author | Oliver Eikemeier <eik@FreeBSD.org> | 2004-07-01 10:59:48 +0000 |
---|---|---|
committer | Oliver Eikemeier <eik@FreeBSD.org> | 2004-07-01 10:59:48 +0000 |
commit | 2e23771c68aee2caae3300bb7c07507e95e03d99 (patch) | |
tree | c1995bb0f840c279e92656be008ccf992792530f | |
parent | 488dbe6dda90d60a9f161d096b1ade0efb3dbdce (diff) | |
download | ports-2e23771c68aee2caae3300bb7c07507e95e03d99.tar.gz ports-2e23771c68aee2caae3300bb7c07507e95e03d99.zip |
- update to version 0.5
*** NOTE ***
The preferences file format has changed, as have the periodic.conf(5) names.
Normally the default settings should be adequate, except when you need to
configure a proxy. Use $PREFIX/etc/portaudit.conf.sample as an example.
- moved portaudit to sbin
- clean up, merging stuff into the portaudit script
- better return codes and errors to stderr
- -f can check stdin now
- dropped ports tree auditing
- merged the periodic(8) scripts into one
- run daily auditing as `nobody'
Notes
Notes:
svn path=/head/; revision=112658
-rw-r--r-- | ports-mgmt/portaudit/Makefile | 37 | ||||
-rw-r--r-- | ports-mgmt/portaudit/files/fetchaudit.sh | 62 | ||||
-rw-r--r-- | ports-mgmt/portaudit/files/portaudit-cmd.sh | 390 | ||||
-rw-r--r-- | ports-mgmt/portaudit/files/portaudit.1 | 88 | ||||
-rw-r--r-- | ports-mgmt/portaudit/files/portaudit.conf | 15 | ||||
-rw-r--r-- | ports-mgmt/portaudit/files/portaudit.functions | 320 | ||||
-rw-r--r-- | ports-mgmt/portaudit/files/portaudit.sh | 40 | ||||
-rw-r--r-- | ports-mgmt/portaudit/pkg-deinstall | 12 | ||||
-rw-r--r-- | ports-mgmt/portaudit/pkg-install | 24 | ||||
-rw-r--r-- | ports-mgmt/portaudit/pkg-plist | 8 | ||||
-rw-r--r-- | security/portaudit/Makefile | 37 | ||||
-rw-r--r-- | security/portaudit/files/fetchaudit.sh | 62 | ||||
-rw-r--r-- | security/portaudit/files/portaudit-cmd.sh | 390 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.1 | 88 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.conf | 15 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.functions | 320 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.sh | 40 | ||||
-rw-r--r-- | security/portaudit/pkg-deinstall | 12 | ||||
-rw-r--r-- | security/portaudit/pkg-install | 24 | ||||
-rw-r--r-- | security/portaudit/pkg-plist | 8 |
20 files changed, 884 insertions, 1108 deletions
diff --git a/ports-mgmt/portaudit/Makefile b/ports-mgmt/portaudit/Makefile index 894f69463c6d..c09209369902 100644 --- a/ports-mgmt/portaudit/Makefile +++ b/ports-mgmt/portaudit/Makefile @@ -6,7 +6,7 @@ # PORTNAME= portaudit -PORTVERSION= 0.4.1 +PORTVERSION= 0.5 CATEGORIES= security DISTFILES= @@ -29,7 +29,8 @@ REQPKGVER= 20040623 SED_SCRIPT= -e 's|%%PREFIX%%|${PREFIX}|g' \ -e 's|%%LOCALBASE%%|${LOCALBASE}|g' \ - -e "s|%%DATADIR%%|${DATADIR}|g" \ + -e "s|%%PORTSDIR%%|${PORTSDIR}|g" \ + -e "s|%%INDEXFILE%%|${INDEXFILE}|g" \ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g" \ -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \ -e "s|%%REQPKGVER%%|${REQPKGVER}|g" \ 
@@ -49,40 +50,28 @@ RUN_DEPENDS+= bzip2:${PORTSDIR}/archivers/bzip2 .endif do-build: -.for f in portaudit-cmd.sh portaudit.sh fetchaudit.sh portaudit.functions portaudit.1 portaudit.conf - @${SED} ${SED_SCRIPT} ${FILESDIR}/${f} > ${WRKDIR}/${f} +.for f in portaudit-cmd.sh portaudit.sh portaudit.1 portaudit.conf + @${SED} ${SED_SCRIPT} ${FILESDIR}/${f} >${WRKDIR}/${f} .endfor post-build: -.for text in pkg-req pkg-install pkg-deinstall - @if [ -f ${PKGDIR}/${text} ]; then \ - ${SED} ${SED_SCRIPT} ${PKGDIR}/${text} >${WRKDIR}/${text}; \ - fi +.for f in pkg-req pkg-install pkg-deinstall + @${SED} ${SED_SCRIPT} ${PKGDIR}/${f} >${WRKDIR}/${f} .endfor pre-install: - @if [ -f ${PKGREQ} ]; then \ - ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGREQ} ${PKGNAME} INSTALL; \ - fi - @if [ -f ${PKGINSTALL} ]; then \ - ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL; \ - fi + @${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGREQ} ${PKGNAME} INSTALL + @${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL do-install: - @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/bin/portaudit + @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/sbin/portaudit + @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample @${INSTALL_MAN} ${WRKDIR}/portaudit.1 ${MAN1PREFIX}/man/man1 @${MKDIR} ${PERIODICDIR}/security - @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/910.portaudit - @${MKDIR} ${PERIODICDIR}/daily - @${INSTALL_SCRIPT} ${WRKDIR}/fetchaudit.sh ${PERIODICDIR}/daily/330.fetchaudit - @${MKDIR} ${DATADIR} - @${INSTALL_DATA} ${WRKDIR}/portaudit.functions ${DATADIR} - @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample + @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/410.portaudit @${MKDIR} ${DATABASEDIR} post-install: - @if [ -f ${PKGINSTALL} ]; then \ - ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL; \ - fi + @${SETENV} 
"PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL .include <bsd.port.post.mk> diff --git a/ports-mgmt/portaudit/files/fetchaudit.sh b/ports-mgmt/portaudit/files/fetchaudit.sh deleted file mode 100644 index ffe208fd001e..000000000000 --- a/ports-mgmt/portaudit/files/fetchaudit.sh +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2004 Oliver Eikemeier. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# 3. Neither the name of the author nor the names of its contributors may be -# used to endorse or promote products derived from this software without -# specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -# $FreeBSD$ -# - -# defaults -daily_status_portaudit_enable="YES" -daily_status_portaudit_expiry="2" - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. %%DATADIR%%/portaudit.functions -portaudit_confs - -rc=0 -case "$daily_status_portaudit_enable" in - ""|[Yy][Ee][Ss]) - if [ ! 
-f "${portaudit_dir}/${portaudit_filename}" ] || ! checkexpiry_auditfile "${daily_status_portaudit_expiry}"; then - echo "" - echo "Updating audit database." - fetch_auditfile && rc=1 || rc=2 - fi - ;; - *) - ;; -esac - -exit "${rc}" diff --git a/ports-mgmt/portaudit/files/portaudit-cmd.sh b/ports-mgmt/portaudit/files/portaudit-cmd.sh index 99fdcbde8bbd..1f90e921f9d2 100644 --- a/ports-mgmt/portaudit/files/portaudit-cmd.sh +++ b/ports-mgmt/portaudit/files/portaudit-cmd.sh @@ -1,4 +1,4 @@ -#!/bin/sh -e +#!/bin/sh -efu # # Copyright (c) 2004 Oliver Eikemeier. All rights reserved. # @@ -6,8 +6,8 @@ # modification, are permitted provided that the following conditions are # met: # -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright notice +# this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the 
@@ -31,35 +31,325 @@ # $FreeBSD$ # -. %%DATADIR%%/portaudit.functions +portaudit_confs() +{ + portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"} + portaudit_filename=${portaudit_filename:-"auditfile.tbz"} + + portaudit_fetch_env=${portaudit_fetch_env:-} + portaudit_fetch_cmd=${portaudit_fetch_cmd:-"fetch -1amp"} + + portaudit_sites=${portaudit_sites:-"http://www.FreeBSD.org/ports/"} + + if [ -r %%PREFIX%%/etc/portaudit.conf ]; then + . %%PREFIX%%/etc/portaudit.conf + fi +} + +extract_auditfile() +{ + %%BZIP2_CMD%% -dc -- "$portaudit_dir/$portaudit_filename" | \ + tar -xOf - auditfile +} + +checksum_auditfile() +{ + chksum1=`extract_auditfile | + sed -nE -e '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'` + chksum2=`extract_auditfile | sed -e '$d' | md5` + [ "$chksum1" = "$chksum2" ]; +} + +getcreated_auditfile() +{ + extract_auditfile | + sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p' +} + +gettimestamp_auditfile() +{ + extract_auditfile | + sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p' +} + +checkexpiry_auditfile() +{ + created=`gettimestamp_auditfile` + expiry=`date -u -v-$1d '+%Y%m%d'` + [ "$created" -gt "$expiry" ]; +} + +portaudit_prerequisites() +{ + if $prerequisites_checked; then + return 0 + fi + + if [ -z "${pkg_info:-}" ]; then + if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then + pkg_info="%%LOCALBASE%%/sbin/pkg_info" + else + pkg_info="/usr/sbin/pkg_info" + fi + fi + + if [ -z "${pkg_version:-}"]; then + case "$pkg_info" in + */*) + pkg_version="${pkg_info%/*}/pkg_version";; + *) + pkg_version="pkg_version";; + esac + fi + + PKG_INSTALL_VER=`$pkg_info -qP 2>/dev/null` + if [ -z "$PKG_INSTALL_VER" -o "$PKG_INSTALL_VER" -lt %%REQPKGVER%% ]; then + echo "$pkg_info is too old, please update port sysutils/pkg_install-devel" + return 1 + fi + + if [ ! 
-r "$portaudit_dir/$portaudit_filename" ]; then + echo "portaudit: Database missing, run \`portaudit -F' to update." >&2 + return 2 + elif ! checksum_auditfile; then + echo "portaudit: Corrupt database." >&2 + return 2 + elif ! checkexpiry_auditfile 14; then + echo "portaudit: Database too old." >&2 + return 2 + fi + + prerequisites_checked=true + return 0 +} + +audit_installed() +{ + local rc=0 + + extract_auditfile | awk -F\| ' + BEGIN { vul=0 } + /^(#|\$)/ { next } + { + cmd="'"$pkg_info"' -E \"" $1 "\"" + while((cmd | getline pkg) > 0) { + vul++ + split($2, ref, / /) + print "Affected package: " pkg + print "Type of problem: " $3 "." + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + } + close(cmd) + } + END { + print vul " problem(s) in your installed packages found." + if (vul > 0) { + print "\nYou are advised to update or deinstall" \ + " the affected package(s) immediately." + exit(1) + } + } + ' || rc=$? + + return $rc +} + +audit_file() +{ + local rc=0 + local TMPFILE= + + case "$1" in + -) + TMPFILE=`mktemp -t portaudit` + cat > "$TMPFILE" + FILE="$TMPFILE" + ;; + http://*|ftp://*|https://*|file://*) + echo "portaudit: Can't audit remote file $1" >&2 + return 2 + ;; + *) + if [ -r "$1" ]; then + FILE="$1" + else + echo "portaudit: Can't read $1" >&2 + return 2 + fi + ;; + esac + + extract_auditfile | awk -F\| ' + BEGIN { vul=0 } + /^(#|\$)/ { next } + { + cmd="'"$pkg_version"' -T - \"" $1 "\" <\"'"$FILE"'\"" + while((cmd | getline pkg) > 0) { + vul++ + split($2, ref, / /) + split(pkg, p) + print "Affected package: " p[1] + print "Type of problem: " $3 "." + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + } + close(cmd) + } + END { + print vul " problem(s) found." + if (vul > 0) { + exit(1) + } + } + ' || rc=$? 
+ + if [ -n "$TMPFILE" ]; then + rm "$TMPFILE" + fi + return $rc +} + +audit_args() +{ + local VULCNT=0 + while [ $# -gt 0 ]; do + case "$1" in + /*|-) + echo "portaudit: $1 is a file, please use the -f option" >&2 + ;; + http://*|ftp://*|https://*|file://*) + echo "portaudit: Can't audit remote file $1" >&2 + ;; + *) + if VLIST=`extract_auditfile | grep -v '^#' | $pkg_version -T "$1" -`; then + VULCNT=$(($VULCNT+1)) + echo "$VLIST" | awk -F\| '{ + print "Affected package: '$1' (matched by " $1 ")" + print "Type of problem: " $3 "." + split($2, ref, / /) + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + }' + fi + ;; + esac + shift + done + $opt_quiet || echo "$VULCNT problem(s) found." + if [ $VULCNT -gt 0 ]; then + return 1 + fi +} + +audit_cwd() +{ + if [ ! -r "Makefile" ]; then + echo "portaudit: No Makefile here" >&2 + return 2 + fi + + PKGNAME=`make -VPKGNAME 2>/dev/null || true"` + + if [ -z "$PKGNAME" ]; then + echo "portaudit: Can't determine the package name" >&2 + return 2 + fi + + if VLIST=`extract_auditfile | grep -v '^#' | $pkg_version -T "$PKGNAME" -`; then + echo "$VLIST" | awk -F\| '{ + print "Affected package: '$PKGNAME' (matched by " $1 ")" + print "Type of problem: " $3 "." + split($2, ref, / /) + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + }' + return 1 + fi +} + +fetch_auditfile() +{ + local rc=2 + + if [ ! -d "$portaudit_dir" ]; then + if ! mkdir -p "$portaudit_dir"; then + echo "Couldn't create $portaudit_dir, try running \`portaudit -F' as root" >&2 + return 2 + fi + fi + if [ ! -w "$portaudit_dir" ]; then + echo "Couldn't write to $portaudit_dir, try running \`portaudit -F' as root" >&2 + return 2 + + fi + cd "$portaudit_dir" + if [ -r "$portaudit_filename" ]; then + cp -f "$portaudit_filename" "$portaudit_filename.old" + fi + + $opt_verbose && echo "Attempting to fetch from $portaudit_site." + urls=`echo "$portaudit_sites" | tr -s ' \t' '\n' | sed -E -e "s/?\$/$portaudit_filename"` + + if ! 
env $portaudit_fetch_env $portaudit_fetch_cmd $urls; then + echo "Couldn't fetch database." >&2 + elif [ ! -f "$portaudit_dir/$portaudit_filename" ] ; then + echo "portaudit: No database." >&2 + elif ! checksum_auditfile; then + echo "portaudit: Database corrupt." >&2 + elif ! checkexpiry_auditfile 7; then + echo "portaudit: Database too old." >&2 + else + $opt_quiet || echo "New database installed." + rc=0 + break + fi + + if [ -f "$portaudit_filename.old" ]; then + if [ $rc -eq 0 ]; then + rm -f "$portaudit_filename.old" + else + mv -f "$portaudit_filename.old" "$portaudit_filename" + $opt_quiet || echo "Old database restored." + fi + fi + if [ -f "$portaudit_filename" ]; then + chmod a=r "$portaudit_filename" + fi + + return $rc +} + portaudit_confs opt_audit=false opt_auditcwd=false -opt_audittree=false opt_dbversion=false opt_fetch=false opt_file= opt_quiet=false opt_verbose=false opt_version=false +opt_expiry= if [ $# -eq 0 ] ; then opt_audit=true fi -while getopts aACdf:FqvV opt; do +while getopts aCdf:FqvVX: opt; do case "$opt" in a) opt_audit=true;; - A) - opt_audittree=true;; C) opt_auditcwd=true;; d) opt_dbversion=true;; f) - opt_file=$OPTARG;; + opt_file="$OPTARG";; F) opt_fetch=true;; q) 
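Review bot: `fetch_auditfile` echoes `$portaudit_site`, but the variable defined in `portaudit_confs` is `portaudit_sites`, and under the new `#!/bin/sh -efu` an unset name is fatal, so `portaudit -Fv` aborts before fetching anything; the line should be `$opt_verbose && echo "Attempting to fetch from $portaudit_sites."`. In `portaudit_prerequisites`, `if [ -z "${pkg_version:-}"]; then` is missing the space before `]`, so `[` reports a missing `]` and `-e` kills the script as soon as a user sets `pkg_version` in portaudit.conf (it only works by accident while the variable is empty); it should read `if [ -z "${pkg_version:-}" ]; then`. The URL builder `sed -E -e "s/?\$/$portaudit_filename"` also looks broken — the `s` command has no closing delimiter and a leading `?` is not a valid ERE — so `$urls` is probably never populated; please exercise `-F` before committing. `checksum_auditfile` only compares the file with the MD5 recorded on its own last line, which catches truncation or corruption but not tampering: whoever can alter the database fetched over plain `http://www.FreeBSD.org/ports/` can recompute that line, and field 1 of every record is then interpolated into the `pkg_info -E` / `pkg_version -T` shell commands built inside awk, so a comment such as `# self-checksum: detects corruption only, not a forged database` above the function would stop readers from treating it as an authenticity check. Finally, the `break` after `rc=0` is a leftover from the removed per-site loop and no longer sits inside any loop; it should be deleted.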
@@ -68,91 +358,71 @@ while getopts aACdf:FqvV opt; do opt_verbose=true;; V) opt_version=true;; + X) + opt_expiry="$OPTARG";; ?) - echo "Usage: $0 -aACvVdFq [-f file]" + echo "Usage: $0 -aCdF [-f file] [pkg-name ...]" exit 2;; esac done -shift $((${OPTIND}-1)) +shift $(($OPTIND-1)) + +ret=0 if $opt_version; then echo "portaudit version %%PORTVERSION%%" fi if $opt_fetch; then - fetch_auditfile || echo "failed." + if ! fetch_auditfile; then + echo "portaudit: Download failed." >&2 + exit 2 + fi +elif [ -n "$opt_expiry" ]; then + if [ ! -r "$portaudit_dir/$portaudit_filename" ] || ! checkexpiry_auditfile "$opt_expiry"; then + $opt_quiet || echo "Downloading fresh database." + if ! fetch_auditfile; then + echo "portaudit: Download failed." >&2 + exit 2 + fi + ret=1 + fi fi if $opt_dbversion; then - if [ ! -f "${portaudit_dir}/${portaudit_filename}" ]; then - echo "portaudit: database missing. run \`portaudit -F' to update." + if [ ! -f "$portaudit_dir/$portaudit_filename" ]; then + echo "portaudit: Database missing, run \`portaudit -F' to update." >&2 exit 2 fi if ! checksum_auditfile; then - echo "portaudit: database corrupt." + echo "portaudit: Database corrupt." >&2 exit 2 fi created=`getcreated_auditfile` - echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`" + echo "Database created: `date -j -f '%Y-%m-%d %H:%M:%S %Z' \"$created GMT\"`" fi +prerequisites_checked=false + if $opt_audit; then portaudit_prerequisites - audit_installed || true + audit_installed || ret=$? fi if $opt_auditcwd; then portaudit_prerequisites - audit_cwd -fi - -if $opt_audittree; then - echo "auditing ports tree for known vulnerabilities" - VULCNT=0 - - portaudit_prerequisites - - cd "${PORTSDIR:=/usr/ports}" - CATEGORIES=`echo [a-z]*` - - for category in ${CATEGORIES}; do - if [ ! 
-d "${PORTSDIR}/${category}" ]; then continue; fi - case "${category}" in - CVS) continue ;; - Mk) continue ;; - Templates) continue ;; - Tools) continue ;; - distfiles) continue ;; - packages) continue ;; - esac - - $opt_quiet || echo "==> ${category}" - - cd "${PORTSDIR}/${category}" - PORTS=`echo *` - - for port in ${PORTS}; do - if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi - case "${port}" in - pkg) continue ;; - CVS) continue ;; - esac - - cd "${PORTSDIR}/${category}/${port}" - audit_cwd; - done - done - - echo "${VULCNT} ports with unmarked vulnerabilities." + audit_cwd || ret=$? fi if [ -n "$opt_file" ]; then portaudit_prerequisites - audit_file "$opt_file" + audit_file "$opt_file" || ret=$? fi if [ $# -gt 0 ]; then portaudit_prerequisites - audit_args "$@" + audit_args "$@" || ret=$? fi + +exit $ret diff --git a/ports-mgmt/portaudit/files/portaudit.1 b/ports-mgmt/portaudit/files/portaudit.1 index 4e6dfde7d673..60acb2a65c0a 100644 --- a/ports-mgmt/portaudit/files/portaudit.1 +++ b/ports-mgmt/portaudit/files/portaudit.1 @@ -4,8 +4,8 @@ .\" modification, are permitted provided that the following conditions are .\" met: .\" -.\" 1. Redistributions of source code must retain the above copyright notice -.\" this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright notice +.\" this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the @@ -28,8 +28,8 @@ .\" .\" $FreeBSD$ .\" -.Dd March 11, 2004 -.Os FreeBSD +.Dd June 29, 2004 +.Os .Dt PORTAUDIT \&1 "FreeBSD ports collection" . . 
@@ -42,29 +42,28 @@ .Sh SYNOPSIS . .Nm -.Op Fl a -.Op Fl A -.Op Fl C -.Op Fl V -.Op Fl d -.Op Fl F +.Op Fl aCdF +.Op Fl X Ar days +.Op Fl f Ar file +.Op Ar pkg-name ... . . .Sh DESCRIPTION . .Nm checks installed packages for known vulnerabilities and generates reports -including references to security advisories. Its audience are system -administrators or individual users. +including references to security advisories. +Its audience are system administrators or individual users. .Pp -It uses a database maintained by port committers and the FreeBSD security team -to check if security advisories for any installed packages exist. Note that a -current ports tree (or any local copy of the ports tree) is not required for -operation. +.Nm +uses a database maintained by port committers and the FreeBSD security team +to check if security advisories for any installed packages exist. +Note that a current ports tree (or any local copy of the ports tree) is not +required for operation. .Pp -This package also installs two scripts into %%PREFIX%%/etc/periodic that -regularly update this database and include the report of vulnerable packages -in the daily security report. +This package also installs a script into %%PREFIX%%/etc/periodic/security +that regularly updates this database and includes a report of vulnerable +packages in the daily security report. .Pp If you have a vulnerable package installed, you are advised to update or deinstall it immediately. 
@@ -75,20 +74,27 @@ deinstall it immediately. The following options are supported: .Bl -tag -width ".Fl X" .It Fl a -Print a vulnerability report for all installed packages -.It Fl A -Print a vulnerability report for all ports in PORTSDIR (slow). +Print a vulnerability report for all installed packages. .It Fl C Print a vulnerability report for the port in the current working directory. -Mostly useful for committers. +Mostly useful for port developers. .It Fl F Fetch the current database from the -.Fx servers +.Fx servers. .It Fl d -Print the creation date of the database -.It Fl V -Print the version of -.Nm . +Print the creation date of the database. +.It Fl X Ar days +Download a fresh database when the local is at least +.Ar days +old. +.It Fl f Ar file +Check the packages listed in +.Ar file +for known vulnerabilities. +.It Ar pkg-name ... +Test whether +.Ar pkg-name +is listed in the audit database. .El . . @@ -98,11 +104,19 @@ Print the version of .It Fetch the current database and print its creation date: .Pp -.Dl "portaudit -F -d" +.Dl "portaudit -Fd" .It Print a vulnerability report for all installed packages: .Pp -.Dl "portaudit" +.Dl "portaudit -a" +.It +Print a vulnerability report for the local INDEX: +.Pp +.Dl "portaudit -f %%PORTSDIR%%/%%INDEXFILE%%" +.It +Print a vulnerability report for the current set of prebuild packages: +.Pp +.Dl "curl -l ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/ | sed -n -e 's/\.t[bg]z[[:cntrl:]]*$//p' | portaudit -f -" .El . . 
@@ -115,18 +129,10 @@ Print a vulnerability report for all installed packages: .Sh SEE ALSO . .Xr ports 7 , -.Xr periodic 8 , .Xr periodic.conf 5 , -.Li Aq http://people.freebsd.org/~eik/portaudit/ , -.Li Aq http://www.freebsd.org/security/#adv , -.Li Aq http://www.vuxml.org/ . -. -. -.Sh CAVEATS -. -The format of -.Pa %%PREFIX%%/etc/portaudit.conf -might change. +.Li Aq http://www.FreeBSD.org/ports/portaudit/ , +.Li Aq http://www.FreeBSD.org/security/#adv , +.Li Aq http://FreeBSD.VuXML.org/ . . . .Sh BUGS diff --git a/ports-mgmt/portaudit/files/portaudit.conf b/ports-mgmt/portaudit/files/portaudit.conf index 2e73ffcd9830..68fbe9f23888 100644 --- a/ports-mgmt/portaudit/files/portaudit.conf +++ b/ports-mgmt/portaudit/files/portaudit.conf @@ -7,19 +7,10 @@ # # specify a proxy if needed, see fetch(3) -#FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/" +#portaudit_fetch_env="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/" # default fetch command -#FETCH_CMD="/usr/bin/fetch -1m" - -# use passive ftp transfers with extra verbose mode, see fetch(1) -#FETCH_BEFORE_ARGS="-p -vvv" - -#FETCH_AFTER_ARGS= +#portaudit_fetch_cmd="fetch -1amp" # specify a local mirror that generates databases with portaudit-db here -#MASTER_SITE_OVERRIDE="http://my.mirror.sample/path/portaudit/" -# use the following to disable the override -#MASTER_SITE_OVERRIDE=" " - -# uncomment to prefer the UK mirror, at, cz, dk, jp, ro, se, tw and uk are available +#portaudit_sites="http://www.FreeBSD.org/ports/" diff --git a/ports-mgmt/portaudit/files/portaudit.functions b/ports-mgmt/portaudit/files/portaudit.functions deleted file mode 100644 index af9dfe3d086f..000000000000 --- a/ports-mgmt/portaudit/files/portaudit.functions +++ /dev/null 
@@ -1,320 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2004 Oliver Eikemeier. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# 3. Neither the name of the author nor the names of its contributors may be -# used to endorse or promote products derived from this software without -# specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-# -# $FreeBSD$ -# - -portaudit_confs() -{ - portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"} - portaudit_filename=${portaudit_filename:-"auditfile.tbz"} - - FETCH_ENV=${FETCH_ENV:-} - FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"} - FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"} - FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-} - - MASTER_SITE_OVERRIDE=${MASTER_SITE_OVERRIDE:-"http://www.FreeBSD.org/ports/"} - MASTER_SITES=${MASTER_SITES:-" - ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp1.ro.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - http://public.planetmirror.com/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - "} - MASTER_SITE_SUBDIR=${MASTER_SITE_SUBDIR:-"eik"} - - MASTER_SITE_BACKUP=${MASTER_SITE_BACKUP:-"http://people.freebsd.org/~eik/portaudit/"} - - #MASTER_SORT_REGEX="\.uk[.\/]" - MASTER_SORT_REGEX=${MASTER_SORT_REGEX:-"#"} - - if [ -r %%PREFIX%%/etc/portaudit.conf ]; then - . 
%%PREFIX%%/etc/portaudit.conf - fi -} - -extract_auditfile() -{ - %%BZIP2_CMD%% -dc -- "${portaudit_dir}/${portaudit_filename}" | \ - /usr/bin/tar -xOf - auditfile -} - -checksum_auditfile() -{ - chksum1=`extract_auditfile | - /usr/bin/sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'` - chksum2=`extract_auditfile | /usr/bin/sed -e '$d' | /sbin/md5` - [ "${chksum1}" = "${chksum2}" ]; -} - -getcreated_auditfile() -{ - extract_auditfile | - /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p' -} - -gettimestamp_auditfile() -{ - extract_auditfile | - /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p' -} - -checkexpiry_auditfile() -{ - created=`gettimestamp_auditfile` - expiry=`/bin/date -u -v-$1d '+%Y%m%d'` - [ "${created}" -ge "${expiry}" ]; -} - -portaudit_prerequisites() -{ - if [ -z "${PKG_INFO}" ]; then - if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then - PKG_INFO="%%LOCALBASE%%/sbin/pkg_info" - else - PKG_INFO="/usr/sbin/pkg_info" - fi - fi - - PKG_VERSION="${PKG_INFO%/*}/pkg_version" - - if [ ! -x "${PKG_INFO}" ]; then - echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel" - return 1 - fi - - PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null` - if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt %%REQPKGVER%% ]; then - echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel" - return 1 - fi - - if [ ! -r "${portaudit_dir}/${portaudit_filename}" ]; then - echo "portaudit: database missing, run \`portaudit -F' to update." - return 1 - fi - if ! checksum_auditfile; then - echo "portaudit: corrupt database." - return 1 - fi - if ! checkexpiry_auditfile 14; then - echo "portaudit: database too old." 
- return 1 - fi - - return 0 -} - -audit_installed() -{ - extract_auditfile | /usr/bin/awk -F\| ' - BEGIN { vul=0 } - /^(#|\$)/ { next } - { - cmd="'"${PKG_INFO}"' -E \"" $1 "\"" - while((cmd | getline pkg) > 0) { - vul++ - split($2, ref, / /) - print "Affected package: " pkg - print "Type of problem: " $3 "." - for (r in ref) - print "Reference: <" ref[r] ">" - print "" - } - close(cmd) - } - END { - print vul " problem(s) in your installed packages found." - if (vul > 0) { - print "\nYou are advised to update or deinstall" \ - " the affected package(s) immediately." - exit(1) - } - } - ' -} - -audit_file() -{ - extract_auditfile | /usr/bin/awk -F\| ' - BEGIN { vul=0 } - /^(#|\$)/ { next } - { - cmd="'"${PKG_VERSION}"' -T - \"" $1 "\" <\"'"${1}"'\"" - while((cmd | getline pkg) > 0) { - vul++ - split($2, ref, / /) - split(pkg, p) - print "Affected package: " p[1] - print "Type of problem: " $3 "." - for (r in ref) - print "Reference: <" ref[r] ">" - print "" - } - close(cmd) - } - END { - print vul " problem(s) found." - if (vul > 0) { - exit(1) - } - } - ' -} - -audit_args() -{ - VULCNT=0 - while [ $# -gt 0 ]; do - if VLIST=`extract_auditfile | /usr/bin/grep -v '^#' | ${PKG_VERSION} -T "${1}" -`; then - VULCNT=$((${VULCNT}+1)) - echo "${VLIST}" | /usr/bin/awk -F\| '{ - print "Affected package: '${1}' (matched by " $1 ")" - print "Type of problem: " $3 "." - split($2, ref, / /) - for (r in ref) - print "Reference: <" ref[r] ">" - print "" - }' - fi - shift - done - echo "${VULCNT} problem(s) found." - if [ ${VULCNT} -gt 0 ]; then - return 1 - fi -} - -audit_cwd() -{ - if [ ! 
-r "Makefile" ]; then - return 1 - fi - - PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"` - PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'` - FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'` - PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'` - - if VLIST=`extract_auditfile | /usr/bin/grep -v '^#' | ${PKG_VERSION} -T "${PKGNAME}" -`; then - if [ -z "${FORBIDDEN}" ]; then - echo - echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:" - VULCNT=$((${VULCNT}+1)) - elif $opt_verbose; then - echo - echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}" - fi - if [ -z "${FORBIDDEN}" ] || $opt_verbose; then - echo "${VLIST}" | /usr/bin/awk -F\| '{ - split($2, ref, / /) - for (r in ref) - print "- <" ref[r] ">" - }' - fi - fi -} - -fetch_locations() -{ - # site sort order is not overly smart - if [ -n "${MASTER_SITE_OVERRIDE}" ]; then - echo "${MASTER_SITE_OVERRIDE}" - fi - echo ${MASTER_SITES} | /usr/bin/tr -s ' \t' '\n' | /usr/bin/awk " - BEGIN { IGNORECASE=1; srand() } - /^$/ { next } - { - if (\$0 ~ /${MASTER_SORT_REGEX}/ ) rank=0; else rank=rand() - gsub(/%SUBDIR%/, \"${MASTER_SITE_SUBDIR}\") - print \$0 \"\\t\" rank - } - " | /usr/bin/sort -n -k 2 | /usr/bin/cut -f 1 - if [ -n "${MASTER_SITE_BACKUP}" ]; then - echo "${MASTER_SITE_BACKUP}" - fi -} - -fetch_auditfile() -{ - rc=1 - - if [ ! -d "${portaudit_dir}" ]; then - if ! /bin/mkdir -p "${portaudit_dir}"; then - echo "Couldn't create ${portaudit_dir}, try running portaudit -F as root" - return 1 - fi - fi - if [ ! -w "${portaudit_dir}" ]; then - echo "Couldn't write to ${portaudit_dir}, try running portaudit -F as root" - return 1 - - fi - cd "${portaudit_dir}" - if [ -r "${portaudit_filename}" ]; then - /bin/cp "${portaudit_filename}" "${portaudit_filename}.old" - fi - - for site in `fetch_locations`; do - echo ">> Attempting to fetch from ${site}." 
- args="${site}${portaudit_filename}" - /usr/bin/env ${FETCH_ENV} ${FETCH_CMD} ${FETCH_BEFORE_ARGS} ${args} ${FETCH_AFTER_ARGS} - if [ $? -ne 0 ]; then - echo "Couldn't fetch database." - elif [ ! -f "${portaudit_dir}/${portaudit_filename}" ] ; then - echo "no database fetched." - elif ! checksum_auditfile; then - echo "fetched database corrupt." - elif ! checkexpiry_auditfile 7; then - echo "fetched database too old." - else - echo "new database installed." - rc=0 - break - fi - done - if [ -f "${portaudit_filename}.old" ]; then - if [ ${rc} -eq 0 ]; then - /bin/rm -f "${portaudit_filename}.old" - else - /bin/mv -f "${portaudit_filename}.old" "${portaudit_filename}" - echo "old database restored." - fi - fi - if [ -f "${portaudit_filename}" ]; then - /bin/chmod a=r "${portaudit_filename}" - fi - return ${rc} -} diff --git a/ports-mgmt/portaudit/files/portaudit.sh b/ports-mgmt/portaudit/files/portaudit.sh index 9747444be77f..8e3b460ec750 100644 --- a/ports-mgmt/portaudit/files/portaudit.sh +++ b/ports-mgmt/portaudit/files/portaudit.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh -f # # Copyright (c) 2004 Oliver Eikemeier. All rights reserved. # @@ -6,8 +6,8 @@ # modification, are permitted provided that the following conditions are # met: # -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright notice +# this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the 
@@ -31,34 +31,30 @@ # $FreeBSD$ # -# defaults -daily_status_portaudit_enable="YES" - # If there is a global system configuration file, suck it in. # -if [ -r /etc/defaults/periodic.conf ] -then +if [ -r /etc/defaults/periodic.conf ]; then . /etc/defaults/periodic.conf source_periodic_confs fi -. %%DATADIR%%/portaudit.functions -portaudit_confs - rc=0 -case "$daily_status_portaudit_enable" in - ""|[Yy][Ee][Ss]) - echo "" - echo "Checking for packages with security vulnerabilities:" - echo "" - - if portaudit_prerequisites; then - audit_installed || rc=1 - else - rc=2 - fi +case "${daily_status_security_portaudit_enable:-YES}" in + [Nn][Oo]) ;; *) + echo + echo "Checking for a current audit database:" + echo + %%PREFIX%%/sbin/portaudit -X "${daily_status_security_portaudit_expiry:-2}" || rc=$? + if [ $rc -lt 2 ]; then + %%PREFIX%%/sbin/portaudit -d + echo + echo "Checking for packages with security vulnerabilities:" + echo + echo %%PREFIX%%/sbin/portaudit -a | + su -fm "${daily_status_security_portaudit_user:-nobody}" || rc=$? + fi ;; esac diff --git a/ports-mgmt/portaudit/pkg-deinstall b/ports-mgmt/portaudit/pkg-deinstall index 7e4ebf7c68c4..948c7135abb6 100644 --- a/ports-mgmt/portaudit/pkg-deinstall +++ b/ports-mgmt/portaudit/pkg-deinstall @@ -7,11 +7,13 @@ case $2 in POST-DEINSTALL) echo echo "The portaudit package has been deleted." - echo "If you're *not* upgrading and won't be using" - echo "it any longer, you may want to remove the" - echo "portaudit database:" - echo - echo " rm -Rf %%DATABASEDIR%%" + if [ -f "%%DATABASEDIR%%/auditfile.tbz" ]; then + echo "If you're *not* upgrading and won't be using" + echo "it any longer, you may want to remove the" + echo "portaudit database:" + echo + echo " rm -Rf %%DATABASEDIR%%" + fi echo ;; esac diff --git a/ports-mgmt/portaudit/pkg-install b/ports-mgmt/portaudit/pkg-install index 158f0e25ee15..6ee3e0433e46 100644 --- a/ports-mgmt/portaudit/pkg-install +++ b/ports-mgmt/portaudit/pkg-install 
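Review bot: `%%PREFIX%%/sbin/portaudit -d` is the one portaudit invocation in the new case arm whose exit status is not folded into `rc`, so when `-X` found the file current but `-d` then exits 2 (missing or corrupt database, per the `-d` branch of portaudit-cmd.sh in this commit) the script still proceeds to the `-a` run and periodic(8) never sees the error status; `%%PREFIX%%/sbin/portaudit -d || rc=$?` followed by a second `[ $rc -lt 2 ]` check before the audit keeps it explicit. Running the audit as `${daily_status_security_portaudit_user:-nobody}` is a sound reduction of privilege for a step that parses a downloaded file; a one-line comment on the `su -fm` pipeline such as `# NOTE: command fed on stdin under -m so the caller's shell and environment are reused — confirm this is why -c is not used` would spare the next reader a trip to su(1), since the reason is not stated. The identical hunk recurs in security/portaudit/files/portaudit.sh further down; the script's final `exit` lies outside this hunk.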
@@ -3,13 +3,33 @@ # $FreeBSD$ # +PREFIX="${PREFIX:-%%PREFIX%%}" + case $2 in +PRE-INSTALL) + if egrep -qs "^(FETCH|MASTER_SITE)_" "$PREFIX/etc/portaudit.conf" ;then + echo + echo "*** WARNING ***" + echo + echo "The preference file format has changed. Please edit" + echo " $PREFIX/etc/portaudit.conf" + echo + fi + if egrep -qs "^daily_status_portaudit_" "/etc/periodic.conf" ;then + echo + echo "*** WARNING ***" + echo + echo "The periodic(8) names have changed. Please edit" + echo " /etc/periodic.conf" + echo + fi + ;; POST-INSTALL) if [ ! -f "%%DATABASEDIR%%/auditfile.tbz" ]; then echo - echo "===> To check your installed ports for known vulnerabilities now do:" + echo "===> To check your installed ports for known vulnerabilities now, do:" echo - echo " %%PREFIX%%/bin/portaudit -Fda" + echo " $PREFIX/sbin/portaudit -Fda" echo fi ;; diff --git a/ports-mgmt/portaudit/pkg-plist b/ports-mgmt/portaudit/pkg-plist index 901547d3196e..84b4ccaaf52e 100644 --- a/ports-mgmt/portaudit/pkg-plist +++ b/ports-mgmt/portaudit/pkg-plist @@ -1,11 +1,7 @@ -bin/portaudit +sbin/portaudit etc/portaudit.conf.sample -%%PERIODICDIR%%/security/910.portaudit -%%PERIODICDIR%%/daily/330.fetchaudit -%%DATADIR%%/portaudit.functions +%%PERIODICDIR%%/security/410.portaudit @unexec rmdir %D/%%PERIODICDIR%%/security 2>/dev/null || true -@unexec rmdir %D/%%PERIODICDIR%%/daily 2>/dev/null || true @unexec rmdir %D/%%PERIODICDIR%% 2>/dev/null || true -@dirrm %%DATADIR%% @exec mkdir -p %%DATABASEDIR%% @unexec rmdir %%DATABASEDIR%% 2>/dev/null || true diff --git a/security/portaudit/Makefile b/security/portaudit/Makefile index 894f69463c6d..c09209369902 100644 --- a/security/portaudit/Makefile +++ b/security/portaudit/Makefile @@ -6,7 +6,7 @@ # PORTNAME= portaudit -PORTVERSION= 0.4.1 +PORTVERSION= 0.5 CATEGORIES= security DISTFILES= 
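Review bot: `PREFIX="${PREFIX:-%%PREFIX%%}"` keys on `PREFIX`, but what the Makefile in this commit hands to the script is `PKG_PREFIX` (see `"PKG_PREFIX=${PREFIX}"` in its pre-install and post-install recipes), and pkg_add(1) sets the same name; a stray `PREFIX` in the installing user's environment would therefore redirect both the warning's file check and the printed `-Fda` hint, whereas `PREFIX="${PKG_PREFIX:-%%PREFIX%%}"` follows the value the caller actually passes. The second check only greps /etc/periodic.conf, while periodic.conf(5) also reads /etc/periodic.conf.local, so a user keeping the old `daily_status_portaudit_` names there gets no warning — run the `egrep -qs` over both files. The same hunk recurs in security/portaudit/pkg-install further down.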
@@ -29,7 +29,8 @@ REQPKGVER= 20040623 SED_SCRIPT= -e 's|%%PREFIX%%|${PREFIX}|g' \ -e 's|%%LOCALBASE%%|${LOCALBASE}|g' \ - -e "s|%%DATADIR%%|${DATADIR}|g" \ + -e "s|%%PORTSDIR%%|${PORTSDIR}|g" \ + -e "s|%%INDEXFILE%%|${INDEXFILE}|g" \ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g" \ -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \ -e "s|%%REQPKGVER%%|${REQPKGVER}|g" \ 
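Review bot: The new `-e "s|%%PORTSDIR%%|${PORTSDIR}|g"` and `-e "s|%%INDEXFILE%%|${INDEXFILE}|g"` entries use double quotes like their neighbours while the first two entries of SED_SCRIPT use single quotes; make(1) expands `${PORTSDIR}` before the shell sees either form, so the difference is cosmetic, but one quoting style for the whole list would read better. Because `|` is the sed delimiter, a comment above the list (`# none of the substituted values may contain the '|' delimiter`) documents the one real constraint on these variables.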
@@ -49,40 +50,28 @@ RUN_DEPENDS+= bzip2:${PORTSDIR}/archivers/bzip2 .endif do-build: -.for f in portaudit-cmd.sh portaudit.sh fetchaudit.sh portaudit.functions portaudit.1 portaudit.conf - @${SED} ${SED_SCRIPT} ${FILESDIR}/${f} > ${WRKDIR}/${f} +.for f in portaudit-cmd.sh portaudit.sh portaudit.1 portaudit.conf + @${SED} ${SED_SCRIPT} ${FILESDIR}/${f} >${WRKDIR}/${f} .endfor post-build: -.for text in pkg-req pkg-install pkg-deinstall - @if [ -f ${PKGDIR}/${text} ]; then \ - ${SED} ${SED_SCRIPT} ${PKGDIR}/${text} >${WRKDIR}/${text}; \ - fi +.for f in pkg-req pkg-install pkg-deinstall + @${SED} ${SED_SCRIPT} ${PKGDIR}/${f} >${WRKDIR}/${f} .endfor pre-install: - @if [ -f ${PKGREQ} ]; then \ - ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGREQ} ${PKGNAME} INSTALL; \ - fi - @if [ -f ${PKGINSTALL} ]; then \ - ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL; \ - fi + @${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGREQ} ${PKGNAME} INSTALL + @${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL do-install: - @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/bin/portaudit + @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/sbin/portaudit + @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample @${INSTALL_MAN} ${WRKDIR}/portaudit.1 ${MAN1PREFIX}/man/man1 @${MKDIR} ${PERIODICDIR}/security - @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/910.portaudit - @${MKDIR} ${PERIODICDIR}/daily - @${INSTALL_SCRIPT} ${WRKDIR}/fetchaudit.sh ${PERIODICDIR}/daily/330.fetchaudit - @${MKDIR} ${DATADIR} - @${INSTALL_DATA} ${WRKDIR}/portaudit.functions ${DATADIR} - @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample + @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/410.portaudit @${MKDIR} ${DATABASEDIR} post-install: - @if [ -f ${PKGINSTALL} ]; then \ - ${SETENV} "PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL; \ - fi + @${SETENV} 
"PKG_PREFIX=${PREFIX}" ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL .include <bsd.port.post.mk> diff --git a/security/portaudit/files/fetchaudit.sh b/security/portaudit/files/fetchaudit.sh deleted file mode 100644 index ffe208fd001e..000000000000 --- a/security/portaudit/files/fetchaudit.sh +++ /dev/null 
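Review bot: post-build now runs `@${SED} ${SED_SCRIPT} ${PKGDIR}/${f} >${WRKDIR}/${f}` for pkg-req unconditionally, where the old loop first tested `[ -f ${PKGDIR}/${text} ]`; no pkg-req appears in this commit, so if the file is absent from PKGDIR the sed fails and stops the build, and pre-install's unguarded `${SH} ${PKGREQ} ${PKGNAME} INSTALL` fails the same way. Either drop pkg-req from both lists or keep the guard, e.g. `@[ ! -f ${PKGDIR}/${f} ] || ${SED} ${SED_SCRIPT} ${PKGDIR}/${f} >${WRKDIR}/${f}`. Whether PKGREQ and PKGINSTALL point at the WRKDIR copies produced here is decided above this hunk and cannot be confirmed from it.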
@@ -1,62 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2004 Oliver Eikemeier. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# 3. Neither the name of the author nor the names of its contributors may be -# used to endorse or promote products derived from this software without -# specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -# $FreeBSD$ -# - -# defaults -daily_status_portaudit_enable="YES" -daily_status_portaudit_expiry="2" - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. %%DATADIR%%/portaudit.functions -portaudit_confs - -rc=0 -case "$daily_status_portaudit_enable" in - ""|[Yy][Ee][Ss]) - if [ ! 
-f "${portaudit_dir}/${portaudit_filename}" ] || ! checkexpiry_auditfile "${daily_status_portaudit_expiry}"; then - echo "" - echo "Updating audit database." - fetch_auditfile && rc=1 || rc=2 - fi - ;; - *) - ;; -esac - -exit "${rc}" diff --git a/security/portaudit/files/portaudit-cmd.sh b/security/portaudit/files/portaudit-cmd.sh index 99fdcbde8bbd..1f90e921f9d2 100644 --- a/security/portaudit/files/portaudit-cmd.sh +++ b/security/portaudit/files/portaudit-cmd.sh @@ -1,4 +1,4 @@ -#!/bin/sh -e +#!/bin/sh -efu # # Copyright (c) 2004 Oliver Eikemeier. All rights reserved. # @@ -6,8 +6,8 @@ # modification, are permitted provided that the following conditions are # met: # -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright notice +# this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the 
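Review bot: Options on the `#!/bin/sh -efu` line only take effect when portaudit is executed directly; `sh portaudit` (or sourcing it) silently drops them, so `set -efu` as the first non-comment line is the more robust form and should accompany or replace the shebang change. `-u` also makes every read of an unassigned variable fatal, so each variable a function reads before assigning needs the `${var:-}` treatment that portaudit_confs and portaudit_prerequisites already apply; the large hunk below still contains at least one bare reference.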
@@ -31,35 +31,325 @@ # $FreeBSD$ # -. %%DATADIR%%/portaudit.functions +portaudit_confs() +{ + portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"} + portaudit_filename=${portaudit_filename:-"auditfile.tbz"} + + portaudit_fetch_env=${portaudit_fetch_env:-} + portaudit_fetch_cmd=${portaudit_fetch_cmd:-"fetch -1amp"} + + portaudit_sites=${portaudit_sites:-"http://www.FreeBSD.org/ports/"} + + if [ -r %%PREFIX%%/etc/portaudit.conf ]; then + . %%PREFIX%%/etc/portaudit.conf + fi +} + +extract_auditfile() +{ + %%BZIP2_CMD%% -dc -- "$portaudit_dir/$portaudit_filename" | \ + tar -xOf - auditfile +} + +checksum_auditfile() +{ + chksum1=`extract_auditfile | + sed -nE -e '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'` + chksum2=`extract_auditfile | sed -e '$d' | md5` + [ "$chksum1" = "$chksum2" ]; +} + +getcreated_auditfile() +{ + extract_auditfile | + sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p' +} + +gettimestamp_auditfile() +{ + extract_auditfile | + sed -nE -e '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p' +} + +checkexpiry_auditfile() +{ + created=`gettimestamp_auditfile` + expiry=`date -u -v-$1d '+%Y%m%d'` + [ "$created" -gt "$expiry" ]; +} + +portaudit_prerequisites() +{ + if $prerequisites_checked; then + return 0 + fi + + if [ -z "${pkg_info:-}" ]; then + if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then + pkg_info="%%LOCALBASE%%/sbin/pkg_info" + else + pkg_info="/usr/sbin/pkg_info" + fi + fi + + if [ -z "${pkg_version:-}"]; then + case "$pkg_info" in + */*) + pkg_version="${pkg_info%/*}/pkg_version";; + *) + pkg_version="pkg_version";; + esac + fi + + PKG_INSTALL_VER=`$pkg_info -qP 2>/dev/null` + if [ -z "$PKG_INSTALL_VER" -o "$PKG_INSTALL_VER" -lt %%REQPKGVER%% ]; then + echo "$pkg_info is too old, please update port sysutils/pkg_install-devel" + return 1 + fi + + if [ ! 
-r "$portaudit_dir/$portaudit_filename" ]; then + echo "portaudit: Database missing, run \`portaudit -F' to update." >&2 + return 2 + elif ! checksum_auditfile; then + echo "portaudit: Corrupt database." >&2 + return 2 + elif ! checkexpiry_auditfile 14; then + echo "portaudit: Database too old." >&2 + return 2 + fi + + prerequisites_checked=true + return 0 +} + +audit_installed() +{ + local rc=0 + + extract_auditfile | awk -F\| ' + BEGIN { vul=0 } + /^(#|\$)/ { next } + { + cmd="'"$pkg_info"' -E \"" $1 "\"" + while((cmd | getline pkg) > 0) { + vul++ + split($2, ref, / /) + print "Affected package: " pkg + print "Type of problem: " $3 "." + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + } + close(cmd) + } + END { + print vul " problem(s) in your installed packages found." + if (vul > 0) { + print "\nYou are advised to update or deinstall" \ + " the affected package(s) immediately." + exit(1) + } + } + ' || rc=$? + + return $rc +} + +audit_file() +{ + local rc=0 + local TMPFILE= + + case "$1" in + -) + TMPFILE=`mktemp -t portaudit` + cat > "$TMPFILE" + FILE="$TMPFILE" + ;; + http://*|ftp://*|https://*|file://*) + echo "portaudit: Can't audit remote file $1" >&2 + return 2 + ;; + *) + if [ -r "$1" ]; then + FILE="$1" + else + echo "portaudit: Can't read $1" >&2 + return 2 + fi + ;; + esac + + extract_auditfile | awk -F\| ' + BEGIN { vul=0 } + /^(#|\$)/ { next } + { + cmd="'"$pkg_version"' -T - \"" $1 "\" <\"'"$FILE"'\"" + while((cmd | getline pkg) > 0) { + vul++ + split($2, ref, / /) + split(pkg, p) + print "Affected package: " p[1] + print "Type of problem: " $3 "." + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + } + close(cmd) + } + END { + print vul " problem(s) found." + if (vul > 0) { + exit(1) + } + } + ' || rc=$? 
+ + if [ -n "$TMPFILE" ]; then + rm "$TMPFILE" + fi + return $rc +} + +audit_args() +{ + local VULCNT=0 + while [ $# -gt 0 ]; do + case "$1" in + /*|-) + echo "portaudit: $1 is a file, please use the -f option" >&2 + ;; + http://*|ftp://*|https://*|file://*) + echo "portaudit: Can't audit remote file $1" >&2 + ;; + *) + if VLIST=`extract_auditfile | grep -v '^#' | $pkg_version -T "$1" -`; then + VULCNT=$(($VULCNT+1)) + echo "$VLIST" | awk -F\| '{ + print "Affected package: '$1' (matched by " $1 ")" + print "Type of problem: " $3 "." + split($2, ref, / /) + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + }' + fi + ;; + esac + shift + done + $opt_quiet || echo "$VULCNT problem(s) found." + if [ $VULCNT -gt 0 ]; then + return 1 + fi +} + +audit_cwd() +{ + if [ ! -r "Makefile" ]; then + echo "portaudit: No Makefile here" >&2 + return 2 + fi + + PKGNAME=`make -VPKGNAME 2>/dev/null || true"` + + if [ -z "$PKGNAME" ]; then + echo "portaudit: Can't determine the package name" >&2 + return 2 + fi + + if VLIST=`extract_auditfile | grep -v '^#' | $pkg_version -T "$PKGNAME" -`; then + echo "$VLIST" | awk -F\| '{ + print "Affected package: '$PKGNAME' (matched by " $1 ")" + print "Type of problem: " $3 "." + split($2, ref, / /) + for (r in ref) + print "Reference: <" ref[r] ">" + print "" + }' + return 1 + fi +} + +fetch_auditfile() +{ + local rc=2 + + if [ ! -d "$portaudit_dir" ]; then + if ! mkdir -p "$portaudit_dir"; then + echo "Couldn't create $portaudit_dir, try running \`portaudit -F' as root" >&2 + return 2 + fi + fi + if [ ! -w "$portaudit_dir" ]; then + echo "Couldn't write to $portaudit_dir, try running \`portaudit -F' as root" >&2 + return 2 + + fi + cd "$portaudit_dir" + if [ -r "$portaudit_filename" ]; then + cp -f "$portaudit_filename" "$portaudit_filename.old" + fi + + $opt_verbose && echo "Attempting to fetch from $portaudit_site." + urls=`echo "$portaudit_sites" | tr -s ' \t' '\n' | sed -E -e "s/?\$/$portaudit_filename"` + + if ! 
env $portaudit_fetch_env $portaudit_fetch_cmd $urls; then + echo "Couldn't fetch database." >&2 + elif [ ! -f "$portaudit_dir/$portaudit_filename" ] ; then + echo "portaudit: No database." >&2 + elif ! checksum_auditfile; then + echo "portaudit: Database corrupt." >&2 + elif ! checkexpiry_auditfile 7; then + echo "portaudit: Database too old." >&2 + else + $opt_quiet || echo "New database installed." + rc=0 + break + fi + + if [ -f "$portaudit_filename.old" ]; then + if [ $rc -eq 0 ]; then + rm -f "$portaudit_filename.old" + else + mv -f "$portaudit_filename.old" "$portaudit_filename" + $opt_quiet || echo "Old database restored." + fi + fi + if [ -f "$portaudit_filename" ]; then + chmod a=r "$portaudit_filename" + fi + + return $rc +} + portaudit_confs opt_audit=false opt_auditcwd=false -opt_audittree=false opt_dbversion=false opt_fetch=false opt_file= opt_quiet=false opt_verbose=false opt_version=false +opt_expiry= if [ $# -eq 0 ] ; then opt_audit=true fi -while getopts aACdf:FqvV opt; do +while getopts aCdf:FqvVX: opt; do case "$opt" in a) opt_audit=true;; - A) - opt_audittree=true;; C) opt_auditcwd=true;; d) opt_dbversion=true;; f) - opt_file=$OPTARG;; + opt_file="$OPTARG";; F) opt_fetch=true;; q) 
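Review bot: `if [ -z "${pkg_version:-}"]; then` in portaudit_prerequisites lacks the space before `]`, so it only works while pkg_version is unset (the word collapses to a bare `]`); once portaudit.conf sets it the test becomes `[ -z /path/pkg_version]` and `[` prints "missing ]" on every run (the `if` hides the failure from `-e`) — it should read `if [ -z "${pkg_version:-}" ]; then`. In fetch_auditfile, `$portaudit_site` is never assigned (the setting is `portaudit_sites`), which under the new `-u` aborts the script as soon as `-v` is combined with `-F` or `-X`, and the `urls=` line's `sed -E -e "s/?\$/$portaudit_filename"` as shown has neither an operand for `?` nor a closing delimiter, so under `-e` the assignment would abort before fetch runs; presumably `sed -E -e "s|/?\$|/$portaudit_filename|"` was intended, and the `break` further down is a leftover from the removed `for site` loop. Also note that audit_installed and audit_file splice the first field of each database line unescaped into the shell command that awk pipes through (`cmd="'"$pkg_info"' -E \"" $1 "\""`), while checksum_auditfile only verifies an MD5 carried inside the same plain HTTP/FTP download — integrity against truncation, not provenance — so a comment above extract_auditfile stating that trust boundary, and a follow-up that validates field 1 against the package-name character set before it reaches sh, would be worthwhile.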
@@ -68,91 +358,71 @@ while getopts aACdf:FqvV opt; do opt_verbose=true;; V) opt_version=true;; + X) + opt_expiry="$OPTARG";; ?) - echo "Usage: $0 -aACvVdFq [-f file]" + echo "Usage: $0 -aCdF [-f file] [pkg-name ...]" exit 2;; esac done -shift $((${OPTIND}-1)) +shift $(($OPTIND-1)) + +ret=0 if $opt_version; then echo "portaudit version %%PORTVERSION%%" fi if $opt_fetch; then - fetch_auditfile || echo "failed." + if ! fetch_auditfile; then + echo "portaudit: Download failed." >&2 + exit 2 + fi +elif [ -n "$opt_expiry" ]; then + if [ ! -r "$portaudit_dir/$portaudit_filename" ] || ! checkexpiry_auditfile "$opt_expiry"; then + $opt_quiet || echo "Downloading fresh database." + if ! fetch_auditfile; then + echo "portaudit: Download failed." >&2 + exit 2 + fi + ret=1 + fi fi if $opt_dbversion; then - if [ ! -f "${portaudit_dir}/${portaudit_filename}" ]; then - echo "portaudit: database missing. run \`portaudit -F' to update." + if [ ! -f "$portaudit_dir/$portaudit_filename" ]; then + echo "portaudit: Database missing, run \`portaudit -F' to update." >&2 exit 2 fi if ! checksum_auditfile; then - echo "portaudit: database corrupt." + echo "portaudit: Database corrupt." >&2 exit 2 fi created=`getcreated_auditfile` - echo "database created: `/bin/date -j -f '%Y-%m-%d %H:%M:%S %Z' \"${created} GMT\"`" + echo "Database created: `date -j -f '%Y-%m-%d %H:%M:%S %Z' \"$created GMT\"`" fi +prerequisites_checked=false + if $opt_audit; then portaudit_prerequisites - audit_installed || true + audit_installed || ret=$? fi if $opt_auditcwd; then portaudit_prerequisites - audit_cwd -fi - -if $opt_audittree; then - echo "auditing ports tree for known vulnerabilities" - VULCNT=0 - - portaudit_prerequisites - - cd "${PORTSDIR:=/usr/ports}" - CATEGORIES=`echo [a-z]*` - - for category in ${CATEGORIES}; do - if [ ! 
-d "${PORTSDIR}/${category}" ]; then continue; fi - case "${category}" in - CVS) continue ;; - Mk) continue ;; - Templates) continue ;; - Tools) continue ;; - distfiles) continue ;; - packages) continue ;; - esac - - $opt_quiet || echo "==> ${category}" - - cd "${PORTSDIR}/${category}" - PORTS=`echo *` - - for port in ${PORTS}; do - if [ ! -d "${PORTSDIR}/${category}/${port}" ]; then continue; fi - case "${port}" in - pkg) continue ;; - CVS) continue ;; - esac - - cd "${PORTSDIR}/${category}/${port}" - audit_cwd; - done - done - - echo "${VULCNT} ports with unmarked vulnerabilities." + audit_cwd || ret=$? fi if [ -n "$opt_file" ]; then portaudit_prerequisites - audit_file "$opt_file" + audit_file "$opt_file" || ret=$? fi if [ $# -gt 0 ]; then portaudit_prerequisites - audit_args "$@" + audit_args "$@" || ret=$? fi + +exit $ret diff --git a/security/portaudit/files/portaudit.1 b/security/portaudit/files/portaudit.1 index 4e6dfde7d673..60acb2a65c0a 100644 --- a/security/portaudit/files/portaudit.1 +++ b/security/portaudit/files/portaudit.1 @@ -4,8 +4,8 @@ .\" modification, are permitted provided that the following conditions are .\" met: .\" -.\" 1. Redistributions of source code must retain the above copyright notice -.\" this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright notice +.\" this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the @@ -28,8 +28,8 @@ .\" .\" $FreeBSD$ .\" -.Dd March 11, 2004 -.Os FreeBSD +.Dd June 29, 2004 +.Os .Dt PORTAUDIT \&1 "FreeBSD ports collection" . . 
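Review bot: The usage message `echo "Usage: $0 -aCdF [-f file] [pkg-name ...]"` omits `-X days`, `-q`, `-v` and `-V`, although the getopts string `aCdf:FqvVX:` accepts them and the manual page's SYNOPSIS in this commit lists `-X days`; `echo "Usage: $0 [-aCdFqvV] [-X days] [-f file] [pkg-name ...]" >&2` also sends it to stderr like the other diagnostics this commit rewrote. `$opt_expiry` then flows unvalidated into `date -u -v-$1d` inside checkexpiry_auditfile, where a non-numeric value makes date fail and the `-gt` comparison error out, which the `-X` branch reads as "expired" and answers with a download rather than a usage error; a `case "$opt_expiry" in *[!0-9]*) echo "portaudit: -X expects a number of days" >&2; exit 2;; esac` after the getopts loop keeps that at the option layer. The head of the getopts loop lies outside this hunk.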
@@ -42,29 +42,28 @@ .Sh SYNOPSIS . .Nm -.Op Fl a -.Op Fl A -.Op Fl C -.Op Fl V -.Op Fl d -.Op Fl F +.Op Fl aCdF +.Op Fl X Ar days +.Op Fl f Ar file +.Op Ar pkg-name ... . . .Sh DESCRIPTION . .Nm checks installed packages for known vulnerabilities and generates reports -including references to security advisories. Its audience are system -administrators or individual users. +including references to security advisories. +Its audience are system administrators or individual users. .Pp -It uses a database maintained by port committers and the FreeBSD security team -to check if security advisories for any installed packages exist. Note that a -current ports tree (or any local copy of the ports tree) is not required for -operation. +.Nm +uses a database maintained by port committers and the FreeBSD security team +to check if security advisories for any installed packages exist. +Note that a current ports tree (or any local copy of the ports tree) is not +required for operation. .Pp -This package also installs two scripts into %%PREFIX%%/etc/periodic that -regularly update this database and include the report of vulnerable packages -in the daily security report. +This package also installs a script into %%PREFIX%%/etc/periodic/security +that regularly updates this database and includes a report of vulnerable +packages in the daily security report. .Pp If you have a vulnerable package installed, you are advised to update or deinstall it immediately. 
@@ -75,20 +74,27 @@ deinstall it immediately. The following options are supported: .Bl -tag -width ".Fl X" .It Fl a -Print a vulnerability report for all installed packages -.It Fl A -Print a vulnerability report for all ports in PORTSDIR (slow). +Print a vulnerability report for all installed packages. .It Fl C Print a vulnerability report for the port in the current working directory. -Mostly useful for committers. +Mostly useful for port developers. .It Fl F Fetch the current database from the -.Fx servers +.Fx servers. .It Fl d -Print the creation date of the database -.It Fl V -Print the version of -.Nm . +Print the creation date of the database. +.It Fl X Ar days +Download a fresh database when the local is at least +.Ar days +old. +.It Fl f Ar file +Check the packages listed in +.Ar file +for known vulnerabilities. +.It Ar pkg-name ... +Test whether +.Ar pkg-name +is listed in the audit database. .El . . @@ -98,11 +104,19 @@ Print the version of .It Fetch the current database and print its creation date: .Pp -.Dl "portaudit -F -d" +.Dl "portaudit -Fd" .It Print a vulnerability report for all installed packages: .Pp -.Dl "portaudit" +.Dl "portaudit -a" +.It +Print a vulnerability report for the local INDEX: +.Pp +.Dl "portaudit -f %%PORTSDIR%%/%%INDEXFILE%%" +.It +Print a vulnerability report for the current set of prebuild packages: +.Pp +.Dl "curl -l ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/ | sed -n -e 's/\.t[bg]z[[:cntrl:]]*$//p' | portaudit -f -" .El . . 
@@ -115,18 +129,10 @@ Print a vulnerability report for all installed packages: .Sh SEE ALSO . .Xr ports 7 , -.Xr periodic 8 , .Xr periodic.conf 5 , -.Li Aq http://people.freebsd.org/~eik/portaudit/ , -.Li Aq http://www.freebsd.org/security/#adv , -.Li Aq http://www.vuxml.org/ . -. -. -.Sh CAVEATS -. -The format of -.Pa %%PREFIX%%/etc/portaudit.conf -might change. +.Li Aq http://www.FreeBSD.org/ports/portaudit/ , +.Li Aq http://www.FreeBSD.org/security/#adv , +.Li Aq http://FreeBSD.VuXML.org/ . . . .Sh BUGS diff --git a/security/portaudit/files/portaudit.conf b/security/portaudit/files/portaudit.conf index 2e73ffcd9830..68fbe9f23888 100644 --- a/security/portaudit/files/portaudit.conf +++ b/security/portaudit/files/portaudit.conf @@ -7,19 +7,10 @@ # # specify a proxy if needed, see fetch(3) -#FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/" +#portaudit_fetch_env="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/" # default fetch command -#FETCH_CMD="/usr/bin/fetch -1m" - -# use passive ftp transfers with extra verbose mode, see fetch(1) -#FETCH_BEFORE_ARGS="-p -vvv" - -#FETCH_AFTER_ARGS= +#portaudit_fetch_cmd="fetch -1amp" # specify a local mirror that generates databases with portaudit-db here -#MASTER_SITE_OVERRIDE="http://my.mirror.sample/path/portaudit/" -# use the following to disable the override -#MASTER_SITE_OVERRIDE=" " - -# uncomment to prefer the UK mirror, at, cz, dk, jp, ro, se, tw and uk are available +#portaudit_sites="http://www.FreeBSD.org/ports/" diff --git a/security/portaudit/files/portaudit.functions b/security/portaudit/files/portaudit.functions deleted file mode 100644 index af9dfe3d086f..000000000000 --- a/security/portaudit/files/portaudit.functions +++ /dev/null 
@@ -1,320 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2004 Oliver Eikemeier. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# 3. Neither the name of the author nor the names of its contributors may be -# used to endorse or promote products derived from this software without -# specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-# -# $FreeBSD$ -# - -portaudit_confs() -{ - portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"} - portaudit_filename=${portaudit_filename:-"auditfile.tbz"} - - FETCH_ENV=${FETCH_ENV:-} - FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1m"} - FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-"-p"} - FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-} - - MASTER_SITE_OVERRIDE=${MASTER_SITE_OVERRIDE:-"http://www.FreeBSD.org/ports/"} - MASTER_SITES=${MASTER_SITES:-" - ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp1.ro.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - http://public.planetmirror.com/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/ - "} - MASTER_SITE_SUBDIR=${MASTER_SITE_SUBDIR:-"eik"} - - MASTER_SITE_BACKUP=${MASTER_SITE_BACKUP:-"http://people.freebsd.org/~eik/portaudit/"} - - #MASTER_SORT_REGEX="\.uk[.\/]" - MASTER_SORT_REGEX=${MASTER_SORT_REGEX:-"#"} - - if [ -r %%PREFIX%%/etc/portaudit.conf ]; then - . 
%%PREFIX%%/etc/portaudit.conf - fi -} - -extract_auditfile() -{ - %%BZIP2_CMD%% -dc -- "${portaudit_dir}/${portaudit_filename}" | \ - /usr/bin/tar -xOf - auditfile -} - -checksum_auditfile() -{ - chksum1=`extract_auditfile | - /usr/bin/sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'` - chksum2=`extract_auditfile | /usr/bin/sed -e '$d' | /sbin/md5` - [ "${chksum1}" = "${chksum2}" ]; -} - -getcreated_auditfile() -{ - extract_auditfile | - /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}) *([0-9]{2}):?([0-9]{2}):?([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/p' -} - -gettimestamp_auditfile() -{ - extract_auditfile | - /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p' -} - -checkexpiry_auditfile() -{ - created=`gettimestamp_auditfile` - expiry=`/bin/date -u -v-$1d '+%Y%m%d'` - [ "${created}" -ge "${expiry}" ]; -} - -portaudit_prerequisites() -{ - if [ -z "${PKG_INFO}" ]; then - if [ -x "%%LOCALBASE%%/sbin/pkg_info" ]; then - PKG_INFO="%%LOCALBASE%%/sbin/pkg_info" - else - PKG_INFO="/usr/sbin/pkg_info" - fi - fi - - PKG_VERSION="${PKG_INFO%/*}/pkg_version" - - if [ ! -x "${PKG_INFO}" ]; then - echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel" - return 1 - fi - - PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null` - if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt %%REQPKGVER%% ]; then - echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel" - return 1 - fi - - if [ ! -r "${portaudit_dir}/${portaudit_filename}" ]; then - echo "portaudit: database missing, run \`portaudit -F' to update." - return 1 - fi - if ! checksum_auditfile; then - echo "portaudit: corrupt database." - return 1 - fi - if ! checkexpiry_auditfile 14; then - echo "portaudit: database too old." 
- return 1 - fi - - return 0 -} - -audit_installed() -{ - extract_auditfile | /usr/bin/awk -F\| ' - BEGIN { vul=0 } - /^(#|\$)/ { next } - { - cmd="'"${PKG_INFO}"' -E \"" $1 "\"" - while((cmd | getline pkg) > 0) { - vul++ - split($2, ref, / /) - print "Affected package: " pkg - print "Type of problem: " $3 "." - for (r in ref) - print "Reference: <" ref[r] ">" - print "" - } - close(cmd) - } - END { - print vul " problem(s) in your installed packages found." - if (vul > 0) { - print "\nYou are advised to update or deinstall" \ - " the affected package(s) immediately." - exit(1) - } - } - ' -} - -audit_file() -{ - extract_auditfile | /usr/bin/awk -F\| ' - BEGIN { vul=0 } - /^(#|\$)/ { next } - { - cmd="'"${PKG_VERSION}"' -T - \"" $1 "\" <\"'"${1}"'\"" - while((cmd | getline pkg) > 0) { - vul++ - split($2, ref, / /) - split(pkg, p) - print "Affected package: " p[1] - print "Type of problem: " $3 "." - for (r in ref) - print "Reference: <" ref[r] ">" - print "" - } - close(cmd) - } - END { - print vul " problem(s) found." - if (vul > 0) { - exit(1) - } - } - ' -} - -audit_args() -{ - VULCNT=0 - while [ $# -gt 0 ]; do - if VLIST=`extract_auditfile | /usr/bin/grep -v '^#' | ${PKG_VERSION} -T "${1}" -`; then - VULCNT=$((${VULCNT}+1)) - echo "${VLIST}" | /usr/bin/awk -F\| '{ - print "Affected package: '${1}' (matched by " $1 ")" - print "Type of problem: " $3 "." - split($2, ref, / /) - for (r in ref) - print "Reference: <" ref[r] ">" - print "" - }' - fi - shift - done - echo "${VULCNT} problem(s) found." - if [ ${VULCNT} -gt 0 ]; then - return 1 - fi -} - -audit_cwd() -{ - if [ ! 
-r "Makefile" ]; then - return 1 - fi - - PKGSTATE=`/usr/bin/make -VPKGNAME -VFORBIDDEN -VPKGORIGIN 2>/dev/null || true"` - PKGNAME=`echo "${PKGSTATE}" | /usr/bin/sed -ne '1p'` - FORBIDDEN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '2p'` - PKGORIGIN=`echo "${PKGSTATE}" | /usr/bin/sed -ne '3p'` - - if VLIST=`extract_auditfile | /usr/bin/grep -v '^#' | ${PKG_VERSION} -T "${PKGNAME}" -`; then - if [ -z "${FORBIDDEN}" ]; then - echo - echo "Port ${PKGNAME} (${PKGORIGIN}) should be marked FORBIDDEN:" - VULCNT=$((${VULCNT}+1)) - elif $opt_verbose; then - echo - echo "Good: port ${PKGNAME} (${PKGORIGIN}) is marked FORBIDDEN: ${FORBIDDEN}" - fi - if [ -z "${FORBIDDEN}" ] || $opt_verbose; then - echo "${VLIST}" | /usr/bin/awk -F\| '{ - split($2, ref, / /) - for (r in ref) - print "- <" ref[r] ">" - }' - fi - fi -} - -fetch_locations() -{ - # site sort order is not overly smart - if [ -n "${MASTER_SITE_OVERRIDE}" ]; then - echo "${MASTER_SITE_OVERRIDE}" - fi - echo ${MASTER_SITES} | /usr/bin/tr -s ' \t' '\n' | /usr/bin/awk " - BEGIN { IGNORECASE=1; srand() } - /^$/ { next } - { - if (\$0 ~ /${MASTER_SORT_REGEX}/ ) rank=0; else rank=rand() - gsub(/%SUBDIR%/, \"${MASTER_SITE_SUBDIR}\") - print \$0 \"\\t\" rank - } - " | /usr/bin/sort -n -k 2 | /usr/bin/cut -f 1 - if [ -n "${MASTER_SITE_BACKUP}" ]; then - echo "${MASTER_SITE_BACKUP}" - fi -} - -fetch_auditfile() -{ - rc=1 - - if [ ! -d "${portaudit_dir}" ]; then - if ! /bin/mkdir -p "${portaudit_dir}"; then - echo "Couldn't create ${portaudit_dir}, try running portaudit -F as root" - return 1 - fi - fi - if [ ! -w "${portaudit_dir}" ]; then - echo "Couldn't write to ${portaudit_dir}, try running portaudit -F as root" - return 1 - - fi - cd "${portaudit_dir}" - if [ -r "${portaudit_filename}" ]; then - /bin/cp "${portaudit_filename}" "${portaudit_filename}.old" - fi - - for site in `fetch_locations`; do - echo ">> Attempting to fetch from ${site}." 
- args="${site}${portaudit_filename}" - /usr/bin/env ${FETCH_ENV} ${FETCH_CMD} ${FETCH_BEFORE_ARGS} ${args} ${FETCH_AFTER_ARGS} - if [ $? -ne 0 ]; then - echo "Couldn't fetch database." - elif [ ! -f "${portaudit_dir}/${portaudit_filename}" ] ; then - echo "no database fetched." - elif ! checksum_auditfile; then - echo "fetched database corrupt." - elif ! checkexpiry_auditfile 7; then - echo "fetched database too old." - else - echo "new database installed." - rc=0 - break - fi - done - if [ -f "${portaudit_filename}.old" ]; then - if [ ${rc} -eq 0 ]; then - /bin/rm -f "${portaudit_filename}.old" - else - /bin/mv -f "${portaudit_filename}.old" "${portaudit_filename}" - echo "old database restored." - fi - fi - if [ -f "${portaudit_filename}" ]; then - /bin/chmod a=r "${portaudit_filename}" - fi - return ${rc} -} diff --git a/security/portaudit/files/portaudit.sh b/security/portaudit/files/portaudit.sh index 9747444be77f..8e3b460ec750 100644 --- a/security/portaudit/files/portaudit.sh +++ b/security/portaudit/files/portaudit.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh -f # # Copyright (c) 2004 Oliver Eikemeier. All rights reserved. # @@ -6,8 +6,8 @@ # modification, are permitted provided that the following conditions are # met: # -# 1. Redistributions of source code must retain the above copyright notice -# this list of conditions and the following disclaimer. +# 1. Redistributions of source code must retain the above copyright notice +# this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the 
@@ -31,34 +31,30 @@
 # $FreeBSD$
 #
-# defaults
-daily_status_portaudit_enable="YES"
-
 # If there is a global system configuration file, suck it in.
 #
-if [ -r /etc/defaults/periodic.conf ]
-then
+if [ -r /etc/defaults/periodic.conf ]; then
 . /etc/defaults/periodic.conf
 source_periodic_confs
 fi
-. %%DATADIR%%/portaudit.functions
-portaudit_confs
-
 rc=0
-case "$daily_status_portaudit_enable" in
- ""|[Yy][Ee][Ss])
- echo ""
- echo "Checking for packages with security vulnerabilities:"
- echo ""
-
- if portaudit_prerequisites; then
- audit_installed || rc=1
- else
- rc=2
- fi
+case "${daily_status_security_portaudit_enable:-YES}" in
+ [Nn][Oo]) ;; *)
+ echo
+ echo "Checking for a current audit database:"
+ echo
+ %%PREFIX%%/sbin/portaudit -X "${daily_status_security_portaudit_expiry:-2}" || rc=$?
+ if [ $rc -lt 2 ]; then
+ %%PREFIX%%/sbin/portaudit -d
+ echo
+ echo "Checking for packages with security vulnerabilities:"
+ echo
+ echo %%PREFIX%%/sbin/portaudit -a |
+ su -fm "${daily_status_security_portaudit_user:-nobody}" || rc=$?
+ fi
 ;;
 esac
diff --git a/security/portaudit/pkg-deinstall b/security/portaudit/pkg-deinstall
index 7e4ebf7c68c4..948c7135abb6 100644
--- a/security/portaudit/pkg-deinstall
+++ b/security/portaudit/pkg-deinstall
@@ -7,11 +7,13 @@ case $2 in
 POST-DEINSTALL)
 echo
 echo "The portaudit package has been deleted."
- echo "If you're *not* upgrading and won't be using"
- echo "it any longer, you may want to remove the"
- echo "portaudit database:"
- echo
- echo " rm -Rf %%DATABASEDIR%%"
+ if [ -f "%%DATABASEDIR%%/auditfile.tbz" ]; then
+ echo "If you're *not* upgrading and won't be using"
+ echo "it any longer, you may want to remove the"
+ echo "portaudit database:"
+ echo
+ echo " rm -Rf %%DATABASEDIR%%"
+ fi
 echo
 ;;
 esac
diff --git a/security/portaudit/pkg-install b/security/portaudit/pkg-install
index 158f0e25ee15..6ee3e0433e46 100644
--- a/security/portaudit/pkg-install
+++ b/security/portaudit/pkg-install
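Review bot: The `su -fm` line drops privileges for the audit but leaves undocumented why `-m` is used and why the command is piped on stdin instead of passed with `-c`; on FreeBSD `su -m` keeps the caller's environment and starts the invoking user's login shell (root's, which may be csh), so the command has to stay shell-neutral and runs with whatever PATH periodic(8) had. A comment such as `# -m keeps periodic's environment; the command is piped because su -m runs root's login shell, not necessarily sh` would spare the next reader the trip to su(1). The `[ $rc -lt 2 ]` threshold after `portaudit -X` is likewise unexplained — presumably exit 1 means the database is older than the expiry but still present, while 2 or more means nothing usable — so a line stating the actual codes, e.g. `# -X exit codes: 0 current, 1 stale but auditable, >=2 no usable database`, should accompany it once confirmed against the portaudit script. The `case`/`esac` block is complete within this hunk.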
@@ -3,13 +3,33 @@
 # $FreeBSD$
 #
+PREFIX="${PREFIX:-%%PREFIX%%}"
+
 case $2 in
+PRE-INSTALL)
+ if egrep -qs "^(FETCH|MASTER_SITE)_" "$PREFIX/etc/portaudit.conf" ;then
+ echo
+ echo "*** WARNING ***"
+ echo
+ echo "The preference file format has changed. Please edit"
+ echo " $PREFIX/etc/portaudit.conf"
+ echo
+ fi
+ if egrep -qs "^daily_status_portaudit_" "/etc/periodic.conf" ;then
+ echo
+ echo "*** WARNING ***"
+ echo
+ echo "The periodic(8) names have changed. Please edit"
+ echo " /etc/periodic.conf"
+ echo
+ fi
+ ;;
 POST-INSTALL)
 if [ ! -f "%%DATABASEDIR%%/auditfile.tbz" ]; then
 echo
- echo "===> To check your installed ports for known vulnerabilities now do:"
+ echo "===> To check your installed ports for known vulnerabilities now, do:"
 echo
- echo " %%PREFIX%%/bin/portaudit -Fda"
+ echo " $PREFIX/sbin/portaudit -Fda"
 echo
 fi
 ;;
diff --git a/security/portaudit/pkg-plist b/security/portaudit/pkg-plist
index 901547d3196e..84b4ccaaf52e 100644
--- a/security/portaudit/pkg-plist
+++ b/security/portaudit/pkg-plist
@@ -1,11 +1,7 @@
-bin/portaudit
+sbin/portaudit
 etc/portaudit.conf.sample
-%%PERIODICDIR%%/security/910.portaudit
-%%PERIODICDIR%%/daily/330.fetchaudit
-%%DATADIR%%/portaudit.functions
+%%PERIODICDIR%%/security/410.portaudit
 @unexec rmdir %D/%%PERIODICDIR%%/security 2>/dev/null || true
-@unexec rmdir %D/%%PERIODICDIR%%/daily 2>/dev/null || true
 @unexec rmdir %D/%%PERIODICDIR%% 2>/dev/null || true
-@dirrm %%DATADIR%%
 @exec mkdir -p %%DATABASEDIR%%
 @unexec rmdir %%DATABASEDIR%% 2>/dev/null || true
|
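Review bot: The two PRE-INSTALL checks only match settings at column 0 and only in the files named, so an old-style `daily_status_portaudit_*` name in /etc/periodic.conf.local — which `source_periodic_confs` in the periodic script also loads, per periodic.conf(5) — goes unwarned, as does any indented assignment. Matching `"^[[:space:]]*daily_status_portaudit_" /etc/periodic.conf /etc/periodic.conf.local` (and `"^[[:space:]]*(FETCH|MASTER_SITE)_"` for the conf file) closes both gaps, and `-s` already keeps a missing file quiet. Because the checks only warn rather than abort, a missed case costs a silent stale setting, not a broken install. The `case` statement continues past the end of the hunk.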
