From 6213dc0a269041ba250668943d284e8f58dbd9d5f292ff07f98a82b709ac921e Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Mon, 20 Feb 2012 16:06:38 +0000 Subject: [PATCH] - add logrotate check (bnc#677335) OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=98 --- CheckLogrotate.py | 96 +++++++++++++++++++++++++++++++++++++++++++++++ config | 1 + rpmlint.changes | 5 +++ rpmlint.spec | 2 + 4 files changed, 104 insertions(+) create mode 100644 CheckLogrotate.py diff --git a/CheckLogrotate.py b/CheckLogrotate.py new file mode 100644 index 0000000..54d2371 --- /dev/null +++ b/CheckLogrotate.py 
@@ -0,0 +1,96 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckLogrotate.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for insecure logrotate directories
+#############################################################################
+
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+
+class LogrotateCheck(AbstractCheck.AbstractCheck):
+ def __init__(self):
+ AbstractCheck.AbstractCheck.__init__(self, "CheckLogrotate")
+
+ def check(self, pkg):
+ if pkg.isSource():
+ return
+
+ files = pkg.files()
+ dirs = {}
+
+ for f, pkgfile in files.items():
+ if f in pkg.ghostFiles():
+ continue
+
+ if f.startswith("/etc/logrotate.d/"):
+ try:
+ for n, o in self.parselogrotateconf(pkg.dirName(), f).items():
+ if n in dirs and dirs[n] != o:
+ printError(pkg, "logrotate-duplicate", n)
+ else:
+ dirs[n] = o
+ except Exception, x:
+ printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})
+
+ for d in sorted(dirs.keys()):
+ if not d in files:
+ if d != '/var/log':
+ printError(pkg, 'suse-logrotate-log-dir-not-packaged', d)
+ continue
+ mode = files[d].mode&0777
+ if files[d].user != 'root' and (dirs[d] is None or dirs[d][0] != files[d].user):
+ printError(pkg, 'suse-logrotate-user-writable-log-dir', \
+ "%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))
+ elif files[d].group != 'root' and mode&020 and (dirs[d] is None or dirs[d][1] != files[d].group):
+ printError(pkg, 'suse-logrotate-user-writable-log-dir', \
+ "%s %s:%s %04o"%(d, files[d].user, files[d].group, mode))
+
+ # extremely primitive logrotate parser
+ def parselogrotateconf(self, root, f):
+ dirs = {}
+ fd = open('/'.join((root, f)))
+ currentdirs = []
+ for line in fd.readlines():
+ line = line.strip()
+ if line.startswith('#'):
+ continue
+ if not currentdirs:
+ if line.endswith('{'):
+ insection = True
+ for logfile in line.split(' '):
+ if logfile == 
'{': + continue + dn = os.path.dirname(logfile) + if not dn in dirs: + currentdirs.append(dn) + dirs[dn] = None + else: + if line.endswith('}'): + currentdirs = [] + elif line.startswith("su "): + a = line.split(" ") + for dn in currentdirs: + dirs[dn] = (a[1], a[2]) + return dirs + + +check=LogrotateCheck() + +if Config.info: + addDetails( +'suse-logrotate-duplicate', +"""There are dupliated logrotate entries with different settings for +the specified file""", +'suse-logrotate-user-writable-log-dir', +"""The log directory is writable by unprivileged users. Please fix +the permissions so only root can write there or add the 'su' option +to your logrotate config""", +'suse-logrotate-log-dir-not-packaged', +"""Please add the specified directory to the file list to be able to +check permissions""" +) diff --git a/config b/config index 1404d06..085cc38 100644 --- a/config +++ b/config @@ -37,6 +37,7 @@ addCheck("KMPPolicyCheck") addCheck("CheckAlternativesGhostFiles") addCheck("BashismsCheck") addCheck("CheckBuildDate") +addCheck("CheckLogrotate") # stuff autobuild takes care about addFilter(".*invalid-version.*") diff --git a/rpmlint.changes b/rpmlint.changes index 20d5c0d..809acb1 100644 --- a/rpmlint.changes +++ b/rpmlint.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Feb 20 16:05:23 UTC 2012 - lnussel@suse.de + +- add logrotate check (bnc#677335) + ------------------------------------------------------------------- Mon Feb 20 08:35:11 UTC 2012 - lnussel@suse.de diff --git a/rpmlint.spec b/rpmlint.spec index 97b1d48..3bfbce8 100644 --- a/rpmlint.spec +++ b/rpmlint.spec @@ -53,6 +53,7 @@ Source22: CheckGNOMEMacros.py Source23: CheckBuildDate.py Source24: pie.config Source25: licenses.config +Source26: CheckLogrotate.py Source100: syntax-validator.py Url: http://rpmlint.zarb.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build 
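Review bot: The permission test in `check()` never looks at the world-write bit, so a root-owned log directory with mode 0777 or 0757 passes both branches without a `suse-logrotate-user-writable-log-dir` error even though unprivileged users can write there. A third branch such as `elif mode&002 and dirs[d] is None:` reporting the same error would cover it; whether a `su` directive should silence it, as it does in the two existing branches, is a policy choice to confirm. Separately, the duplicate case calls `printError(pkg, "logrotate-duplicate", n)` while `addDetails` registers `suse-logrotate-duplicate`, so the explanation text is never attached to the emitted error and the two names should match. In `parselogrotateconf()` a section is only recognised when `{` ends the same line as the log paths, so a config that puts `{` on its own line yields no directories and goes unchecked, and the file opened with `open()` is never closed.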
@@ -228,6 +229,7 @@ cp -p %{SOURCE19} . cp -p %{SOURCE21} . cp -p %{SOURCE22} . cp -p %{SOURCE23} . +cp -p %{SOURCE26} . %build make %{?_smp_mflags}