
ports/2904: ports are built as the (possibly privileged) user who types make

From: <s(at)msmith.net>
Date: Sat Aug 24 2002 - 14:23:41 EDT


>Number: 2904
>Category: ports
>Synopsis: ports are built as the (possibly privileged) user who types make
>Confidential: no
        

	System      : OpenBSD 3.1
	Architecture: OpenBSD.i386
	Machine     : i386

>Description:

Ports are built and configured by the (possibly privileged) user who types the make command. Recent OpenSSH, irssi and other configure trojans show this is not a good idea.

The below patch moves the unpacking, configuring, building of software to an unprivileged user who can then be restricted. The fetch is still executed by the person who runs make. And only code which is downloaded may be executed.

>How-To-Repeat:

  build ports.

>Fix:

This patch assumes that there is something similar to the following in /etc/master.passwd (and the corresponding entry in /etc/group)

    portsbuilder:*:73:73::0:0:Ports Building user:/nonexistent:/sbin/nologin

You can also add the following to /etc/pf.conf

    block out all user portsbuilder

meaning the build process may only execute code on the local machine, and not stuff dumped to it over arbitrary ports.


This patch could be trivially extended to call systrace(1) as well as sudo(8) allowing for even finer grained control. Writing the policies is not trivial however.

You must have configured SUDO and also allow the user you execute make as to use sudo(8) to become the user you define as ${PORTSBUILDER_USER} Executing make fetch currently does not recurse to dependancies of a port. This is annoying for this, but should be fixed separately. Comments on the patch appreciated.

This port changes nothing for those who do not have SUDO defined. This could arguably be described as a bug.

Index: infrastructure/mk/bsd.port.mk



RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v retrieving revision 1.533
diff -u -r1.533 bsd.port.mk
--- infrastructure/mk/bsd.port.mk	7 Aug 2002 15:48:19 -0000	1.533
+++ infrastructure/mk/bsd.port.mk	24 Aug 2002 17:30:43 -0000
@@ -217,6 +217,14 @@
 _BUILDLIBLIST=${WRKDIR}/.buildliblist-${ARCH}${_FLAVOR_EXT2}    
+SUDO_PORTSBUILDER?=
+# who port configuration is done as. 
+PORTSBUILDER_USER=portsbuilder
+.if defined(SUDO)
+# could add systrace limitations in here as well
+SUDO_PORTSBUILDER=	${SUDO} -u ${PORTSBUILDER_USER} 
+.endif
+
 # Get the architecture
 ARCH!=	uname -m
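Review bot: `PORTSBUILDER_USER=portsbuilder` is an unconditional assignment, so a value set earlier (for example in mk.conf) is overwritten, although the report describes the account as something the administrator defines; `PORTSBUILDER_USER?=portsbuilder` would match the `SUDO_PORTSBUILDER?=` line above it. Because the variable is now always defined, the `.if defined(PORTSBUILDER_USER)` test in the `${_REAL_CLEAN}` hunk is always true even when SUDO is unset, and its `.else` branch is dead; testing `!empty(SUDO_PORTSBUILDER)` there would follow the actual privilege drop. The comment could also say what the account is for, e.g. `# unprivileged account that extract, patch, configure and build run as when SUDO is set`.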
 
@@ -477,10 +485,13 @@
 _WRKDIR_COOKIE=		${WRKDIR}/.extract_started
 _EXTRACT_COOKIE=	${WRKDIR}/.extract_done
 _PATCH_COOKIE=		${WRKDIR}/.patch_done
+_REAL_PATCH_COOKIE=		${WRKDIR}/.real_patch_done
 _DISTPATCH_COOKIE=	${WRKDIR}/.distpatch_done
+_REAL_DISTPATCH_COOKIE=		${WRKDIR}/.real_patch_done
 _PREPATCH_COOKIE=	${WRKDIR}/.prepatch_done
 _INSTALL_COOKIE=	${PKG_DBDIR}/${FULLPKGNAME${SUBPACKAGE}}/+CONTENTS
 _BULK_COOKIE=		${BULK_COOKIES_DIR}/${FULLPKGNAME}
+_REAL_EXTRACT_COOKIE=	${WRKDIR}/.real_extract_done
 .if ${FAKE:L} == "yes"
 _FAKE_COOKIE=		${WRKINST}/.fake_done

 _INSTALL_PRE_COOKIE=${WRKINST}/.install_started
@@ -493,12 +504,17 @@
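Review bot: `_REAL_DISTPATCH_COOKIE` is set to `${WRKDIR}/.real_patch_done`, the same path as `_REAL_PATCH_COOKIE` two lines above, so the `${_REAL_DISTPATCH_COOKIE}:` and `${_REAL_PATCH_COOKIE}:` rules added later in this patch name one file. Make would then see two command lists for a single target, and whichever phase writes the cookie first would mark the other as done. This looks like a copy-paste slip; the line should read `_REAL_DISTPATCH_COOKIE=	${WRKDIR}/.real_distpatch_done`.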
 _PACKAGE_COOKIE= ${PKGFILE}
 .if defined(SEPARATE_BUILD)
 _CONFIGURE_COOKIE=	${WRKBUILD}/.configure_done
+_REAL_CONFIGURE_COOKIE=	${WRKBUILD}/.real_configure_done
 _BUILD_COOKIE=		${WRKBUILD}/.build_done
+_REAL_BUILD_COOKIE=		${WRKBUILD}/.real_build_done
 _REGRESS_COOKIE=	${WRKBUILD}/.regress_done
 .else
 _CONFIGURE_COOKIE=	${WRKDIR}/.configure_done
+_REAL_CONFIGURE_COOKIE=	${WRKDIR}/.real_configure_done
 _BUILD_COOKIE=		${WRKDIR}/.build_done
+_REAL_BUILD_COOKIE=		${WRKDIR}/.real_build_done
 _REGRESS_COOKIE=	${WRKDIR}/.regress_done
+_REAL_CLEAN=		${WRKBUILD}/.real_clean

 .endif  

 _ALL_COOKIES=${_EXTRACT_COOKIE} ${_PATCH_COOKIE} ${_CONFIGURE_COOKIE} \
@@ -1421,14 +1437,13 @@
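Review bot: `_REAL_CLEAN` is assigned only in the `.else` branch, so with SEPARATE_BUILD defined it stays empty and the `${MAKE} ${_REAL_CLEAN}` call added to `clean` runs a sub-make with no target at all, under the build account. The assignment belongs after the `.endif`, next to the other unconditional cookies. Since the rule is used as a command rather than a stamp, a path under `${WRKBUILD}` is also fragile: the rule has no prerequisites, so if a file of that name ever exists the clean is skipped; declaring the target `.PHONY` or using a plain target name avoids that.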
 # What FETCH normally does:
 . if !empty(ALLFILES)

         @cd ${.CURDIR} && exec ${MAKE} ${ALLFILES:S@^@${FULLDISTDIR}/@}
-. endif
+. endif
 # End of FETCH
 . endif
 . if target(post-fetch)

         @cd ${.CURDIR} && exec ${MAKE} post-fetch
 . endif  

-
 # Set to true to try to retrieve older distfiles from ftp.openbsd.org if
 # checksums no longer match.  


@@ -1571,12 +1586,15 @@

         @${_create_wrkobjdir}
 . else

 	@rm -rf ${WRKDIR}
-	@mkdir -p ${WRKDIR}
+	@mkdir -p -m 775 ${WRKDIR}
 .  endif
-	@mkdir -p ${WRKDIR}/bin
+	@mkdir -p -m 775 ${WRKDIR}/bin
 	@${_MAKE_COOKIE} $@
 
 ${_EXTRACT_COOKIE}: ${_WRKDIR_COOKIE} 
+	@${SUDO_PORTSBUILDER} ${MAKE} ${_REAL_EXTRACT_COOKIE}
+
+${_REAL_EXTRACT_COOKIE}:
 	@cd ${.CURDIR} && exec ${MAKE} checksum build-depends lib-depends misc-depends
 	@${ECHO_MSG} "===>  Extracting for ${FULLPKGNAME}${_MASTER}"
 .if target(pre-extract)
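Review bot: The `checksum build-depends lib-depends misc-depends` sub-make stays in the body that now belongs to `${_REAL_EXTRACT_COOKIE}`, so dependency handling also runs under `${SUDO_PORTSBUILDER}`. Installing a missing dependency needs `${SUDO}` from that account, and the fetch guard added further down stops any download it would trigger, so a port with uninstalled dependencies or unfetched distfiles would probably fail here unless the build account is given wider sudo rights, which defeats the separation. Keeping that line in the wrapper, before the `${SUDO_PORTSBUILDER}` call, leaves dependencies with the invoking user: `@cd ${.CURDIR} && exec ${MAKE} checksum build-depends lib-depends misc-depends`. The rule body continues past the end of the hunk.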
@@ -1613,9 +1631,13 @@      

-# The real distpatch  

 ${_DISTPATCH_COOKIE}: ${_EXTRACT_COOKIE}

+	@${SUDO_PORTSBUILDER} ${MAKE} ${_REAL_DISTPATCH_COOKIE}
+
+# The real distpatch
+
+${_REAL_DISTPATCH_COOKIE}:
 .if target(pre-patch)
 	@cd ${.CURDIR} && exec ${MAKE} ${_PREPATCH_COOKIE}
 .endif
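Review bot: The wrapper rule `${_DISTPATCH_COOKIE}` now contains only the sudo sub-make, and the `${_MAKE_COOKIE} $@` that closes the old body (visible as context at the top of the next hunk) now expands to the `_REAL_` cookie, so nothing visible creates `${_DISTPATCH_COOKIE}` itself. The same holds for the extract, patch, configure and build wrappers. If that is right, every later `make` re-enters sudo for each phase and anything that tests the original cookies sees the port as never extracted or patched; adding `@${_MAKE_COOKIE} $@` after the sudo line in each wrapper would restore them. The body of the real rule runs past the hunk, so this needs checking against the full file.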
@@ -1645,9 +1667,15 @@

         @${_MAKE_COOKIE} $@
 .endif  

+
+
 # The real patch  

 ${_PATCH_COOKIE}: ${_EXTRACT_COOKIE}

+	@${SUDO_PORTSBUILDER} ${MAKE} ${_REAL_PATCH_COOKIE}
+	
+
+${_REAL_PATCH_COOKIE}: 
 	@${ECHO_MSG} "===>  Patching for ${FULLPKGNAME}${_MASTER}"
 .if target(pre-patch)
 	@cd ${.CURDIR} && exec ${MAKE} ${_PREPATCH_COOKIE}
@@ -1712,11 +1740,14 @@
 		YACC="${YACC}" \
 		${CONFIGURE_ENV} ${_CONFIGURE_SCRIPT} ${CONFIGURE_ARGS}
 

-# The real configure  


 ${_CONFIGURE_COOKIE}: ${_PATCH_COOKIE}

+	@${SUDO_PORTSBUILDER} ${MAKE} ${_REAL_CONFIGURE_COOKIE}
+
+# The real configure optionally running as ${PORTSBUILDER}
+${_REAL_CONFIGURE_COOKIE}:
 	@${ECHO_MSG} "===>  Configuring for ${FULLPKGNAME}${_MASTER}"
-	@mkdir -p ${WRKBUILD} ${WRKPKG}
+	@mkdir -p -m 775  ${WRKBUILD} ${WRKPKG}
 .if target(pre-configure)
 	@cd ${.CURDIR} && exec ${MAKE} pre-configure
 .endif
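Review bot: The new comment refers to `${PORTSBUILDER}`, a variable this patch never defines; the account is `${PORTSBUILDER_USER}`, and the privilege drop happens only when SUDO is set. Suggested wording: `# The real configure; runs as ${PORTSBUILDER_USER} when SUDO is defined`. The `mkdir -p -m 775` line also deserves a comment naming the group expected to own `${WRKBUILD}` and `${WRKPKG}`, since the hunk does not show how the invoking user and the build account come to share one.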
@@ -1745,6 +1776,9 @@
 # The real build  

 ${_BUILD_COOKIE}: ${_CONFIGURE_COOKIE}

+	@${SUDO_PORTSBUILDER} ${MAKE} ${_REAL_BUILD_COOKIE}
+
+${_REAL_BUILD_COOKIE}:
 .if ${NO_BUILD:L} == "no"
 	@${ECHO_MSG} "===>  Building for ${FULLPKGNAME}${_MASTER}"
 .if ${VMEM_WARNING:L} == "yes"
@@ -1948,6 +1982,12 @@
 	${ECHO_MSG} ">> $$f doesn't seem to exist on this system."; \
 	${_CDROM_OVERRIDE}; \
 	${_SITE_SELECTOR}; \
+    if [ "${USER}" = "${PORTSBUILDER_USER}" ]; then \
+	  ${ECHO_MSG} "===>  You should fetch the files using make fetch rather than"; \
+	  ${ECHO_MSG} "        as a dependancy. "; \
+	  ${ECHO_MSG} "      Run 'make fetch' and then reissue your command. "; \
+      exit 1; \
+	fi; \
 	for site in $$sites; do \
 		${ECHO_MSG} ">> Attempting to fetch ${_F} from $${site}."; \
 		if ${FETCH_CMD} ${FETCH_BEFORE_ARGS} $${site}$$f ${FETCH_AFTER_ARGS}; then \
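Review bot: The guard compares `${USER}`, which make takes from the environment, so it works only if sudo resets USER for the target account; with an environment-preserving sudo configuration the check is skipped and the fetch loop runs as the build account. Asking the system instead is more reliable: `if [ "$$(id -un)" = "${PORTSBUILDER_USER}" ]; then \`. The added lines also mix spaces and tabs for indentation, and the message spells `dependancy`. The enclosing shell fragment starts and ends outside the hunk.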
@@ -2092,12 +2132,21 @@  

 .if !target(clean)
 clean: pre-clean

-.  if ${clean:L:Mdepends}
-	@cd ${.CURDIR} && exec ${MAKE} clean-depends
-.  endif
 	@${ECHO_MSG} "===>  Cleaning for ${FULLPKGNAME${SUBPACKAGE}}"
+	@${SUDO_PORTSBUILDER} ${MAKE} ${_REAL_CLEAN}
+.  if ${clean:L:Mdist}
+	@${ECHO_MSG} "===>  Dist cleaning for ${FULLPKGNAME${SUBPACKAGE}}"
+	@if cd ${FULLDISTDIR} 2>/dev/null; then \
+		if [ "${_DISTFILES}" -o "${_PATCHFILES}" ]; then \
+			rm -f ${_DISTFILES} ${_PATCHFILES}; \
+		fi \
+	 fi
+.    if defined(DIST_SUBDIR) && !empty(DIST_SUBDIR)
+	 @rmdir ${FULLDISTDIR}  
+.    endif

+. endif
 . if ${clean:L:Mfake}
-	@if cd ${WRKINST} 2>/dev/null; then ${SUDO} rm -rf ${WRKINST}; fi
+	-@if [ -d ${WRKINST} ] ; then ${SUDO} rm -rf ${WRKINST} 2>/dev/null ; fi
 .  endif

 . if ${clean:L:Mwork}
 . if ${clean:L:Mflavors}
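Review bot: The relocated dist-clean block runs `@rmdir ${FULLDISTDIR}` without the leading `-` the removed version had (`-@rmdir`), so a distfiles subdirectory that still holds other files now makes `clean=dist` fail instead of being left in place. Restoring `-@rmdir ${FULLDISTDIR}` keeps the old behaviour. Separately, the `fake` line gains both a `-` prefix and `2>/dev/null`, which hides a failed `${SUDO} rm -rf ${WRKINST}` completely; one of the two is enough. The `clean` rule continues in the next hunk.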
@@ -2106,21 +2155,10 @@
 		${SUDO} rm -rf $$i; \
 	done
 .    else
-	@if [ -L ${WRKDIR} ]; then rm -rf `readlink ${WRKDIR}`; fi
-	@rm -rf ${WRKDIR}
+	@-if [ -L ${WRKDIR} ]; then ${SUDO} rm -rf `readlink ${WRKDIR}` 2>/dev/null ; fi
+	@-${SUDO} rm -rf ${WRKDIR} 2>/dev/null
 .    endif 

 . endif
-.  if ${clean:L:Mdist}
-	@${ECHO_MSG} "===>  Dist cleaning for ${FULLPKGNAME${SUBPACKAGE}}"
-	@if cd ${FULLDISTDIR} 2>/dev/null; then \
-		if [ "${_DISTFILES}" -o "${_PATCHFILES}" ]; then \
-			rm -f ${_DISTFILES} ${_PATCHFILES}; \
-		fi \
-	fi
-.    if defined(DIST_SUBDIR) && !empty(DIST_SUBDIR)
-	-@rmdir ${FULLDISTDIR}  
-.    endif
-.  endif
 .  if ${clean:L:Minstall}
 .    if ${clean:L:Msub}
 .	   for _s in ${MULTI_PACKAGES}
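Review bot: Both work-directory removals change from a plain `rm -rf` to `${SUDO} rm -rf`, so the one step that walks a tree written by the untrusted build now runs with whatever privileges `${SUDO}` grants, including on the path that `readlink ${WRKDIR}` returns. If the build account can ever replace that link, the privileged removal follows it. Removing build-owned files as the build account (`${SUDO_PORTSBUILDER} rm -rf ${WRKDIR}`) and the remainder as the invoking user keeps root out of the cleanup; at minimum the command substitution on the readlink line should be quoted. The `-` prefix combined with `2>/dev/null` also means a failed removal is reported nowhere.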
@@ -2130,15 +2168,30 @@
 	-${SUDO} ${PKG_DELETE} ${clean:M-f} ${FULLPKGNAME${SUBPACKAGE}}
 . endif
 . endif
+
+${_REAL_CLEAN}:
+.  if ${clean:L:Mdepends}
+	@cd ${.CURDIR} && exec ${MAKE} clean-depends
+.  endif
 .  if ${clean:L:Mpackages} || ${clean:L:Mpackage} && ${clean:L:Msub}
-	rm -f ${_PACKAGE_COOKIES}
+	rm -f ${_PACKAGE_COOKIES} 2>/dev/null
 .  elif ${clean:L:Mpackage}
-	rm -f ${PKGFILE${SUBPACKAGE}}
+ rm -f ${PKGFILE${SUBPACKAGE}} 2>/dev/null
 . endif
 .  if ${clean:L:Mbulk}
-	rm -f ${_BULK_COOKIE}
+	rm -f ${_BULK_COOKIE} 2>/dev/null
 .  endif
-.endif
+.  if ${clean:L:Mwork}
+.    if ! ${clean:L:Mflavors}
+.     if defined(PORTSBUILDER_USER)
+	    @-if [ -d ${WRKDIR} ]; then \
+		   find ${WRKDIR} -user ${PORTSBUILDER_USER} | xargs  rm -rf ; fi
+.  	   else
+	    -if [ -d ${WRKDIR} ]; then rm -rf ${WRKDIR} 2>/dev/null; fi
+.      endif
+.    endif 

+. endif
+.endif #!target(clean)  

 .if !target(pre-distclean)
 pre-distclean:
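Review bot: `find ${WRKDIR} -user ${PORTSBUILDER_USER} | xargs  rm -rf` splits names on whitespace, and the names come from unpacked distfiles, so an unusual file name can make `rm -rf` act on a path other than the one found. `find ${WRKDIR} -user ${PORTSBUILDER_USER} -print0 | xargs -0 rm -rf` passes names intact. The surrounding `.if defined(PORTSBUILDER_USER)` is always true because the variable is assigned unconditionally earlier in the patch, so the `.else` branch never runs. Moving the `rm -f ${_PACKAGE_COOKIES}` and `${_BULK_COOKIE}` lines into this rule also means they run as the build account with errors discarded; if those files belong to the invoking user the removal would fail silently.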

>Release-Note:
Received on Thu Nov 7 15:59:45 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:36 EDT

