This page details the analysis that was done to detect offending packages, i.e. packages that break the multiuser architecture through hardcoded single-user assumptions (paths, uids and similar).
Below we summarize the patterns matched by the offending packages and the bug information entered in Jira.
A tarball has been uploaded to Jira under PTF-3.
Log file names correspond to gerrit repository names, with these abbreviations:
- p for platform
- c for core
- a for app
How to reproduce
Regular expressions were run over the source code to detect hardcoded paths, uids, etc. The matches are only candidates: every hit must still be reviewed by hand, since e.g. the string "app" or a sqlite3 call is not a defect on its own.
To reproduce on a given project:
- clone the project (git clone ...)
- create a pattern.list file with the following content, one extended regular expression per line and without the indentation shown here (grep -f reads one pattern per line):
  \s5000[^0-9]
  /app/
  "app"
  'app'
  chown\s
  %attr\(.*app
  setuid\s*\(
  seteuid\s*\(
  sqlite3_open\s*\(
  sqlite3\s
  db_util_open\s*\(
  dbspace
  opt/usr
  opt/home
  etc/usr
- run the following grep command (-r recursive, -n with line numbers, -s without error messages for unreadable files, -E extended regular expressions, -f patterns read from the file; .git is skipped so that history and hooks do not produce hits):
grep --exclude-dir=.git -srn -E -f pattern.list <project_directory>
Note that \s in an extended regular expression is a GNU grep extension; with another grep implementation replace it by [[:space:]].
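The whole procedure, as an added example that is not part of the original page: a POSIX shell script that writes the pattern.list above, builds a small constructed sample project (the files main.c, clean.c, foo.spec and the .git hook are made up for the demonstration and are not real Tizen sources), and runs the same grep invocation so the reader can see which lines get flagged and that material under .git is skipped. The function and file names are the example's own choices.

```shell
#!/bin/sh
# Added example: reproduce the multiuser pattern scan on a constructed sample tree.
set -eu

# Write pattern.list exactly as given on the page, one extended regex per line.
write_pattern_list() {
    cat > "$1" <<'EOF'
\s5000[^0-9]
/app/
"app"
'app'
chown\s
%attr\(.*app
setuid\s*\(
seteuid\s*\(
sqlite3_open\s*\(
sqlite3\s
db_util_open\s*\(
dbspace
opt/usr
opt/home
etc/usr
EOF
}

# Constructed sample project (not real package sources): a source file with
# several hardcoded single-user assumptions, a clean source file, an RPM spec
# with an %attr owned by "app", and a file under .git that must be ignored.
make_sample_project() {
    mkdir -p "$1/src" "$1/packaging" "$1/.git"
    cat > "$1/src/main.c" <<'EOF'
#include <unistd.h>
#include <sqlite3.h>
int main(void) {
    setuid( 5000 );                 /* hardcoded app uid: two patterns hit */
    sqlite3 *db;
    sqlite3_open("/opt/usr/dbspace/.foo.db", &db);   /* hardcoded path + direct open */
    return 0;
}
EOF
    cat > "$1/src/clean.c" <<'EOF'
/* nothing suspicious here: uid comes from the environment */
int lookup_uid(void) { return 1; }
EOF
    cat > "$1/packaging/foo.spec" <<'EOF'
%files
%attr(755,app,app) /usr/bin/foo
EOF
    # Would match chown\s and opt/usr, but --exclude-dir=.git keeps it out.
    printf 'chown app:app /opt/usr/share\n' > "$1/.git/hook.sample"
}

# Run the page's grep command over a project directory with a pattern file.
# Prints file:line:text for every matching line; an empty result is not an error.
scan_project() {
    grep --exclude-dir=.git -srn -E -f "$2" "$1" || true
}

# Stand-alone run: everything lives under a temporary directory.
demo_dir=$(mktemp -d)
write_pattern_list "$demo_dir/pattern.list"
make_sample_project "$demo_dir/proj"
scan_project "$demo_dir/proj" "$demo_dir/pattern.list"
rm -rf "$demo_dir"
```

Running the script reports the three lines of main.c that contain setuid(5000), the sqlite3 handle declaration and the sqlite3_open of a path under /opt/usr/dbspace, plus the %attr line of the spec file; clean.c and the .git hook produce no output. Each flagged line appears once even when several patterns match it, which is why the uid line counts as a single hit.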