TIP: Keep an mtree of your ports directory


Mel_Flynn
March 7th, 2009, 06:30
Inspired by this thread (http://forums.freebsd.org/showthread.php?t=2659) I came up with a small modification to bsd.local.mk that will automatically keep an mtree database of your ports tree. Especially useful for jails, where installed software is small.

In the 'bsd.port.post.mk' section of /usr/ports/Mk/bsd.local.mk add:

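# Name the database after PREFIX: drop the leading slash, then turn the
# remaining slashes into underscores (/usr/local -> ports.usr_local.dist).
PORTS_MTREE_DB?=/var/db/ports.${PREFIX:S,^/,,:S,/,_,g}.dist
.ORDER: post-install-local security-check

security-check: post-install-local

# Record owner, group and mode of everything under PREFIX after each install.
post-install-local:
	@${ECHO_MSG} "===> Saving mtree database...to ${PORTS_MTREE_DB}"
	@mtree -c -i -n -k uname,gname,mode,nochange -p ${PREFIX} > ${PORTS_MTREE_DB}
	@${ECHO_MSG} "===> Done"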


Then add USE_LOCAL_MK=yes to /etc/make.conf.

This will save an mtree(8) after each installation (or upgrade).
When you know your permissions are tampered with (either by EDOOFUS, ECHILD or EBADPERSON), run:

mtree -ue -f /var/db/ports.usr_local.dist -p /usr/local


When you want to check, without correcting, run:

mtree -e -f /var/db/ports.usr_local.dist -p /usr/local


You can omit -e if you would like to see which files were added since you last installed software.

Note that if you use portsnap, bsd.local.mk will be restored to its original version. When using cvsup/csup, you can add it to the refuse files. See the manpage for details.
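
Added example, not part of the original post: a small sh wrapper around the check-only command above, suitable for cron, that turns mtree's exit status into a report. The names audit_prefix and MTREE and the message wording are assumptions of this example; the spec path and prefix are the ones used in the post.

```sh
#!/bin/sh
# Added example: report-only drift check against the saved mtree spec.
# audit_prefix and MTREE are names made up for this example.
# The spec from the tip records only uname, gname and mode, so this reports
# ownership/permission drift, not changes to file contents.

MTREE=${MTREE:-mtree}

# audit_prefix SPEC PREFIX
# Returns 0 if the tree matches, 2 if it differs, 1 if the check could not run.
audit_prefix() {
    ap_spec=$1
    ap_prefix=$2
    if [ ! -r "$ap_spec" ]; then
        echo "mtree-audit: cannot read spec $ap_spec" >&2
        return 1
    fi
    # Check-only form from the post (no -u): nothing under PREFIX is modified.
    ap_report=$("$MTREE" -e -f "$ap_spec" -p "$ap_prefix" 2>&1) && ap_rc=0 || ap_rc=$?
    case $ap_rc in
        0)  echo "mtree-audit: $ap_prefix matches $ap_spec" ;;
        2)  # mtree(8) exits 2 when the hierarchy does not match the spec
            echo "mtree-audit: $ap_prefix differs from $ap_spec:"
            printf '%s\n' "$ap_report" | sed 's/^/    /' ;;
        *)  echo "mtree-audit: mtree failed with exit $ap_rc" >&2
            printf '%s\n' "$ap_report" >&2
            ap_rc=1 ;;
    esac
    return "$ap_rc"
}

# Run directly, e.g. from cron:
#   mtree-audit.sh /var/db/ports.usr_local.dist /usr/local
if [ "$#" -eq 2 ]; then
    audit_prefix "$1" "$2"
    exit $?
fi
```

Because the spec lives in /var/db on the same host, anyone who can write there can also rewrite the baseline; keep a copy elsewhere if the check is meant to catch more than accidents.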

crsd
March 7th, 2009, 07:37
Note that if you use portsnap, bsd.local.mk will be restored to its original version. When using cvsup/csup, you can add it to the refuse files. See the manpage for details.

Maybe it's worth submitting a PR? :)