CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3858
|
Posted: Sat Jul 13, 2024 6:42 pm Post subject: app-admin/checksec |
|
|
Another tool that helps checking the security configuration of a system.
Stable worked out of the box here.
Latest keyworded requires sys-apps/grep[pcre] here which isn't defaulted to, just another untested published ebuild.
The latter possibly provides better accuracy.
github
Thks 4 ur attention, interest & support. _________________ USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22651
|
Posted: Sat Jul 13, 2024 7:42 pm Post subject: Re: app-admin/checksec |
|
|
CaptainBlood wrote: | Latest keyworded requires sys-apps/grep[pcre] here which isn't defaulted to, just another untested published ebuild. |
What did you see that led you to think that USE=pcre is needed here? Is there an open bug report about this? |
|
|
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3858
|
Posted: Sat Jul 13, 2024 8:10 pm Post subject: |
|
|
The point of this post is about how useful a package can be.
Code: | grep: Perl matching not supported in a --disable-perl-regexp build |
And no I won't open a bug report for an untested keyworded ebuild, sorry.
The rest is a side effect of upstream organization.
Plz feel free 2 turn to the ones in charge, if any.
Code: | 2024-07-13T20:27:39 >>> app-admin/checksec: 1′39″ |
Maybe this will encourage you to do a less than 5 mn testing, and hopefully do the reporting.
Thks 4 your attention, interest & support. |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20485
|
Posted: Sat Jul 13, 2024 8:38 pm Post subject: |
|
|
You didn't mention a version, but the package has a stable version on the "common" platforms.
Code: |
$ eshowkw checksec
Keywords for app-admin/checksec:
         |                               |   u   |
         | a   a     p s     l r   a     |   n   |
         | m   r h   p p   i o i s l m m | e u s | r
         | d a m p p c a x a o s 3 p 6 i | a s l | e
         | 6 r 6 p p 6 r 8 6 n c 9 h 8 p | p e o | p
         | 4 m 4 a c 4 c 6 4 g v 0 a k s | i d t | o
---------+-------------------------------+-------+-------
2.4.0-r1 | + + + o ~ + ~ + o o ~ o o o ~ | 7 o 0 | gentoo
2.5.0-r1 | ~ ~ ~ o ~ ~ ~ ~ o o ~ o o o ~ | 7 #   | gentoo
2.6.0-r1 | ~ ~ ~ o ~ ~ ~ ~ o ~ ~ o o o ~ | 8 #   | gentoo
2.7.0    | ~ ~ ~ o ~ ~ ~ ~ o ~ ~ o o o ~ | 8 #   | gentoo
2.7.1    | ~ ~ ~ o ~ ~ ~ ~ o ~ ~ o o o ~ | 8 o   | gentoo
|
Filing bug reports on a ~ package version is one way they can become stable. _________________ Quis separabit? Quo animo? |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22651
|
Posted: Sat Jul 13, 2024 9:33 pm Post subject: |
|
|
CaptainBlood wrote: | The point of this post is about how useful a package can be. |
It looked like the point was to gripe that the RDEPEND for app-admin/checksec was not perfect out of the box. I'm not involved with this package, but I've had USE=pcre on my grep for years, so if I were the one testing this, I would have missed this in simple run testing. Only an inspection of every invocation of grep in the package would have flagged it.
CaptainBlood wrote: | Code: | grep: Perl matching not supported in a --disable-perl-regexp build | |
Yes, that looks like grep's error message for using -P when PCRE support is missing. However, you did not show how checksec reached that point. Is it a failure to build? A failure to run? If the latter, with what options?
CaptainBlood wrote: | And no I won't open a bug report for an untested keyworded ebuild, sorry. |
Then no one will notice that this has a problem, and it will not get better. If you don't want to report bugs, you should be prepared for bugs to linger in packages that you use.
CaptainBlood wrote: | The rest is a side effect of upstream organization.
Plz feel free 2 turn to the ones in charge, if any. |
I don't understand this. I'm trying to get you to contribute to the community instead of just complaining that someone missed a dependency (which, per above, I would have missed if I were the tester and only checked that it ran correctly).
CaptainBlood wrote: | Code: | 2024-07-13T20:27:39 >>> app-admin/checksec: 1′39″ | Maybe this will encourage you to do a less than 5 mn testing, and hopefully do the reporting. |
I have no use for this package. I don't know how you provoked the error. My grep won't fail with it, because I have USE=pcre. Therefore, no, it will not encourage me. You are already set up to file the report, you know how to make it fail, and you seem to care about whether this is right. Therefore, it seems to me like you are better positioned to make the report, and to answer any follow-up questions about it. |
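Added example, not part of the thread and not code from checksec or its ebuild: one way to do the inspection of every grep invocation that the post above describes, listing the call sites that ask for Perl matching and probing whether the local grep accepts -P. The function names and the sample script are constructed for illustration; only its -E line is taken from the thread.

```shell
#!/bin/sh
# Added example: names, sample script and messages are constructed for illustration.

# Print "LINE:TEXT" for each non-comment line that calls grep with -P
# (alone or in a cluster such as -oP) or --perl-regexp. Uses only -E itself.
find_pcre_greps() {
    grep -nE '(^|[^[:alnum:]_-])grep([[:space:]]+-[[:alnum:]=-]+)*[[:space:]]+(-[[:alpha:]]*P[[:alpha:]]*|--perl-regexp)([[:space:]]|$)' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#'
}

# Succeed only if the installed grep was built with PCRE support.
# Without it, grep exits 2 with the "Perl matching not supported" error.
grep_has_pcre() {
    printf 'a1\n' | grep -qP 'a\d' 2>/dev/null
}

# Report the PCRE call sites in a script; return 1 if they cannot work here.
audit_script() {
    hits=$(find_pcre_greps "$1") || true
    if [ -z "$hits" ]; then
        echo "$1: no grep -P call sites"
        return 0
    fi
    printf '%s\n' "$hits"
    if grep_has_pcre; then
        echo "$1: local grep accepts -P"
    else
        echo "$1: needs grep built with PCRE (sys-apps/grep[pcre] on Gentoo)"
        return 1
    fi
}

# Constructed sample: line 2 is the -E call quoted in the thread, the rest is made up.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
coreValue=$(grep -Exic "hard[[:blank:]]+core[[:blank:]]+0" /etc/security/limits.conf)
ver=$(uname -r | grep -oP '^\d+\.\d+')
# grep -P 'commented out'
readelf -s "$1" | grep -q --perl-regexp '__stack_chk_(fail|guard)'
EOF
    echo "$f"
}

sample=$(make_sample)
audit_script "$sample" || echo "=> runtime dependency not satisfied on this host"
rm -f "$sample"
```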
|
|
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3858
|
Posted: Sun Jul 14, 2024 5:59 am Post subject: |
|
|
Code: | grep "\-E" /usr/bin/checksec
coreValue=$(grep -Exic "hard[[:blank:]]+core[[:blank:]]+0" /etc/security/limits.conf)
coreValueDefault=$(grep -Exic "\*[[:blank:]]+hard[[:blank:]]+core[[:blank:]]+0" /etc/security/limits.conf)
if ${readelf} -s "${use_dynamic}" "${1}" 2> /dev/null | grep " UND " | grep -Eq '__stack_chk_fail|__stack_chk_guard|__intel_security_cookie'; then
#if $readelf -s "$1" 2>/dev/null | grep -Eq '\.cfi'; then
if $readelf -s "${use_dynamic}" "$1" 2> /dev/null | grep -Eq '__safestack_init'; then
if ${readelf} -s "${1}/exe" 2> /dev/null | grep " UND " | grep -Eq '__stack_chk_fail|__stack_chk_guard|__intel_security_cookie'; then
#if $readelf -s "$1" 2>/dev/null | grep -Eq '\.cfi'; then
if $readelf -s "$1/exe" 2> /dev/null | grep -Eq '__safestack_init'; then
|
Changelog isn't clear about this new requirement, starting with app-admin/checksec-2.7.0 though.
Thks 4 ur attention, interest & support. |
|