From 7af694c9add866277a9c7867a9520784f76c2fa0 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Thu, 25 Sep 2014 07:34:57 +0000
Subject: abuild: check for suid binaries

Rais an error when binaries with suid bit set found. You need set options="suid" to allow it.
---
 abuild.in | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'abuild.in')

diff --git a/abuild.in b/abuild.in
index 724ec8a..89147b4 100644
--- a/abuild.in
+++ b/abuild.in
@@ -634,7 +634,7 @@ postcheck() {
 warning "World writeable directories found:"
 echo "$i"
 fi
- # check so we dont have any suid root binaries that are not
+ # check so we dont have any suid root binaries that are not PIE
 i=$(find "$dir" -type f -perm +6000 \
 | xargs scanelf --nobanner --etype ET_EXEC \
 | sed "s|ET_EXEC $dir|\t|")
@@ -643,6 +643,17 @@ postcheck() {
 echo "$i"
 return 1
 fi
+ # test suid bit on executable
+ if ! options_has "suid"; then
+ i=$(find "$dir" \( -perm -u+s -o -perm -g+s \) -a -type f \ -a -perm -o+x)
+ if [ -n "$i" ]; then
+ error "Found executable files with SUID bit set:"
+ echo "$i"
+ return 1
+ fi
+ fi
+
 # test for textrels
 if ! options_has "textrels"; then
 local res="$(scanelf --recursive --textrel --quiet "$dir")"
--
cgit v1.2.3-60-g2f50
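Review bot: The new suid check in the second hunk only flags files that are world-executable (`-a -perm -o+x`), so a setuid or setgid file with a mode like 4750 or 2750 — executable by owner and group but not by others — passes silently even though group members can still run it with elevated privileges. If the intent is to catch any executable setuid/setgid file, widen the trailing clause to any execute bit: `-a \( -perm -u+x -o -perm -g+x -o -perm -o+x \))`. The error text also says only `SUID`, although the `-perm -g+s` alternative makes the find match setgid files too; `error "Found executable files with SUID/SGID bit set:"` would describe what is actually tested. In this rendering the continuation line `-a -perm -o+x)` appears to have lost its `+` marker, which is presumably an artifact of the page rather than of the patch. The enclosing `postcheck()` starts and ends outside the hunk.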