src/scripts/check-hardening \
src/scripts/check-interpreters \
src/scripts/check-rpaths \
- src/scripts/check-unsafe-files \
src/scripts/compress-man-pages \
src/scripts/find-prerequires \
src/scripts/find-provides \
return NULL;
}
+static int pakfire_fhs_check_world_writable(
+ struct pakfire* pakfire, struct pakfire_file* file) {
+ // Fetch path
+ const char* path = pakfire_file_get_path(file);
+
+ // Fetch permissions
+ const mode_t perms = pakfire_file_get_perms(file);
+
+ // Check that none of the executable bits are set
+ if ((perms & (S_IWUSR|S_IWGRP|S_IWOTH)) == (S_IWUSR|S_IWGRP|S_IWOTH)) {
+ DEBUG(pakfire, "%s is world-writable\n", path);
+ return 1;
+ }
+
+ return 0;
+}
+
static int pakfire_fhs_check_perms(struct pakfire* pakfire,
const struct pakfire_fhs_check* check, struct pakfire_file* file) {
// No permissions defined. Skipping check...
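Review bot: The condition in pakfire_fhs_check_world_writable only fires when all three write bits are set, so a file with mode 0606 or 0646 — writable by everyone but not by its group — slips through even though it is world-writable; the removed check-unsafe-files script tested only the other-write bit with `find -perm -2`. The test should be `if (perms & S_IWOTH) {`, and the comment above it, "Check that none of the executable bits are set", describes a different check and should read `// Reject anything writable by others (mode o+w)`. The DEBUG message and the return value of 1 are otherwise fine, assuming the caller turns the non-zero result into a visible error, since the old script printed a SECURITY NOTICE to stderr. pakfire_fhs_check_perms's body continues outside the hunk.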
if (!path)
return 1;
+ // Check for world-writable permissions
+ r = pakfire_fhs_check_world_writable(pakfire, file);
+ if (r)
+ return r;
+
// Find a check
check = pakfire_fhs_find_check(pakfire, file);
if (!check) {
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# Pakfire - The IPFire package management system #
-# Copyright (C) 2021 Pakfire development team #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-error() {
- echo "$@" >&2
-}
-
-main() {
- local buildroot="${1}"
- shift
-
- # Check if BUILDROOT exists
- if [ ! -d "${buildroot}" ]; then
- error "BUILDROOT does not exist"
- return 1
- fi
-
- # Find all files that are world-writable
- local -a files=(
- $(find "${buildroot}" -type f -perm -2 | sort)
- )
- if [ "${#files[@]}" -gt 0 ]; then
- error "SECURITY NOTICE: The following files are world-writable:"
- local file
- for file in ${files[@]}; do
- error " ${file/${buildroot}/}"
- done
-
- return 1
- fi
-
- # Find all files that use set*id and are world-writable
- files=(
- $(find "${buildroot}" -type f \( -perm -2002 -or -perm -4002 \) | sort)
- )
- if [ "${#files[@]}" -gt 0 ]; then
- error "SECURITY NOTICE: The following files are world-writable:"
- local file
- for file in ${files[@]}; do
- error " ${file/${buildroot}/}"
- done
-
- return 1
- fi
-
- return 0
-}
-
-main "$@" || exit $?