authorJason Stubbs <jstubbs@gentoo.org>2005-09-29 16:31:33 +0000
committerJason Stubbs <jstubbs@gentoo.org>2005-09-29 16:31:33 +0000
commit64593ae710a7b4af6d2b5dc6886d695499b72e30 (patch)
tree3f958e8db260faec0c172775991c93cc8d3292ee
parent87150299fd85e167a920931cc3c1d48f25c3b832 (diff)
Security checks regarding installation of world-writable files.
svn path=/main/branches/2.0/; revision=2049
-rwxr-xr-xbin/ebuild.sh12
1 files changed, 12 insertions, 0 deletions
diff --git a/bin/ebuild.sh b/bin/ebuild.sh
index ed3bd94f2..cf012d1b0 100755
--- a/bin/ebuild.sh
+++ b/bin/ebuild.sh
@@ -1018,12 +1018,24 @@ dyn_install() {
for i in $(find "${D}/" -type f -perm -2002); do
((UNSAFE++))
echo "UNSAFE SetGID: $i"
+ chmod -s,o-w "$i"
done
for i in $(find "${D}/" -type f -perm -4002); do
((UNSAFE++))
echo "UNSAFE SetUID: $i"
+ chmod -s,o-w "$i"
done
+ # Now we look for all world writable files.
+ for i in $(find "${D}/" -type f -perm -2); do
+ echo -ne '\a'
+ echo "QA Security Notice:"
+ echo "- ${i:${#D}:${#i}} will be a world writable file."
+ echo "- This may or may not be a security problem, most of the time it is one."
+ echo "- Please double check that $PF really needs a world writeable bit and file bugs accordingly."
+ sleep 1
+ done
+
if type -p scanelf > /dev/null ; then
# Make sure we disallow insecure RUNPATH/RPATH's
# Don't want paths that point to the tree where the package was built