weak implementation of threads has problems - kse fix attached
Dan Nelson
dnelson at allantgroup.com
Tue Jun 8 15:45:12 GMT 2004
In the last episode (Jun 08), Kris Kennaway said:
> On Mon, Jun 07, 2004 at 11:48:45PM -0500, Dan Nelson wrote:
> > In the last episode (Jun 08), Daniel Eischen said:
> > > No, I don't want to litter all our thread libraries with strong
> > > references. As I've said before, build your shared libraries
> > > correctly so they don't bring in the threads library.
> >
> > A good addition to bsd.port.mk, right next to the "possible network
> > server" etc checks, might be to run ldd on all installed shared
> > libraries and print a warning if any threads libraries show up. There
> > are a huge number of ports that install shlibs linked to libpthreads.
>
> Some of these are probably correct, in that the library started using
> libpthreads internally and there are a large number of clients that
> would otherwise need to be changed to link to that library.

I don't think you can have it both ways, though. The rule is either
"pthreads-using shared libraries should pull in a pthreads lib
themselves" or "programs wanting to link to pthreads-using shared
libraries should link with a pthreads lib".

Attached are patches to add this check to the security-check target.
Ideally they would be checked separately or flagged as something other
than security problems, but that would require copying
security-check.awk and a larger diff..
--
Dan Nelson
dnelson at allantgroup.com
-------------- next part --------------
Index: Mk/bsd.port.mk
===================================================================
RCS file: /home/ncvs/ports/Mk/bsd.port.mk,v
retrieving revision 1.490
diff -u -r1.490 bsd.port.mk
--- Mk/bsd.port.mk 31 May 2004 18:07:57 -0000 1.490
+++ Mk/bsd.port.mk 8 Jun 2004 14:59:04 -0000
@@ -3334,10 +3334,11 @@
# 1. setugid files
# 2. accept()/recvfrom() which indicates network listening capability
# 3. insecure functions (gets/mktemp/tempnam/[XXX])
-# 4. startup scripts, in conjunction with 2.
-# 5. world-writable files/dirs
+# 4. shared libs linked directly to pthreads libs
+# 5. startup scripts, in conjunction with 2.
+# 6. world-writable files/dirs
#
- -@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump; \
+ -@${RM} -f ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd; \
${AWK} -v prefix='${PREFIX}' ' \
match($$0, /^@cwd /) { prefix = substr($$0, RSTART + RLENGTH); next; } \
/^@/ { next; } \
@@ -3351,9 +3352,12 @@
${TR} '\n' '\0' < ${WRKDIR}/.PLIST.flattened \
| ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
| ${XARGS} -0 -n 1 /usr/bin/objdump -R 2> /dev/null > ${WRKDIR}/.PLIST.objdump; \
+ ${GREP} '\.so' < ${WRKDIR}/.PLIST.flattened | ${TR} '\n' '\0' \
+ | ${XARGS} -0 -J % ${FIND} % -prune ! -type l -type f -print0 2> /dev/null \
+ | ${XARGS} -0 -n 1 /usr/bin/ldd -a 2> /dev/null > ${WRKDIR}/.PLIST.ldd; \
if \
! ${AWK} -v audit="$${PORTS_AUDIT}" -f ${PORTSDIR}/Tools/scripts/security-check.awk \
- ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
+ ${WRKDIR}/.PLIST.flattened ${WRKDIR}/.PLIST.objdump ${WRKDIR}/.PLIST.ldd ${WRKDIR}/.PLIST.setuid ${WRKDIR}/.PLIST.writable; \
then \
www_site=$$(cd ${.CURDIR} && ${MAKE} ${__softMAKEFLAGS} www-site); \
if [ ! -z "$${www_site}" ]; then \
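Review bot: The `${GREP} '\.so'` filter in the new ldd pipeline is unanchored, so it selects any plist path that merely contains ".so" (a `.sock` file, a compressed `.so.1.gz` entry, a directory component), and each of those is handed to `ldd -a` with errors hidden by `2> /dev/null`. Anchor it to shared-object names, for example `${GREP} -E '\.so(\.[0-9]+)*$'`, so only libraries are examined. Since `-a` asks ldd to report needed objects per loaded object, the output can also contain sections for libraries this port did not install; the awk side should record an entry only when its header path is one of the port's own files.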
Index: Tools/scripts/security-check.awk
===================================================================
RCS file: /home/ncvs/ports/Tools/scripts/security-check.awk,v
retrieving revision 1.1
diff -u -r1.1 security-check.awk
--- Tools/scripts/security-check.awk 19 Jan 2004 22:19:00 -0000 1.1
+++ Tools/scripts/security-check.awk 8 Jun 2004 14:38:09 -0000
@@ -9,6 +9,7 @@
split("", setuid_binaries);
split("", writable_files);
split("", startup_scripts);
+ split("", pthreads_libs);
header_printed = 0;
}
FILENAME ~ /\.flattened$/ {
@@ -18,7 +19,6 @@
FILENAME ~ /\.objdump$/ {
if (match($0, /: +file format [^ ]+$/)) {
file = substr($0, 1, RSTART - 1);
- stupid_functions = "";
next;
}
if (file == "")
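Review bot: Dropping `stupid_functions = "";` from the objdump header branch is unrelated to the pthreads check and is not mentioned in the message. Split it into its own change, or state why the reset is dead after confirming that nothing later in the script reads `stupid_functions` per file.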
@@ -29,6 +29,16 @@
if ($3 ~ /^(accept|recvfrom)$/)
network_binaries[file] = 1;
}
+FILENAME ~ /\.ldd$/ {
+ if (match($0, /:$/)) {
+ file = substr($0, 1, RSTART - 1);
+ next;
+ }
+ if (file == "")
+ next;
+ if ($1 ~ /^(libc_r|libpthread|libthr).so/)
+ pthreads_libs[file] = $3;
+}
FILENAME ~ /\.setuid$/ { setuid_binaries[$0] = 1; }
FILENAME ~ /\.writable$/ { writable_files[$0] = 1; }
function print_header() {
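Review bot: In the new `.ldd` block the `file == ""` guard does not protect against a stale value, because `file` is the same global that the `.objdump` block sets, and it still holds the last objdump path when the first `.ldd` line is read. Reset it when a new input file starts (for example `FNR == 1 { file = ""; }`) or use a separate variable for the ldd section. The match `/^(libc_r|libpthread|libthr).so/` also leaves the dot unescaped, so it accepts any character in that position; `\.so` is what is meant.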
@@ -79,6 +89,20 @@
if (note_printed)
print "";
}
+
+ note_printed = 0;
+ for (file in pthreads_libs) {
+ if (!note_printed) {
+ print_header();
+ print " This port has installed the following shared libraries which are";
+ print " incorrectly linked to a pthreads shared library.";
+ note_printed = 1;
+ }
+ printf "%s (linked to %s)\n", file, pthreads_libs[file];
+ }
+ if (note_printed)
+ print "";
+
note_printed = 0;
for (file in writable_files) {
if (!note_printed) {
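Review bot: The report text says the libraries are "incorrectly linked", but the check only establishes that a library names libc_r, libpthread or libthr as a dependency, and the thread itself notes that some of these links are probably correct. Word it as something to review, e.g. "which are linked directly to a pthreads shared library", so the security-check output does not present a linkage-policy warning as a confirmed defect.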