From 64593ae710a7b4af6d2b5dc6886d695499b72e30 Mon Sep 17 00:00:00 2001
From: Jason Stubbs <jstubbs@gentoo.org>
Date: Thu, 29 Sep 2005 16:31:33 +0000
Subject: Security checks regarding installation of world-writable files.

svn path=/main/branches/2.0/; revision=2049
---
 bin/ebuild.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/bin/ebuild.sh b/bin/ebuild.sh
index ed3bd94f2..cf012d1b0 100755
--- a/bin/ebuild.sh
+++ b/bin/ebuild.sh
@@ -1018,12 +1018,24 @@ dyn_install() {
 	for i in $(find "${D}/" -type f -perm -2002); do
 		((UNSAFE++))
 		echo "UNSAFE SetGID: $i"
+		chmod -s,o-w "$i"
 	done
 	for i in $(find "${D}/" -type f -perm -4002); do
 		((UNSAFE++))
 		echo "UNSAFE SetUID: $i"
+		chmod -s,o-w "$i"
 	done
 	
+	# Now we look for all world writable files.
+	for i in $(find "${D}/" -type f -perm -2); do
+		echo -ne '\a'
+		echo "QA Security Notice:"
+		echo "- ${i:${#D}:${#i}} will be a world writable file."
+		echo "- This may or may not be a security problem, most of the time it is one."
+		echo "- Please double check that $PF really needs a world writeable bit and file bugs accordingly."
+		sleep 1
+	done
+
 	if type -p scanelf > /dev/null ; then
 		# Make sure we disallow insecure RUNPATH/RPATH's
 		# Don't want paths that point to the tree where the package was built
-- 
cgit v1.2.3-1-g7c22