rpmlint/CheckPolkitPrivs.py

# vim:sw=4:et
#############################################################################
# File          : CheckPolkitPrivs.py
# Package       : rpmlint
# Author        : Ludwig Nussel
# Purpose       : Check for /etc/polkit-default-privs violations
#############################################################################

from Filter import *
import AbstractCheck
import Config
import re
import os
from xml.dom.minidom import parse

POLKIT_PRIVS_WHITELIST = Config.getOption('PolkitPrivsWhiteList', ()) # set of file names
POLKIT_PRIVS_FILES = Config.getOption('PolkitPrivsFiles', [ "/etc/polkit-default-privs.standard" ])

class PolkitCheck(AbstractCheck.AbstractCheck):
    def __init__(self):
        AbstractCheck.AbstractCheck.__init__(self, "CheckPolkitPrivs")
        self.privs = {}

        for filename in POLKIT_PRIVS_FILES:
            if os.path.exists(filename):
                self._parsefile(filename)

    def _parsefile(self,filename):
        for line in file(filename):
            line = line.split('#')[0].split('\n')[0]
            if len(line):
                line = re.split(r'\s+', line)
                priv = line[0]
                value = line[1]

                self.privs[priv] = value

    def check(self, pkg):

        if pkg.isSource():
            return

        files = pkg.files()

        permfiles = {}
        # first pass, find additional files
        for f in files:
            if f in pkg.ghostFiles():
                continue

            if f.startswith("/etc/polkit-default-privs.d/"):

                bn = f[28:]
                if not bn in POLKIT_PRIVS_WHITELIST:
                    printError(pkg, "polkit-unauthorized-file", f)

                if bn.endswith(".restrictive") or bn.endswith(".standard") or bn.endswith(".relaxed"):
                    bn = bn.split('.')[0]

                if not bn in permfiles:
                    permfiles[bn] = 1

        for f in permfiles:
            f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f

            if os.path.exists(f+".restrictive"):
                self._parsefile(f + ".restrictive")
            elif os.path.exists(f+".standard"):
                self._parsefile(f + ".standard")
            elif os.path.exists(f+".relaxed"):
                self._parsefile(f + ".relaxed")
            else:
                self._parsefile(f)


        for f in files:
            if f in pkg.ghostFiles():
                continue

            # catch xml exceptions 
            try:
                if f.startswith("/usr/share/PolicyKit/policy/")\
                or f.startswith("/usr/share/polkit-1/actions/"):
                    xml = parse(pkg.dirName() + f)
                    for a in xml.getElementsByTagName("action"):
                        action = a.getAttribute('id')
                        if not action in self.privs:
                            iserr = 0
                            foundno = 0
                            foundundef = 0
                            settings = {}
                            try:
                                defaults = a.getElementsByTagName("defaults")[0]
                                for i in defaults.childNodes:
                                    if not i.nodeType == i.ELEMENT_NODE:
                                        continue

                                    if i.nodeName in ('allow_any', 'allow_inactive', 'allow_active'):
                                        settings[i.nodeName] = i.firstChild.data

                            except:
                                iserr = 1

                            for i in ('allow_any', 'allow_inactive', 'allow_active'):
                                if not i in settings:
                                    foundundef = 1
                                    settings[i] = '??'
                                elif settings[i].find("auth_admin") != 0:
                                    if settings[i] == 'no':
                                        foundno = 1
                                    else:
                                        iserr = 1

                            if iserr:
                                printError(pkg, 'polkit-unauthorized-privilege', '%s (%s:%s:%s)' % (action, \
                                    settings['allow_any'], settings['allow_inactive'], settings['allow_active']))
                            else:
                                printInfo(pkg, 'polkit-untracked-privilege', '%s (%s:%s:%s)' % (action, \
                                    settings['allow_any'], settings['allow_inactive'], settings['allow_active']))

