--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+CHECK_PATHS=${@-"/bin /lib /opt /root /sbin /var /usr/bin /usr/lib /usr/sbin"}
+
+CHECK_PATHS=$(find ${CHECK_PATHS} -not -type d)
+
+echo "Searching for all world writable files..."
+f=$(find ${CHECK_PATHS} -not -path "/proc*" -type f -perm -2 2>/dev/null)
+if [ -n "$f" ]; then
+ echo
+ echo "QA Security Notice:"
+ echo " - The folloing files will be world writable."
+ echo " - This may or may not be a security problem, most of the time it is one."
+ echo " - Please double check that these files really need a world writeable bit and file bugs accordingly."
+ echo
+ echo "$f"
+ exit 1
+fi
+
+echo "Searching for unsafe files..."
+f=$(find ${CHECK_PATHS} -type f '(' -perm -2002 -o -perm -4002 ')')
+if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: Unsafe files detected (set*id and world writable)"
+ echo "${f}"
+ exit 1
+fi
+
+# this should help to ensure that all (most?) shared libraries are executable
+# and that all libtool scripts / static libraries are not executable
+echo "Searching for not executeable libs..."
+for i in $(find ${CHECK_PATHS} -name *.so*); do
+ [ ! -e ${i} ] && continue
+ if [ -L ${i} ]; then
+ linkdest=$(readlink "${i}")
+ if [[ ${linkdest} == /* ]] ; then
+ echo
+ echo "QA Notice: Found an absolute symlink in a library directory:"
+ echo " ${i} -> ${linkdest}"
+ echo " It should be a relative symlink if in the same directory"
+ echo " or a linker script if it crosses the /usr boundary."
+ exit 1
+ fi
+ continue
+ fi
+ [ -x ${i} ] && continue
+ echo "making executable: ${i}"
+ chmod +x "${i}"
+done
+for i in $(find ${CHECK_PATHS} -name *.a -o -name *.la); do
+ [ ! -e ${i} ] && continue
+ [ -L ${i} ] && continue
+ [ ! -x ${i} ] && continue
+ echo "removing executable bit: ${i}"
+ chmod -x "${i}"
+done
+
+# Make sure people don't store libtool files or static libs in /lib
+echo "Searching for bad files in /lib..."
+f=$(find /lib -name *.{a,la} 2>/dev/null)
+if [ -n "$f" ]; then
+ echo "QA Notice: Excessive files found in the / partition"
+ echo "${f}"
+ exit 1
+fi
+
+if [ -n "$(which scanelf 2>/dev/null)" ]; then
+ # Make sure we disallow insecure RUNPATH/RPATH's
+ # Don't want paths that point to the tree where the package was built
+ # (older, broken libtools would do this). Also check for null paths
+ # because the loader will search $PWD when it finds null paths.
+ echo "Searching for files that have unsecure RUNPATH/RPATH..."
+ f=$(scanelf -qyRF '%r %p' ${CHECK_PATHS} 2>/dev/null | awk '{ print $NF }' | grep -v -f whitelist-rpaths)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following files contain insecure RUNPATH's"
+ echo "${f}"
+ echo
+ exit 1
+ fi
+
+ # TEXTREL's are baaaaaaaad
+ echo "Searching for files that have baaaaaaad TEXTRELs..."
+ f=$(scanelf -qyRF '%t %p' ${CHECK_PATHS} 2>/dev/null | awk '{ print $NF }' | grep -v -f whitelist-textrels)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following files contain runtime text relocations"
+ echo " Text relocations force the dynamic linker to perform extra"
+ echo " work at startup, waste system resources, and may pose a security"
+ echo " risk. On some architectures, the code may not even function"
+ echo " properly, if at all."
+ echo "${f}"
+ exit 1
+ fi
+
+ # Also, executable stacks only matter on linux...
+ echo "Searching for files that have executeable stacks..."
+ f=$(scanelf -qyRF '%e %p' ${CHECK_PATHS} | awk '{ print $NF }' | grep -v -f whitelist-exec-stacks)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following files contain executable stacks"
+ echo " Files with executable stacks will not work properly (or at all!)"
+ echo " on some architectures/operating systems."
+ echo "${f}"
+ exit 1
+ fi
+
+ # Libary checks
+ check_files=$(find ${CHECK_PATHS} -name lib*.so*)
+
+ echo "Searching bad libs that lack a SONAME..."
+ f=$(scanelf -ByF '%S %p' $check_files | awk '$2 == "" { print }' | grep -v -f whitelist-soname)
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following shared libraries lack a SONAME"
+ echo "${f}"
+ exit 1
+ fi
+ f=$(scanelf -ByF '%n %p' $check_files | awk '$2 == "" { print }')
+ if [ -n "$f" ]; then
+ echo
+ echo "QA Notice: The following shared libraries lack NEEDED entries"
+ echo "${f}"
+ exit 1
+ fi
+
+else
+ echo "scanelf is not available. Can't check."
+fi
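Review bot: The "bad files in /lib" check is dead as written: `-name *.{a,la}` brace-expands to `-name '*.a' '*.la'`, find rejects the stray trailing argument, the error is discarded by `2>/dev/null`, and the empty `$f` lets the check pass silently — it should read `f=$(find /lib \( -name '*.a' -o -name '*.la' \) 2>/dev/null)`. The scanelf checks fail open in the same way: `grep -v -f whitelist-rpaths` (and the textrels, exec-stacks and soname variants) use a path relative to the current directory, so when the script is run from anywhere else grep exits with no output and no insecure RPATH, TEXTREL or executable stack is ever reported; resolve the whitelists against the script's own directory and abort when one is unreadable, e.g. `[ -r "${WHITELIST_DIR}/whitelist-rpaths" ] || exit 1`. The second `CHECK_PATHS=` assignment also replaces the search roots with the list of every non-directory file, so the world-writable scan can never report a world-writable directory (the roots no longer contain any, and `-type f` would skip them regardless) and the expanded list may exceed the argument-length limit on a full tree; keeping the original directory roots and quoting the `*.so*`/`*.a`/`*.la` patterns would avoid both problems. The unquoted `$(find ...)` loops additionally break on paths containing whitespace, which a `while IFS= read -r -d '' i; do ...; done < <(find ... -print0)` form would handle.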