From c5d0954bd6baeddabc855fdc7c3cecbb70a4d570 Mon Sep 17 00:00:00 2001
From: afresh1
Date: Sun, 9 Jun 2024 18:31:17 +0000
Subject: [PATCH] Silently ignore setuid changes in relinked binaries

If these files are being relinked at reboot, this causes false positives and alert fatigue.

Prompted by florian@
Feedback from millert@ and deraadt@
---
 libexec/security/security | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libexec/security/security b/libexec/security/security
index 12ae7d631c3..0c1206a20a0 100644
--- a/libexec/security/security
+++ b/libexec/security/security
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -T
-# $OpenBSD: security,v 1.42 2024/03/05 18:54:29 kn Exp $
+# $OpenBSD: security,v 1.43 2024/06/09 18:31:17 afresh1 Exp $
 #
 # Copyright (c) 2011, 2012, 2014, 2015 Ingo Schwarze
 # Copyright (c) 2011 Andrew Fresh
@@ -30,6 +30,7 @@ require File::Find;
 use constant {
 BACKUP_DIR => '/var/backups/',
+ RELINK_DIR => '/usr/share/relink/',
 };
 $ENV{PATH} = '/bin:/usr/bin:/sbin:/usr/sbin';
@@ -574,6 +575,7 @@ sub find_special_files {
 # SUID/SGID files
 my $file = {};
 if (-f _ && $mode & (S_ISUID | S_ISGID)) {
+ return if -e RELINK_DIR . $_;
 $setuid_files->{$File::Find::name} = $file;
 $uudecode_is_setuid = 1 if basename($_) eq 'uudecode';
@@ -660,6 +662,7 @@ sub check_filelist {
 push @{$changed{additions}}, [ @{$files->{$f}}{@fields}, $f ];
 }
 foreach my $f (sort keys %current) {
+ next if $mode eq 'setuid' && -e RELINK_DIR . $f;
 push @{$changed{deletions}}, [ @{$current{$f}}{@fields}, $f ];
 };
--
2.20.1
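Review bot: `return if -e RELINK_DIR . $_;` performs a new file test between the stat that filled the `_` buffer (the `-f _` on the line above reads it) and the rest of the callback, so from this line on `-X _` no longer describes the file being visited — when the relink lookup fails, Perl's last-stat state is that failed stat and any later `-X _` yields undef. The two lines shown after it do not use `_`, but find_special_files continues past the hunk; if anything later in the callback still relies on `_`, take the lookup into a lexical before the stat (`my $relinked = -e RELINK_DIR . $_;` at the top of the callback, then `return if $relinked;` here). The lookup also assumes `$_` is the absolute path, i.e. that find() runs with `no_chdir`; the neighbouring `basename($_)` suggests it does, but if it does not, the test matches on basename alone and would skip any setuid file that merely shares a name with a relink entry, wherever it lives — `$File::Find::name`, which the next line already uses as the key, avoids that ambiguity either way. A one-line why-comment would save the next reader a trip to the commit log: `# relinked at boot, so checksums change every reboot; not tracked`.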
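Review bot: `next if $mode eq 'setuid' && -e RELINK_DIR . $f;` suppresses the deletion report for every tracked field of a relinked setuid file, not only the checksum that legitimately changes at relink time: since find_special_files now never records these files, an owner or mode change on one of them (if `@fields` carries those columns — not visible in the hunk) is also never reported, and excluding only the checksum column from comparison would keep that coverage while still curing the false positives. The decision is also made from the current contents of /usr/share/relink/, so a file removed from disk in the same window in which its relink entry disappears is reported as deleted, while one whose relink entry persists is never reported; whether the backup list is rewritten from `$files` each run, making the first case a one-off, is outside the hunk. Presumably `$f` is an absolute path here, so with RELINK_DIR keeping its trailing slash the lookup becomes `/usr/share/relink//usr/bin/foo` (made-up example); harmless on POSIX but worth a comment, e.g. `# relinked binaries are no longer collected by find_special_files; don't report them as deleted`. check_filelist starts before the hunk.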