                            if foundno or foundundef:
                                printInfo(pkg,
                                        'polkit-cant-acquire-privilege', '%s (%s:%s:%s)' % (action, \
                                    settings['allow_any'], settings['allow_inactive'], settings['allow_active']))

            except Exception, x:
                printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})
                continue

check=PolkitCheck()

if Config.info:
    addDetails(
'polkit-unauthorized-file',
"""If the package is intended for inclusion in any SUSE product
please open a bug report to request review of the package by the
security team""",
'polkit-unauthorized-privilege',
"""The package allows unprivileged users to carry out privileged
operations without authentication. This could cause security
problems if not done carefully. If the package is intended for
inclusion in any SUSE product please open a bug report to request
review of the package by the security team""",
'polkit-untracked-privilege',
"""The privilege is not listed in /etc/polkit-default-privs.*
which makes it harder for admins to find. If the package is intended
for inclusion in any SUSE product please open a bug report to
request review of the package by the security team""",
'polkit-cant-acquire-privilege',
"""Usability can be improved by allowing users to acquire privileges
via authentication. Use e.g. 'auth_admin' instead of 'no' and make
sure to define 'allow_any'. This is an issue only if the privilege
is not listed in /etc/polkit-default-privs.*""")
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`# vim:sw=4:et`
			`#############################################################################`
			`# File : CheckPolkitPrivs.py`
			`# Package : rpmlint`
			`# Author : Ludwig Nussel`
			`# Purpose : Check for /etc/polkit-default-privs violations`
			`#############################################################################`

			`from Filter import *`
			`import AbstractCheck`
Accepting request 33497 from Base:System Copy from Base:System/rpmlint based on submit request 33497 from user lnussel OBS-URL: https://build.opensuse.org/request/show/33497 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=53 2010-02-26 01:10:53 +01:00			`import Config`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`import re`
			`import os`
			`from xml.dom.minidom import parse`

Accepting request 33497 from Base:System Copy from Base:System/rpmlint based on submit request 33497 from user lnussel OBS-URL: https://build.opensuse.org/request/show/33497 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=53 2010-02-26 01:10:53 +01:00			`POLKIT_PRIVS_WHITELIST = Config.getOption('PolkitPrivsWhiteList', ()) # set of file names`
			`POLKIT_PRIVS_FILES = Config.getOption('PolkitPrivsFiles', [ "/etc/polkit-default-privs.standard" ])`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00
			`class PolkitCheck(AbstractCheck.AbstractCheck):`
			`def __init__(self):`
			`AbstractCheck.AbstractCheck.__init__(self, "CheckPolkitPrivs")`
			`self.privs = {}`

- fix stripping of unknown polkit suffixes (bnc#711485) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=58 2011-08-19 18:36:40 +02:00			`for filename in POLKIT_PRIVS_FILES:`
			`if os.path.exists(filename):`
			`self._parsefile(filename)`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00
- fix stripping of unknown polkit suffixes (bnc#711485) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=58 2011-08-19 18:36:40 +02:00			`def _parsefile(self,filename):`
			`for line in file(filename):`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`line = line.split('#')[0].split('\n')[0]`
			`if len(line):`
			`line = re.split(r'\s+', line)`
			`priv = line[0]`
			`value = line[1]`

			`self.privs[priv] = value`

			`def check(self, pkg):`

			`if pkg.isSource():`
			`return`

			`files = pkg.files()`

			`permfiles = {}`
			`# first pass, find additional files`
			`for f in files:`
			`if f in pkg.ghostFiles():`
			`continue`

			`if f.startswith("/etc/polkit-default-privs.d/"):`

			`bn = f[28:]`
Accepting request 33497 from Base:System Copy from Base:System/rpmlint based on submit request 33497 from user lnussel OBS-URL: https://build.opensuse.org/request/show/33497 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=53 2010-02-26 01:10:53 +01:00			`if not bn in POLKIT_PRIVS_WHITELIST:`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`printError(pkg, "polkit-unauthorized-file", f)`

- fix stripping of unknown polkit suffixes (bnc#711485) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=58 2011-08-19 18:36:40 +02:00			`if bn.endswith(".restrictive") or bn.endswith(".standard") or bn.endswith(".relaxed"):`
			`bn = bn.split('.')[0]`

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`if not bn in permfiles:`
			`permfiles[bn] = 1`

