From ab@purple.the-7.net  Wed Aug  6 19:41:41 2003
Return-Path: <ab@purple.the-7.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C727237B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  6 Aug 2003 19:41:41 -0700 (PDT)
Received: from purple.the-7.net (purple.the-7.net [38.112.128.116])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B0F4D43FA3
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  6 Aug 2003 19:41:40 -0700 (PDT)
	(envelope-from ab@purple.the-7.net)
Received: from purple.the-7.net (localhost [127.0.0.1])
	by purple.the-7.net (8.12.9/8.12.9) with ESMTP id h772fdtd045698
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 6 Aug 2003 19:41:39 -0700 (PDT)
	(envelope-from ab@purple.the-7.net)
Received: (from ab@localhost)
	by purple.the-7.net (8.12.9/8.12.9/Submit) id h772fd6E045697;
	Wed, 6 Aug 2003 19:41:39 -0700 (PDT)
	(envelope-from ab)
Message-Id: <200308070241.h772fd6E045697@purple.the-7.net>
Date: Wed, 6 Aug 2003 19:41:39 -0700 (PDT)
From: "Eugene M. Kim" <ab@astralblue.com>
Reply-To: "Eugene M. Kim" <ab@astralblue.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Port security check (`security-check' target) is too slow
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         55331
>Category:       ports
>Synopsis:       Port security check (`security-check' target) is too slow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    portmgr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 06 19:50:13 PDT 2003
>Closed-Date:    Tue Jan 20 11:15:05 PST 2004
>Last-Modified:  Tue Jan 20 11:15:05 PST 2004
>Originator:     Eugene M. Kim
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
	System: FreeBSD seerajeane.astralblue.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Thu Jul 24 01:34:43 PDT 2003 root@seerajeane.astralblue.net:/home/root/build/usr/obj/usr/src/sys/PL-SEERAJEANE i386

>Description:
	The current security check procedure (defined in Mk/bsd.ports.mk)
	executes several utility processes such as objdump(1) and find(1)
	once for each file.  This is very inefficient in case of ports that
	install huge number of files.

>How-To-Repeat:
	`make generate-plist security-check' for any of such ports already
	installed on the system.

>Fix:
	The patch found at:

		http://purple.the-7.net/~ab/faster-security-check.diff

	addresses this problem by letting the utility commands handle many
	files at once using xargs(1).  An awk(1) script,
	Tools/script/security-check.awk, is used to parse the result from
	those commands to generate suitable warning messages.  I wrote this
	script using the One True Awk on 5-current, and perky@ verified
	that the script worked on 4-stable as well.

	The original security check target can be used by giving the
	-DOLD_SECURITY_CHECK knob to make.  Apart from the order of
	individual files reported, the new target is designed to provide
	the same output as the original one.  Individual ports can define
	this knob too, should the new method fails to work with them.

	The rough flow (all .PLIST files are in ${WRKDIR}):

	o .PLIST.flattened is the packing list file with an absolute
	  pathname for all files listed in TMPPLIST, and is created from
	  TMPPLIST by applying ${PREFIX} and @cwd directives, if any, to
	  the regular files listed in TMPPLIST.

	o .PLIST.objdump is the output from objdump(1) -R performed on each
	  regular file in .PLIST.flattened.  Generated by feeding
	  .PLIST.flattened to a `tr | xargs find | xargs objdump -R'
	  pipeline.

	o .PLIST.setuid and .PLIST.writeable are the list of setuid/setgid
	  files and the list of world-writable files/directories.  Generated
	  by feeding .PLIST.flattened to `tr | xargs find' pipelines.

	o Finally, Tools/script/security-check.awk is invoked on all these
	  four files to parse them and print warnings.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->portmgr 
Responsible-Changed-By: marcus 
Responsible-Changed-When: Wed Aug 6 20:05:49 PDT 2003 
Responsible-Changed-Why:  
bsd.port.mk is portmgr territory. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55331 
State-Changed-From-To: open->analyzed 
State-Changed-By: marcus 
State-Changed-When: Wed Jan 14 21:59:43 PST 2004 
State-Changed-Why:  
This patch is currently being tested on bento. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55331 
State-Changed-From-To: analyzed->closed 
State-Changed-By: marcus 
State-Changed-When: Tue Jan 20 11:14:53 PST 2004 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55331 
>Unformatted:
