Inspired by this thread I came up with a small modification to bsd.local.mk that will automatically keep an mtree database of your ports tree. Especially useful for jails, where installed software is small.
In the 'bsd.port.post.mk' section of /usr/ports/Mk/bsd.local.mk add:
Code:
PORTS_MTREE_DB?=/var/db/ports.${PREFIX:S/\//_/g}.dist
.ORDER: post-install-local security-check
security-check: post-install-local
post-install-local:
	@${ECHO_MSG} "===> Saving mtree database...to ${PORTS_MTREE_DB}"
	@mtree -c -i -n -k uname,gname,mode,nochange -p ${PREFIX} > ${PORTS_MTREE_DB}
	@${ECHO_MSG} "===> Done"
Then add USE_LOCAL_MK=yes to /etc/make.conf.
This will save an mtree(8) after each installation (or upgrade).
When you know your permissions are tampered with (either by EDOOFUS, ECHILD or EBADPERSON), run:
Code:
mtree -ue -f /var/db/ports.usr_local.dist -p /usr/local
When you want to check, without correcting, run:
Code:
mtree -e -f /var/db/ports.usr_local.dist -p /usr/local
You can omit -e if you would like to see which files were added since you last installed software.
Note that if you use portsnap, bsd.local.mk will be restored to its original version. When using cvsup/csup, you can add it to the refuse files. See the manpage for details.
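To make the check and repair cycle above concrete, here is an added Python stand-in for the mtree parts this post relies on; it is not the poster's script and does not call mtree(8) itself. It records owner, group and mode for a tree, compares the tree against that record with and without the -e behaviour of ignoring added files, and puts recorded modes back the way -u would. The temporary tree and its file names are constructed for the demo.

```python
import os, stat, tempfile

def snapshot(root):
    """Record uid, gid and mode per entry, like mtree -c -k uname,gname,mode (ids here, names there)."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            spec[os.path.relpath(full, root)] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return spec

def check(root, spec, ignore_extra=True):
    """Compare the tree against spec; ignore_extra=True mirrors mtree -e (added files not reported)."""
    current, findings = snapshot(root), []
    for rel, (uid, gid, mode) in spec.items():
        if rel not in current:
            findings.append((rel, "missing"))
            continue
        cu, cg, cm = current[rel]
        if (cu, cg) != (uid, gid):
            findings.append((rel, f"owner {uid}:{gid} -> {cu}:{cg}"))
        if cm != mode:
            findings.append((rel, f"mode {mode:o} -> {cm:o}"))
    if not ignore_extra:  # without -e, files added since the snapshot show up too
        findings.extend((rel, "extra") for rel in current if rel not in spec)
    return findings

def repair(root, spec):
    """Put recorded modes back, as mtree -u does (ownership is left alone: chown needs root)."""
    for rel, (_, _, mode) in spec.items():
        full = os.path.join(root, rel)
        if os.path.lexists(full) and not os.path.islink(full):
            os.chmod(full, mode)

def demo():
    # Constructed scenario: snapshot a tree, tamper with it, check with and without -e, repair.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    tool = os.path.join(root, "bin", "tool")
    open(tool, "w").close()
    os.chmod(tool, 0o755)
    spec = snapshot(root)
    os.chmod(tool, 0o777)                                    # tampering: now world-writable
    open(os.path.join(root, "bin", "dropped"), "w").close()  # file added after the snapshot
    with_e, without_e = check(root, spec), check(root, spec, ignore_extra=False)
    repair(root, spec)
    return with_e, without_e, check(root, spec)
```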