Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
app-admin/checksec
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
CaptainBlood
Advocate
Advocate


Joined: 24 Jan 2010
Posts: 3976

PostPosted: Sat Jul 13, 2024 6:42 pm    Post subject: app-admin/checksec Reply with quote

Another tool that helps checking the security configuration of a system.

Stable worked out of the box here.
Latest keyworded requires sys-apps/grep[pcre] here which isn't defaulted to, just another untested published ebuild.
The later possibly provides better accuracy.

github

Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22804

PostPosted: Sat Jul 13, 2024 7:42 pm    Post subject: Re: app-admin/checksec Reply with quote

CaptainBlood wrote:
Latest keyworded requires sys-apps/grep[pcre] here which isn't defaulted to, just another untested published ebuild.
What did you see that led you to think that USE=pcre is needed here? Is there an open bug report about this?
Back to top
View user's profile Send private message
CaptainBlood
Advocate
Advocate


Joined: 24 Jan 2010
Posts: 3976

PostPosted: Sat Jul 13, 2024 8:10 pm    Post subject: Reply with quote

The point of this post is about how useful a package can be.

Code:
grep: Perl matching not supported in a --disable-perl-regexp build

And no I won"t open a bug report for an untested keyworded ebuild, sorry.

The rest is a side effect of upstream organization.
Plz feel free 2 turn to the ones in charge, if any.

Code:
2024-07-13T20:27:39 >>> app-admin/checksec: 1′39″
May be this will encourage you to do a less than 5 mn testing, and hopefully do the reporting.

Thks 4 your attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20506

PostPosted: Sat Jul 13, 2024 8:38 pm    Post subject: Reply with quote

You didn't mention a version, but the package has a stable version on the "common" platforms.
Code:
$ eshowkw checksec
Keywords for app-admin/checksec:
         |                               |   u   | 
         | a   a     p s     l r   a     |   n   | 
         | m   r h   p p   i o i s l m m | e u s | r
         | d a m p p c a x a o s 3 p 6 i | a s l | e
         | 6 r 6 p p 6 r 8 6 n c 9 h 8 p | p e o | p
         | 4 m 4 a c 4 c 6 4 g v 0 a k s | i d t | o
---------+-------------------------------+-------+-------
2.4.0-r1 | + + + o ~ + ~ + o o ~ o o o ~ | 7 o 0 | gentoo
2.5.0-r1 | ~ ~ ~ o ~ ~ ~ ~ o o ~ o o o ~ | 7 #   | gentoo
2.6.0-r1 | ~ ~ ~ o ~ ~ ~ ~ o ~ ~ o o o ~ | 8 #   | gentoo
2.7.0    | ~ ~ ~ o ~ ~ ~ ~ o ~ ~ o o o ~ | 8 #   | gentoo
2.7.1    | ~ ~ ~ o ~ ~ ~ ~ o ~ ~ o o o ~ | 8 o   | gentoo
Filing bug reports on a ~ package version is one way they can become stable.
_________________
Quis separabit? Quo animo?
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22804

PostPosted: Sat Jul 13, 2024 9:33 pm    Post subject: Reply with quote

CaptainBlood wrote:
The point of this post is about how useful a package can be.
It looked like the point was to gripe that the RDEPEND for app-admin/checksec was not perfect out of the box. I'm not involved with this package, but I've had USE=pcre on my grep for years, so if I were the one testing this, I would have missed this in simple run testing. Only an inspection of every invocation of grep in the package would have flagged it.
CaptainBlood wrote:
Code:
grep: Perl matching not supported in a --disable-perl-regexp build
Yes, that looks like grep's error message for using -P when PCRE support is missing. However, you did not show how checksec reached that point. Is it a failure to build? A failure to run? If the latter, with what options?
CaptainBlood wrote:
And no I won"t open a bug report for an untested keyworded ebuild, sorry.
Then no one will notice that this has a problem, and it will not get better. If you don't want to report bugs, you should be prepared for bugs to linger in packages that you use.
CaptainBlood wrote:
The rest is a side effect of upstream organization.
Plz feel free 2 turn to the ones in charge, if any.
I don't understand this. I'm trying to get you to contribute to the community instead of just complaining that someone missed a dependency (which, per above, I would have missed if I were the tester and only checked that it ran correctly).
CaptainBlood wrote:
Code:
2024-07-13T20:27:39 >>> app-admin/checksec: 1′39″
May be this will encourage you to do a less than 5 mn testing, and hopefully do the reporting.
I have no use for this package. I don't know how you provoked the error. My grep won't fail with it, because I have USE=pcre. Therefore, no, it will not encourage me. You are already set up to file the report, you know how to make it fail, and you seem to care about whether this is right. Therefore, it seems to me like you are better positioned to make the report, and to answer any follow-up questions about it.
Back to top
View user's profile Send private message
CaptainBlood
Advocate
Advocate


Joined: 24 Jan 2010
Posts: 3976

PostPosted: Sun Jul 14, 2024 5:59 am    Post subject: Reply with quote

Code:
grep "\-E" /usr/bin/checksec
    coreValue=$(grep -Exic "hard[[:blank:]]+core[[:blank:]]+0" /etc/security/limits.conf)
    coreValueDefault=$(grep -Exic "\*[[:blank:]]+hard[[:blank:]]+core[[:blank:]]+0" /etc/security/limits.conf)
  if ${readelf} -s "${use_dynamic}" "${1}" 2> /dev/null | grep " UND " | grep -Eq '__stack_chk_fail|__stack_chk_guard|__intel_security_cookie'; then
    #if $readelf -s "$1" 2>/dev/null | grep -Eq '\.cfi'; then
    if $readelf -s "${use_dynamic}" "$1" 2> /dev/null | grep -Eq '__safestack_init'; then
    if ${readelf} -s "${1}/exe" 2> /dev/null | grep " UND " | grep -Eq '__stack_chk_fail|__stack_chk_guard|__intel_security_cookie'; then
    #if $readelf -s "$1" 2>/dev/null | grep -Eq '\.cfi'; then
    if $readelf -s "$1/exe" 2> /dev/null | grep -Eq '__safestack_init'; then

Changelog isn't clear about this new requirement, starting with app-admin/checksec-2.7.0 though.

Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum