- add logrotate check (bnc#677335)

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=98
2012-02-20 16:06:38 +00:00 · 2012-02-20 16:06:38 +00:00 · 6213dc0a26
commit 6213dc0a26
parent adb67f230e
4 changed files with 104 additions and 0 deletions
--- a/CheckLogrotate.py
+++ b/CheckLogrotate.py
@ -0,0 +1,96 @@
+# vim:sw=4:et
+#############################################################################
+# File          : CheckLogrotate.py
+# Package       : rpmlint
+# Author        : Ludwig Nussel
+# Purpose       : Check for insecure logrotate directories
+#############################################################################
+
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+
+class LogrotateCheck(AbstractCheck.AbstractCheck):
+    def __init__(self):
+        AbstractCheck.AbstractCheck.__init__(self, "CheckLogrotate")
+
+    def check(self, pkg):
+        if pkg.isSource():
+            return
+
+        files = pkg.files()
+        dirs = {}
+
+        for f, pkgfile in files.items():
+            if f in pkg.ghostFiles():
+                continue
+
+            if f.startswith("/etc/logrotate.d/"):
+                try:
+                    for n, o in self.parselogrotateconf(pkg.dirName(), f).items():
+                        if n in dirs and dirs[n] != o:
+                            printError(pkg, "logrotate-duplicate", n)
+                        else:
+                            dirs[n] = o
+                except Exception, x:
+                    printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})
+
+        for d in sorted(dirs.keys()):
+            if not d in files:
+                if d != '/var/log':
+                    printError(pkg, 'suse-logrotate-log-dir-not-packaged', d)
+                continue
+            mode = files[d].mode&0777
+            if files[d].user != 'root' and (dirs[d] is None or dirs[d][0] != files[d].user):
+                printError(pkg, 'suse-logrotate-user-writable-log-dir', \
+                        "%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))
+            elif files[d].group != 'root' and mode&020 and (dirs[d] is None or dirs[d][1] != files[d].group):
+                    printError(pkg, 'suse-logrotate-user-writable-log-dir', \
+                        "%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))
+
+    # extremely primitive logrotate parser
+    def parselogrotateconf(self, root, f):
+        dirs = {}
+        fd = open('/'.join((root, f)))
+        currentdirs = []
+        for line in fd.readlines():
+            line = line.strip()
+            if line.startswith('#'):
+                continue
+            if not currentdirs:
+                if line.endswith('{'):
+                    insection = True
+                    for logfile in line.split(' '):
+                        if logfile == '{':
+                            continue
+                        dn = os.path.dirname(logfile)
+                        if not dn in dirs:
+                            currentdirs.append(dn)
+                            dirs[dn] = None
+            else:
+                if line.endswith('}'):
+                    currentdirs = []
+                elif line.startswith("su "):
+                    a = line.split(" ")
+                    for dn in currentdirs:
+                        dirs[dn] = (a[1], a[2])
+        return dirs
+
+
+check=LogrotateCheck()
+
+if Config.info:
+    addDetails(
+'suse-logrotate-duplicate',
+"""There are dupliated logrotate entries with different settings for
+the specified file""",
+'suse-logrotate-user-writable-log-dir',
+"""The log directory is writable by unprivileged users. Please fix
+the permissions so only root can write there or add the 'su' option
+to your logrotate config""",
+'suse-logrotate-log-dir-not-packaged',
+"""Please add the specified directory to the file list to be able to
+check permissions"""
+)
--- a/1
+++ b/1
@ -37,6 +37,7 @@ addCheck("KMPPolicyCheck")
 addCheck("CheckAlternativesGhostFiles")
 addCheck("BashismsCheck")
 addCheck("CheckBuildDate")
+addCheck("CheckLogrotate")

 # stuff autobuild takes care about
 addFilter(".*invalid-version.*")
--- a/rpmlint.changes
+++ b/rpmlint.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Feb 20 16:05:23 UTC 2012 - lnussel@suse.de
+
+- add logrotate check (bnc#677335)
+
 -------------------------------------------------------------------
 Mon Feb 20 08:35:11 UTC 2012 - lnussel@suse.de

--- a/rpmlint.spec
+++ b/rpmlint.spec
@ -53,6 +53,7 @@ Source22:       CheckGNOMEMacros.py
 Source23:       CheckBuildDate.py
 Source24:       pie.config
 Source25:       licenses.config
+Source26:       CheckLogrotate.py
 Source100:      syntax-validator.py
 Url:            http://rpmlint.zarb.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -228,6 +229,7 @@ cp -p %{SOURCE19} .
 cp -p %{SOURCE21} .
 cp -p %{SOURCE22} .
 cp -p %{SOURCE23} .
+cp -p %{SOURCE26} .

 %build
 make %{?_smp_mflags}