rpmlint/CheckLogrotate.py

# vim:sw=4:et
#############################################################################
# File          : CheckLogrotate.py
# Package       : rpmlint
# Author        : Ludwig Nussel
# Purpose       : Check for insecure logrotate directories
#############################################################################

from Filter import *
import AbstractCheck
import re
import os
import string

class LogrotateCheck(AbstractCheck.AbstractCheck):
    def __init__(self):
        AbstractCheck.AbstractCheck.__init__(self, "CheckLogrotate")

    def check(self, pkg):
        if pkg.isSource():
            return

        files = pkg.files()
        dirs = {}

        for f, pkgfile in files.items():
            if f in pkg.ghostFiles():
                continue

            if f.startswith("/etc/logrotate.d/"):
                try:
                    for n, o in self.parselogrotateconf(pkg.dirName(), f).items():
                        if n in dirs and dirs[n] != o:
                            printError(pkg, "logrotate-duplicate", n)
                        else:
                            dirs[n] = o
                except Exception, x:
                    printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})

        for d in sorted(dirs.keys()):
            if not d in files:
                if d != '/var/log':
                    printError(pkg, 'suse-logrotate-log-dir-not-packaged', d)
                continue
            mode = files[d].mode&0777
            if files[d].user != 'root' and (dirs[d] is None or dirs[d][0] != files[d].user):
                printError(pkg, 'suse-logrotate-user-writable-log-dir', \
                        "%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))
            elif files[d].group != 'root' and mode&020 and (dirs[d] is None or dirs[d][1] != files[d].group):
                    printError(pkg, 'suse-logrotate-user-writable-log-dir', \
                        "%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))

    # extremely primitive logrotate parser
    def parselogrotateconf(self, root, f):
        dirs = {}
        fd = open('/'.join((root, f)))
        currentdirs = []
        for line in fd.readlines():
            line = line.strip()
            if line.startswith('#'):
                continue
            if not currentdirs:
                if line.endswith('{'):
                    insection = True
                    for logfile in line.split(' '):
                        logfile = logfile.strip()
                        if len(logfile) == 0 or logfile == '{':
                            continue
                        dn = os.path.dirname(logfile)
                        if not dn in dirs:
                            currentdirs.append(dn)
                            dirs[dn] = None
            else:
                if line.endswith('}'):
                    currentdirs = []
                elif line.startswith("su "):
                    a = line.split(" ")
                    for dn in currentdirs:
                        dirs[dn] = (a[1], a[2])
        return dirs


check=LogrotateCheck()

if Config.info:
    addDetails(
'suse-logrotate-duplicate',
"""There are dupliated logrotate entries with different settings for
the specified file""",
'suse-logrotate-user-writable-log-dir',
"""The log directory is writable by unprivileged users. Please fix
the permissions so only root can write there or add the 'su' option
to your logrotate config""",
'suse-logrotate-log-dir-not-packaged',
"""Please add the specified directory to the file list to be able to
check permissions"""
)
- add logrotate check (bnc#677335) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=98 2012-02-20 17:06:38 +01:00			`# vim:sw=4:et`
			`#############################################################################`
			`# File : CheckLogrotate.py`
			`# Package : rpmlint`
			`# Author : Ludwig Nussel`
			`# Purpose : Check for insecure logrotate directories`
			`#############################################################################`

			`from Filter import *`
			`import AbstractCheck`
			`import re`
			`import os`
			`import string`

			`class LogrotateCheck(AbstractCheck.AbstractCheck):`
			`def __init__(self):`
			`AbstractCheck.AbstractCheck.__init__(self, "CheckLogrotate")`

			`def check(self, pkg):`
			`if pkg.isSource():`
			`return`

			`files = pkg.files()`
			`dirs = {}`

			`for f, pkgfile in files.items():`
			`if f in pkg.ghostFiles():`
			`continue`

			`if f.startswith("/etc/logrotate.d/"):`
			`try:`
			`for n, o in self.parselogrotateconf(pkg.dirName(), f).items():`
			`if n in dirs and dirs[n] != o:`
			`printError(pkg, "logrotate-duplicate", n)`
			`else:`
			`dirs[n] = o`
			`except Exception, x:`
			`printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})`

			`for d in sorted(dirs.keys()):`
			`if not d in files:`
			`if d != '/var/log':`
			`printError(pkg, 'suse-logrotate-log-dir-not-packaged', d)`
			`continue`
			`mode = files[d].mode&0777`
			`if files[d].user != 'root' and (dirs[d] is None or dirs[d][0] != files[d].user):`
			`printError(pkg, 'suse-logrotate-user-writable-log-dir', \`
			`"%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))`
			`elif files[d].group != 'root' and mode&020 and (dirs[d] is None or dirs[d][1] != files[d].group):`
			`printError(pkg, 'suse-logrotate-user-writable-log-dir', \`
			`"%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))`

			`# extremely primitive logrotate parser`
			`def parselogrotateconf(self, root, f):`
			`dirs = {}`
			`fd = open('/'.join((root, f)))`
			`currentdirs = []`
			`for line in fd.readlines():`
			`line = line.strip()`
			`if line.startswith('#'):`
			`continue`
			`if not currentdirs:`
			`if line.endswith('{'):`
			`insection = True`
			`for logfile in line.split(' '):`
- better deal with spaces in logrotate config - add colord-sane dbus service to whitelist (bnc#752518) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=107 2012-03-20 09:34:26 +01:00			`logfile = logfile.strip()`
			`if len(logfile) == 0 or logfile == '{':`
- add logrotate check (bnc#677335) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=98 2012-02-20 17:06:38 +01:00			`continue`
			`dn = os.path.dirname(logfile)`
			`if not dn in dirs:`
			`currentdirs.append(dn)`
			`dirs[dn] = None`
			`else:`
			`if line.endswith('}'):`
			`currentdirs = []`
			`elif line.startswith("su "):`
			`a = line.split(" ")`
			`for dn in currentdirs:`
			`dirs[dn] = (a[1], a[2])`
			`return dirs`


			`check=LogrotateCheck()`

			`if Config.info:`
			`addDetails(`
			`'suse-logrotate-duplicate',`
			`"""There are dupliated logrotate entries with different settings for`
			`the specified file""",`
			`'suse-logrotate-user-writable-log-dir',`
			`"""The log directory is writable by unprivileged users. Please fix`
			`the permissions so only root can write there or add the 'su' option`
			`to your logrotate config""",`
			`'suse-logrotate-log-dir-not-packaged',`
			`"""Please add the specified directory to the file list to be able to`
			`check permissions"""`
			`)`