author:    Michael Orlitzky <mjo@gentoo.org>  2018-08-07 12:46:04 -0400
committer: Zac Medico <zmedico@gentoo.org>  2018-08-07 11:39:26 -0700
commit:    807ac3d9d6eecead73f59d399b30559e5c731587
tree:      767c4d62de978c9ba037223be2a26ebb243d2c86
parent:    bin/install-qa-check.d: add new 90bad-bin-owner QA check.
bin/install-qa-check.d: add new 90bad-bin-group-write QA check.
System executables that are writable by a non-root user pose a security risk. Anyone who can write to an executable can change its behavior. If that executable is later run with elevated privileges (say, by root, when the machine starts), then the non-root user can escalate his own privileges to those of the person running the modified executable.

The 90bad-bin-owner check already addresses one cause for a non-root user to be able to modify an executable: because he owns it. This commit adds another check, to ensure that no non-root *groups* have write access to any system executables.

On a "normal" system, all system executables should be writable only by the super-user's group, if any. To avoid false-positives, non-"normal" systems (like prefix) are skipped.

Closes: https://bugs.gentoo.org/629398
-rw-r--r--  bin/install-qa-check.d/90bad-bin-group-write  |  55
1 file changed, 55 insertions, 0 deletions
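The same audit as a stand-alone POSIX sh function, added here as an example for scanning a live system; it is not part of this Portage commit or of the 90bad-bin-group-write script. It generalizes the check in one respect: the trusted group is a parameter (pass 0 for root/wheel, as the QA check assumes) so the scan can be exercised on a scratch directory without root privileges. The function name `find_group_writable_bins`, the `TRUSTED_GID` argument and the directory-argument convention are my own choices, not anything Portage provides.

```shell
#!/bin/sh
# Added example, not part of the Portage commit: audit directories for
# executables that are group-writable by a group other than the trusted
# superuser group. TRUSTED_GID is an assumption of this example (the QA
# check hard-codes gid 0); it exists so the scan can also be run on a
# scratch directory as an unprivileged user.

# find_group_writable_bins TRUSTED_GID DIR...
# Prints every regular file directly under the given directories that has
# the group-write bit set and belongs to a group other than TRUSTED_GID.
# Returns 0 when nothing was found, 1 otherwise, so it can gate a CI job.
find_group_writable_bins() {
    trusted_gid=$1
    shift
    found=''
    nl='
'
    for d in "$@"; do
        # Missing directories are skipped, as in the QA check.
        [ -d "$d" ] || continue
        # -L: follow symlinks so a link to a writable target is reported;
        #     -type f then applies to the target, so dangling links are skipped.
        # -perm -g+w: the group-write bit is set.
        # ! -gid: the owning group is not the trusted one.
        hits=$(find -L "$d" -maxdepth 1 -type f -perm -g+w ! -gid "$trusted_gid")
        [ -n "$hits" ] && found="${found}${hits}${nl}"
    done
    printf '%s' "$found"
    [ -z "$found" ]
}

# Invoked with directory arguments, audit those paths against gid 0;
# with none, only define the function so the file can be sourced.
if [ "$#" -gt 0 ]; then
    if find_group_writable_bins 0 "$@"; then
        echo "ok: no group-writable executables owned by a non-root group"
    fi
fi
```

Run it as `sh audit.sh /bin /usr/bin /sbin /usr/sbin /opt/bin` to get the same coverage the QA check applies to an image directory; a non-zero exit status means at least one path was printed. Because the function returns 1 on findings, call it inside an `if` when the calling script runs under `set -e`.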
diff --git a/bin/install-qa-check.d/90bad-bin-group-write b/bin/install-qa-check.d/90bad-bin-group-write
new file mode 100644
index 000000000..786dde712
--- /dev/null
+++ b/bin/install-qa-check.d/90bad-bin-group-write
@@ -0,0 +1,55 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+bad_bin_group_write_check() {
+ # Warn about globally-installed executables (in /bin, /usr/bin, /sbin,
+ # /usr/sbin, or /opt/bin) that are group-writable by a nonzero GID.
+
+ # This check doesn't work on non-root prefix installations at
+ # the moment, because every executable therein is owned by a
+ # nonzero GID.
+ [[ "${EUID}" -ne "0" || "${PORTAGE_INST_UID}" -ne "0" ]] && return
+
+ local d f found=()
+
+ for d in "${ED%/}/opt/bin" "${ED%/}/bin" "${ED%/}/usr/bin" \
+ "${ED%/}/sbin" "${ED%/}/usr/sbin"; do
+ [[ -d "${d}" ]] || continue
+
+ # Read the results of the "find" command into the "found" array.
+ #
+ # Use -L to catch symlinks whose targets are vulnerable,
+ # even though it won't catch ABSOLUTE symlinks until the package
+ # is RE-installed (the first time around, the target won't exist).
+ #
+ # We match the GID and not the name "root" here because (for
+ # example) on FreeBSD, the superuser group is "wheel".
+ #
+ # We don't make an exception for setguid executables here, because
+ # a group-writable setguid executable is likely a mistake. By
+ # altering the contents of the executable, a member of the group
+ # can allow everyone (i.e. the people running it) to obtain the
+ # full privileges available to that group. While only existing
+ # group members can make that choice, it's a decision usually
+ # limited to the system administrator.
+ while read -r -d '' f; do
+ found+=( "${f}" )
+ done < <(find -L "${d}" \
+ -maxdepth 1 \
+ -type f \
+ -perm /g+w \
+ ! -gid 0 \
+ -print0)
+ done
+
+ if [[ ${found[@]} ]]; then
+ eqawarn "system executables group-writable by nonzero gid:"
+ for f in "${found[@]}"; do
+ # Strip off the leading destdir before outputting the path.
+ eqawarn " ${f#${D%/}}"
+ done
+ fi
+}
+
+bad_bin_group_write_check
+:
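Review bot: in the final `eqawarn " ${f#${D%/}}"` line the inner expansion is unquoted, so `${D%/}` is treated as a glob pattern rather than a literal prefix; `${f#"${D%/}"}` strips it literally even when the build directory name contains `*`, `?` or `[`. Separately, the `-L` comment understates what happens on re-install: an absolute symlink in the image resolves against the live root, so the permission bits examined belong to the already-installed copy rather than the file in `${ED}`; stating that in the comment would help a reader interpret a warning on such a path. Minor: `[[ ${found[@]} ]]` works, but `(( ${#found[@]} ))` says more plainly that the array is non-empty.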