From: Andrew Hewus Fresh
Subject: Ignore setuid changes for relinked files in security(8)
To: tech@openbsd.org
Date: Tue, 4 Jun 2024 18:48:12 -0700

Someone (florian@) noticed that security(8) complains every time about ssh-agent changing any time you reboot.

This patch stops complaining about setuid files that have an entry in /usr/share/relink and lets folks know that we're ignoring it when it is removed.

Suggestions on wording of the message (or if it should exist) welcome.

Are the setuid changes actually useful to check still? Should we remove that whole feature?

Comments, improvements, OK?

Index: security =================================================================== RCS file: /cvs/src/libexec/security/security,v retrieving revision 1.42 diff -u -p -r1.42 security --- security 5 Mar 2024 18:54:29 -0000 1.42 +++ security 5 Jun 2024 01:39:47 -0000 @@ -30,6 +30,7 @@ require File::Find; use constant { BACKUP_DIR => '/var/backups/', + RELINK_DIR => '/usr/share/relink/', }; $ENV{PATH} = '/bin:/usr/bin:/sbin:/usr/sbin'; @@ -574,6 +575,7 @@ sub find_special_files { # SUID/SGID files my $file = {}; if (-f _ && $mode & (S_ISUID | S_ISGID)) { + return if -e RELINK_DIR . $_; $setuid_files->{$File::Find::name} = $file; $uudecode_is_setuid = 1 if basename($_) eq 'uudecode'; @@ -660,6 +662,9 @@ sub check_filelist { push @{$changed{additions}}, [ @{$files->{$f}}{@fields}, $f ]; } foreach my $f (sort keys %current) { + nag $mode eq 'setuid' && -e RELINK_DIR . $f, + "$f is relinked at boot, ignoring" + and next; push @{$changed{deletions}}, [ @{$current{$f}}{@fields}, $f ]; };
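Review bot: in the find_special_files hunk, `return if -e RELINK_DIR . $_;` runs a fresh stat, so after it the `_` filehandle that `-f _` relied on just above describes the relink path (a failed stat when no relink entry exists), not the file being examined; any later filetest on `_` in this function would then give the wrong answer. Compute the relink test into a variable before the `-f _` line, or re-stat the file after the early return. The line also assumes `$_` holds the full path under / (consistent with the nearby `basename($_)`); a short comment saying so, and saying that only the existence of a relink entry is checked rather than whether a relink actually happened, would make the intent clear to the next reader.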
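Review bot: in the check_filelist hunk, the suppression fires for every setuid entry that vanished from the list and has a relink directory, whatever the reason it vanished: `-e RELINK_DIR . $f` only proves the relink directory exists, so a setuid bit genuinely stripped from, or a binary removed at, a relinkable path would be reported as "relinked at boot, ignoring" instead of as a deletion. If that trade-off is intended, say so in the message (for example "has a relink entry, no longer tracked"); otherwise compare the file's current mode before skipping. Minor: with the trailing slash in RELINK_DIR and the leading slash in `$f` the tested path is /usr/share/relink//usr/..., which works but reads oddly, and the same double slash appears in the find_special_files hunk if `$_` is a full path.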