From: Michael Tremer
Date: Fri, 17 Mar 2023 13:29:52 +0000 (+0000)
Subject: FHS: Check for world-writable files
X-Git-Tag: 0.9.29~274
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a2f877bacdff7eabfa6781b80692fe15e68696e4;p=pakfire.git
FHS: Check for world-writable files
Signed-off-by: Michael Tremer
---
diff --git a/Makefile.am b/Makefile.am
index efd9a297e..b12b6fadb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -723,7 +723,6 @@ dist_scripts_SCRIPTS = \
 src/scripts/check-hardening \
 src/scripts/check-interpreters \
 src/scripts/check-rpaths \
- src/scripts/check-unsafe-files \
 src/scripts/compress-man-pages \
 src/scripts/find-prerequires \
 src/scripts/find-provides \
diff --git a/src/libpakfire/build.c b/src/libpakfire/build.c
index 0bf09345e..aea945e51 100644
--- a/src/libpakfire/build.c
+++ b/src/libpakfire/build.c
@@ -1354,7 +1354,6 @@ ERROR:
 }
 
 static const char* post_build_scripts[] = {
- "check-unsafe-files",
 "check-rpaths",
 "check-hardening",
 "check-interpreters",
diff --git a/src/libpakfire/fhs.c b/src/libpakfire/fhs.c
index 4a84b677f..b21127fee 100644
--- a/src/libpakfire/fhs.c
+++ b/src/libpakfire/fhs.c
@@ -215,6 +215,23 @@ ERROR:
 return NULL;
 }
 
+static int pakfire_fhs_check_world_writable(
+ struct pakfire* pakfire, struct pakfire_file* file) {
+ // Fetch path
+ const char* path = pakfire_file_get_path(file);
+
+ // Fetch permissions
+ const mode_t perms = pakfire_file_get_perms(file);
+
+ // Check that none of the executable bits are set
+ if ((perms & (S_IWUSR|S_IWGRP|S_IWOTH)) == (S_IWUSR|S_IWGRP|S_IWOTH)) {
+ DEBUG(pakfire, "%s is world-writable\n", path);
+ return 1;
+ }
+
+ return 0;
+}
+
 static int pakfire_fhs_check_perms(struct pakfire* pakfire,
 const struct pakfire_fhs_check* check, struct pakfire_file* file) {
 // No permissions defined. Skipping check...
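Review bot: The condition in pakfire_fhs_check_world_writable only fires when the user, group and other write bits are all set, so a file with mode 0646 or 0606 is world-writable yet passes, which is weaker than the `find -perm -2` test in the script this commit removes. The intent is the S_IWOTH bit alone: `if (perms & S_IWOTH) {`. The comment above it also describes the wrong bits (`// Check that none of the executable bits are set`); `// Reject anything that other users may write to` would match the code. The removed script further limited itself to regular files (`-type f`); if pakfire_file_get_perms is also reached for directories, a sticky world-writable directory would now be rejected as well, which is worth confirming is intended.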
@@ -298,6 +315,11 @@ int pakfire_fhs_check_file(struct pakfire* pakfire, struct pakfire_file* file) {
 if (!path)
 return 1;
 
+ // Check for world-writable permissions
+ r = pakfire_fhs_check_world_writable(pakfire, file);
+ if (r)
+ return r;
+
 // Find a check
 check = pakfire_fhs_find_check(pakfire, file);
 if (!check) {
diff --git a/src/scripts/check-unsafe-files b/src/scripts/check-unsafe-files
deleted file mode 100644
index 512f5b21a..000000000
--- a/src/scripts/check-unsafe-files
+++ /dev/null
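Review bot: The new call is placed before pakfire_fhs_find_check, so a world-writable entry is rejected before any per-path rule from the FHS table is consulted; if the table is meant to allow exceptions (the obvious case being a sticky, world-writable directory), the check would need to run after the lookup or consult the matched entry. If bypassing the table is deliberate, it is worth saying so at the call site, e.g. `// World-writable entries are rejected regardless of any FHS rule for the path`. pakfire_fhs_check_file starts before and ends after this hunk.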
@@ -1,67 +0,0 @@
-#!/bin/bash
-###############################################################################
-# #
-# Pakfire - The IPFire package management system #
-# Copyright (C) 2021 Pakfire development team #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see . #
-# #
-###############################################################################
-
-error() {
- echo "$@" >&2
-}
-
-main() {
- local buildroot="${1}"
- shift
-
- # Check if BUILDROOT exists
- if [ ! -d "${buildroot}" ]; then
- error "BUILDROOT does not exist"
- return 1
- fi
-
- # Find all files that are world-writable
- local -a files=(
- $(find "${buildroot}" -type f -perm -2 | sort)
- )
- if [ "${#files[@]}" -gt 0 ]; then
- error "SECURITY NOTICE: The following files are world-writable:"
- local file
- for file in ${files[@]}; do
- error " ${file/${buildroot}/}"
- done
-
- return 1
- fi
-
- # Find all files that use set*id and are world-writable
- files=(
- $(find "${buildroot}" -type f \( -perm -2002 -or -perm -4002 \) | sort)
- )
- if [ "${#files[@]}" -gt 0 ]; then
- error "SECURITY NOTICE: The following files are world-writable:"
- local file
- for file in ${files[@]}; do
- error " ${file/${buildroot}/}"
- done
-
- return 1
- fi
-
- return 0
-}
-
-main "$@" || exit $?