From 64593ae710a7b4af6d2b5dc6886d695499b72e30 Mon Sep 17 00:00:00 2001 From: Jason Stubbs Date: Thu, 29 Sep 2005 16:31:33 +0000 Subject: [PATCH] Security checks regarding installation of world-writable files. svn path=/main/branches/2.0/; revision=2049 --- bin/ebuild.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/bin/ebuild.sh b/bin/ebuild.sh index ed3bd94f2..cf012d1b0 100755 --- a/bin/ebuild.sh +++ b/bin/ebuild.sh @@ -1018,12 +1018,24 @@ dyn_install() { for i in $(find "${D}/" -type f -perm -2002); do ((UNSAFE++)) echo "UNSAFE SetGID: $i" + chmod -s,o-w "$i" done for i in $(find "${D}/" -type f -perm -4002); do ((UNSAFE++)) echo "UNSAFE SetUID: $i" + chmod -s,o-w "$i" done + # Now we look for all world writable files. + for i in $(find "${D}/" -type f -perm -2); do + echo -ne '\a' + echo "QA Security Notice:" + echo "- ${i:${#D}:${#i}} will be a world writable file." + echo "- This may or may not be a security problem, most of the time it is one." + echo "- Please double check that $PF really needs a world writeable bit and file bugs accordingly." + sleep 1 + done + if type -p scanelf > /dev/null ; then # Make sure we disallow insecure RUNPATH/RPATH's # Don't want paths that point to the tree where the package was built -- 2.26.2