Accepting request 122359 from devel:openSUSE:Factory:rpmlint

- add check for pam modules (fate#313077)

OBS-URL: https://build.opensuse.org/request/show/122359
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=161
Stephan Kulow 2012-05-26 07:28:21 +00:00 committed by Git OBS Bridge
commit 37010e10c5
4 changed files with 171 additions and 0 deletions

49
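--- a/CheckPAMModules.py
+++ b/CheckPAMModules.py
@@ -0,0 +1,49 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckPAMModules.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for pam modules that are not authorized by the security team
+#############################################################################
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ()) # set of file names
+pam_module_re = re.compile('^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$')
+class PAMModulesCheck(AbstractCheck.AbstractCheck):
+def __init__(self):
+AbstractCheck.AbstractCheck.__init__(self, "CheckPAMModules")
+def check(self, pkg):
+global PAM_WHITELIST
+if pkg.isSource():
+return
+files = pkg.files()
+for f in files:
+if f in pkg.ghostFiles():
+continue
+m = pam_module_re.match(f)
+if m:
+bn = m.groups()[0]
+if not bn in PAM_WHITELIST:
+printError(pkg, "suse-pam-unauthorized-module", bn)
+check=PAMModulesCheck()
+if Config.info:
+addDetails(
+'suse-pam-unauthorized-module',
+"""The package installs a PAM module. If the package
+is intended for inclusion in any SUSE product please open a bug
+report to request review of the service by the security team.""",
+)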
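Review bot: The whitelist test in `check()` (`if not bn in PAM_WHITELIST:`) compares only the file's basename, so what is authorised is a file name rather than the reviewed package: any package that installs a file with a whitelisted name under `/lib*/security` passes without a finding. The config section of this commit already lists `pam_ldap.so` for two different packages, which shows that names are shared in practice. Consider keying the entries on package and module, e.g. `if (pkg.name, bn) not in PAM_WHITELIST:` with matching tuples in `PAMModules.WhiteList` (assuming `pkg.name` is the binary package name here), or at least stating the limitation in a comment next to `PAM_WHITELIST`. Separately, the details text says "review of the service", which looks carried over from another check and would read better as "review of the module".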

115
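--- a/config
+++ b/config
@@ -38,6 +38,7 @@ addCheck("CheckAlternativesGhostFiles")
 addCheck("BashismsCheck")
 addCheck("CheckBuildDate")
 addCheck("CheckLogrotate")
+addCheck("CheckPAMModules")
 # stuff autobuild takes care about
 addFilter(".*invalid-version.*")
@@ -497,6 +498,120 @@ setOption("DBUSServices.WhiteList", (
 "de.berlios.smb4k.mounthelper.service",
 ))
+setOption("PAMModules.WhiteList", (
+# pam_p11
+"pam_p11_opensc.so",
+"pam_p11_openssh.so",
+# pam_krb5
+"pam_krb5.so",
+"pam_krb5afs.so",
+# ecryptfs-utils
+"pam_ecryptfs.so",
+# gnome-keyring-pam
+"pam_gnome_keyring.so",
+# pwdutils-rpasswd
+"pam_rpasswd.so",
+# samba-winbind
+"pam_winbind.so",
+# pam-modules
+"pam_homecheck.so",
+"pam_pwcheck.so",
+"pam_unix2.so",
+# pam_smb
+"pam_smb_auth.so",
+# ConsoleKit
+"pam_ck_connector.so",
+# pam_ssh
+"pam_ssh.so",
+# libcgroup1
+"pam_cgroup.so",
+# pam_fprint
+"pam_fprint.so",
+# pam_mount
+"pam_mount.so",
+# pam_ccreds
+"pam_ccreds.so",
+# pam_radius
+"pam_radius_auth.so",
+# pam_pkcs11
+"pam_pkcs11.so",
+# nss-pam-ldapd
+"pam_ldap.so",
+# pam_passwdqc
+"pam_passwdqc.so",
+# pam_userpass
+"pam_userpass.so",
+# pam_apparmor
+"pam_apparmor.so",
+# pam_ldap
+"pam_ldap.so",
+# cryptconfig
+"pam_cryptpass.so",
+# opie
+"pam_opie.so",
+# pam
+"pam_access.so",
+"pam_cracklib.so",
+"pam_debug.so",
+"pam_deny.so",
+"pam_echo.so",
+"pam_env.so",
+"pam_exec.so",
+"pam_faildelay.so",
+"pam_filter.so",
+"pam_ftp.so",
+"pam_group.so",
+"pam_issue.so",
+"pam_keyinit.so",
+"pam_lastlog.so",
+"pam_limits.so",
+"pam_listfile.so",
+"pam_localuser.so",
+"pam_loginuid.so",
+"pam_mail.so",
+"pam_mkhomedir.so",
+"pam_motd.so",
+"pam_namespace.so",
+"pam_nologin.so",
+"pam_permit.so",
+"pam_pwhistory.so",
+"pam_rhosts.so",
+"pam_rootok.so",
+"pam_securetty.so",
+"pam_selinux.so",
+"pam_sepermit.so",
+"pam_shells.so",
+"pam_stress.so",
+"pam_succeed_if.so",
+"pam_tally.so",
+"pam_tally2.so",
+"pam_time.so",
+"pam_timestamp.so",
+"pam_tty_audit.so",
+"pam_umask.so",
+"pam_unix.so",
+"pam_unix_acct.so",
+"pam_unix_auth.so",
+"pam_unix_passwd.so",
+"pam_unix_session.so",
+"pam_userdb.so",
+"pam_warn.so",
+"pam_wheel.so",
+"pam_xauth.so",
+# systemd
+"pam_systemd.so",
+# sssd
+"pam_sss.so",
+# pam_mktemp
+"pam_mktemp.so",
+# pam_csync
+"pam_csync.so",
+# samba
+"pam_smbpass.so",
+# pam_chroot
+"pam_chroot.so",
+))
 # Output filters
 addFilter(".*spurious-bracket-in-.*")
 addFilter(".*one-line-command-in-.*")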
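Review bot: `"pam_ldap.so"` appears twice in `PAMModules.WhiteList`, once under `# nss-pam-ldapd` and once under `# pam_ldap`, and the option has no comment saying what an entry stands for. The repeat does not change the membership test, but it can leave a maintainer thinking the per-package comments take part in the authorisation. A header comment above the option would settle that, for example `# File names of PAM modules reviewed by the security team; package comments are informational only.` Merging the two entries under one comment (`# nss-pam-ldapd, pam_ldap`) would also keep the list free of repeats.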


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Wed May 23 12:43:40 UTC 2012 - lnussel@suse.de
- add check for pam modules (fate#313077)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 15 14:33:01 UTC 2012 - lnussel@suse.de Tue May 15 14:33:01 UTC 2012 - lnussel@suse.de


@ -54,6 +54,7 @@ Source23: CheckBuildDate.py
Source24: pie.config Source24: pie.config
Source25: licenses.config Source25: licenses.config
Source26: CheckLogrotate.py Source26: CheckLogrotate.py
Source27: CheckPAMModules.py
Source100: syntax-validator.py Source100: syntax-validator.py
Url: http://rpmlint.zarb.org/ Url: http://rpmlint.zarb.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -236,6 +237,7 @@ cp -p %{SOURCE21} .
cp -p %{SOURCE22} . cp -p %{SOURCE22} .
cp -p %{SOURCE23} . cp -p %{SOURCE23} .
cp -p %{SOURCE26} . cp -p %{SOURCE26} .
cp -p %{SOURCE27} .
%build %build
make %{?_smp_mflags} make %{?_smp_mflags}