ~ /\.objdump$/ {
 if (match($0, /: +file format [^ ]+$/)) {
 file = substr($0, 1, RSTART - 1);
- stupid_functions = "";
 next;
 }
 if (file == "")
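Review bot: In the bsd.port.mk hunk at -3351, the added `${GREP} '\.so'` filter is unanchored, so any packing-list path that merely contains `.so` is handed to `/usr/bin/ldd -a`; anchoring it, e.g. `${GREP} -E '\.so(\.[0-9]+)*$$'`, would restrict the input to shared-object names. Every ldd failure is discarded by `2> /dev/null` and the recipe is prefixed with `-@`, so a missing or failing ldd leaves `.PLIST.ldd` empty and the new pthreads check stays silent, which is indistinguishable from a clean result. Unlike `objdump -R`, ldd passes each file to the runtime linker rather than reading it statically; since the new comment item 4 only asks about direct linkage, the NEEDED entries from `objdump -p` would probably be enough, though the awk parser would have to change with it. The recipe begins and continues outside this hunk.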
@@ -29,6 +29,16 @@
 if ($3 ~ /^(accept|recvfrom)$/)
 network_binaries[file] = 1;
 }
+FILENAME ~ /\.ldd$/ {
+ if (match($0, /:$/)) {
+ file = substr($0, 1, RSTART - 1);
+ next;
+ }
+ if (file == "")
+ next;
+ if ($1 ~ /^(libc_r|libpthread|libthr).so/)
+ pthreads_libs[file] = $3;
+}
 FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
 FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
 function print_header() {
@@ -79,6 +89,20 @@
 if (note_printed)
 print "";
 }
+
+ note_printed = 0;
+ for (file in pthreads_libs) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following shared libraries which are";
+ print " incorrectly linked to a pthreads shared library.";
+ note_printed = 1;
+ }
+ printf "%s (linked to %s)\n", file, pthreads_libs[file];
+ }
+ if (note_printed)
+ print "";
+
 note_printed = 0;
 for (file in writable_files) {
 if (!note_printed) {
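Review bot: In the new `.ldd` rule (hunk at -29), `file` is the same global that the `.objdump` rule assigns and nothing clears it when awk moves on to the next input file, so the `if (file == "")` guard cannot catch a dependency line that arrives before the first `path:` header; a rule such as `FNR == 1 { file = "" }` ahead of the per-file rules would make the guard effective. The dot in `/^(libc_r|libpthread|libthr).so/` is unescaped and matches any character, so `\.so` is what is meant. Because the input comes from `ldd -a`, the header lines of the dependencies themselves presumably also set `file`, which means a system library that links to a threads library could be reported as if the port had installed it; checking `file` against the paths read from the `.flattened` input would avoid that.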