			`for f in permfiles:`
			`f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f`
- fix stripping of unknown polkit suffixes (bnc#711485) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=58 2011-08-19 18:36:40 +02:00
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`if os.path.exists(f+".restrictive"):`
			`self._parsefile(f + ".restrictive")`
			`elif os.path.exists(f+".standard"):`
			`self._parsefile(f + ".standard")`
			`elif os.path.exists(f+".relaxed"):`
			`self._parsefile(f + ".relaxed")`
			`else:`
			`self._parsefile(f)`

- fix stripping of unknown polkit suffixes (bnc#711485) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=58 2011-08-19 18:36:40 +02:00
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`for f in files:`
			`if f in pkg.ghostFiles():`
			`continue`

			`# catch xml exceptions`
			`try:`
Accepting request 33497 from Base:System Copy from Base:System/rpmlint based on submit request 33497 from user lnussel OBS-URL: https://build.opensuse.org/request/show/33497 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=53 2010-02-26 01:10:53 +01:00			`if f.startswith("/usr/share/PolicyKit/policy/")\`
			`or f.startswith("/usr/share/polkit-1/actions/"):`
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`xml = parse(pkg.dirName() + f)`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`for a in xml.getElementsByTagName("action"):`
			`action = a.getAttribute('id')`
			`if not action in self.privs:`
			`iserr = 0`
			`foundno = 0`
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`foundundef = 0`
			`settings = {}`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`try:`
			`defaults = a.getElementsByTagName("defaults")[0]`
			`for i in defaults.childNodes:`
			`if not i.nodeType == i.ELEMENT_NODE:`
			`continue`
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00
			`if i.nodeName in ('allow_any', 'allow_inactive', 'allow_active'):`
			`settings[i.nodeName] = i.firstChild.data`

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`except:`
			`iserr = 1`

- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`for i in ('allow_any', 'allow_inactive', 'allow_active'):`
			`if not i in settings:`
			`foundundef = 1`
			`settings[i] = '??'`
			`elif settings[i].find("auth_admin") != 0:`
			`if settings[i] == 'no':`
			`foundno = 1`
			`else:`
			`iserr = 1`

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`if iserr:`
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`printError(pkg, 'polkit-unauthorized-privilege', '%s (%s:%s:%s)' % (action, \`
			`settings['allow_any'], settings['allow_inactive'], settings['allow_active']))`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`else:`
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`printInfo(pkg, 'polkit-untracked-privilege', '%s (%s:%s:%s)' % (action, \`
			`settings['allow_any'], settings['allow_inactive'], settings['allow_active']))`

			`if foundno or foundundef:`
			`printInfo(pkg,`
			`'polkit-cant-acquire-privilege', '%s (%s:%s:%s)' % (action, \`
			`settings['allow_any'], settings['allow_inactive'], settings['allow_active']))`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`except Exception, x:`
			`printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`continue`

			`check=PolkitCheck()`

			`if Config.info:`
			`addDetails(`
			`'polkit-unauthorized-file',`
Accepting request 51510 from Base:System Accepted submit request 51510 from user dirkmueller OBS-URL: https://build.opensuse.org/request/show/51510 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=72 2010-10-28 13:38:59 +02:00			`"""If the package is intended for inclusion in any SUSE product`
			`please open a bug report to request review of the package by the`
			`security team""",`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`'polkit-unauthorized-privilege',`
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`"""The package allows unprivileged users to carry out privileged`
			`operations without authentication. This could cause security`
			`problems if not done carefully. If the package is intended for`
			`inclusion in any SUSE product please open a bug report to request`
			`review of the package by the security team""",`
			`'polkit-untracked-privilege',`
			`"""The privilege is not listed in /etc/polkit-default-privs.*`
			`which makes it harder for admins to find. If the package is intended`
			`for inclusion in any SUSE product please open a bug report to`
			`request review of the package by the security team""",`
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=31 2008-12-15 15:05:00 +01:00			`'polkit-cant-acquire-privilege',`
			`"""Usability can be improved by allowing users to acquire privileges`
			`via authentication. Use e.g. 'auth_admin' instead of 'no' and make`
- CheckPolkitPrivs.py: use different tag for non-fatal issues - CheckBuildDate.py: print either file-contains-current-date or file-contains-current-date but not both OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=33 2011-06-07 17:11:55 +02:00			`sure to define 'allow_any'. This is an issue only if the privilege`
			`is not listed in /etc/polkit-default-privs.*""")`