I consider this a bug in security(8).
The following is the best i could come up with so far; make sure
to wear your sed-peril-proof sunglasses before reading the patch.
This still mangles the file name, but at least you have a chance
to find it on your disk. Anybody has a better plan?
I already told Marcus on misc to mount that one -o nodev,noexec
and use SUIDSKIP; but that's rather a workaround than a fix.
On misc@, MERIGHI Marcus wrote on Wed, Dec 29, 2010 at 07:43:08PM +0100:
> security(8) reports
> ``/home/XXX/Daten/Edv/macs/macs-home/Library/Application''
> as ``Setuid additions:'' where the real file name is
> ``/home/XXX/Daten/Edv/macs/macs-home/Library/Application Support/\
> ProxyOnOff/proxyOnOffTool''
>
> I have found the source of the wrong file name report to be in line 437
> of /etc/security:
> ``egrep -av '^[bc]' $LIST | join -o $FIELDS2 -110 -210 -v2 \
> /dev/null - > $TMP1'',
>
> with join having space (and tab) characters as field separators and thus
> ignoring after first space characters found in field 10.
>
> No quick fix that comes to my mind, using -t to join(1) would help only
> if the output of ls(1) in line 430 would be changed to not contain space
> characters as output separators.
>
> Is this known and if yes, would a patch to the man page be accepted?
>
> And no, I do not use space characters voluntarily in file names. It is a
> back up of an osx system.
--- security Wed Jun 3 11:06:07 2009
+++ /etc/security Wed Dec 29 15:56:37 2010
@@ -427,7 +427,9 @@
\) -a -prune -o \
-type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \
- -print0 | xargs -0 -r ls -ldgT | sort +9 > $LIST
+ -print0 | xargs -0 -r ls -ldgT | \
+ sed 'h;s,[^/]*,,;s,[[:blank:]],_,g;x;s,/.*,,;G;s/\n//' | \
+ sort +9 > $LIST
)
# Display any changes in the setuid/setgid file list.