Accepting request 122359 from devel:openSUSE:Factory:rpmlint

- add check for pam modules (fate#313077)

OBS-URL: https://build.opensuse.org/request/show/122359
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=161

CheckPAMModules.py

@@ -0,0 +1,49 @@
+# vim:sw=4:et
+#############################################################################
+# File          : CheckPAMModules.py
+# Package       : rpmlint
+# Author        : Ludwig Nussel
+# Purpose       : Check for pam modules that are not authorized by the security team
+#############################################################################
+
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+
+PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ()) # set of file names
+
+pam_module_re = re.compile('^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$')
+
+class PAMModulesCheck(AbstractCheck.AbstractCheck):
+    def __init__(self):
+        AbstractCheck.AbstractCheck.__init__(self, "CheckPAMModules")
+
+    def check(self, pkg):
+        global PAM_WHITELIST
+
+        if pkg.isSource():
+            return
+
+        files = pkg.files()
+
+        for f in files:
+            if f in pkg.ghostFiles():
+                continue
+
+            m = pam_module_re.match(f)
+            if m:
+                bn = m.groups()[0]
+                if not bn in PAM_WHITELIST:
+                    printError(pkg, "suse-pam-unauthorized-module", bn)
+
+check=PAMModulesCheck()
+
+if Config.info:
+    addDetails(
+'suse-pam-unauthorized-module',
+"""The package installs a PAM module. If the package
+is intended for inclusion in any SUSE product please open a bug
+report to request review of the service by the security team.""",
+)

config

@@ -38,6 +38,7 @@ addCheck("CheckAlternativesGhostFiles")
 addCheck("BashismsCheck")
 addCheck("CheckBuildDate")
 addCheck("CheckLogrotate")
+addCheck("CheckPAMModules")
 
 # stuff autobuild takes care about
 addFilter(".*invalid-version.*")
@@ -497,6 +498,120 @@ setOption("DBUSServices.WhiteList", (
     "de.berlios.smb4k.mounthelper.service",
 ))
 
+setOption("PAMModules.WhiteList", (
+    # pam_p11
+    "pam_p11_opensc.so",
+    "pam_p11_openssh.so",
+    # pam_krb5
+    "pam_krb5.so",
+    "pam_krb5afs.so",
+    # ecryptfs-utils
+    "pam_ecryptfs.so",
+    # gnome-keyring-pam
+    "pam_gnome_keyring.so",
+    # pwdutils-rpasswd
+    "pam_rpasswd.so",
+    # samba-winbind
+    "pam_winbind.so",
+    # pam-modules
+    "pam_homecheck.so",
+    "pam_pwcheck.so",
+    "pam_unix2.so",
+    # pam_smb
+    "pam_smb_auth.so",
+    # ConsoleKit
+    "pam_ck_connector.so",
+    # pam_ssh
+    "pam_ssh.so",
+    # libcgroup1
+    "pam_cgroup.so",
+    # pam_fprint
+    "pam_fprint.so",
+    # pam_mount
+    "pam_mount.so",
+    # pam_ccreds
+    "pam_ccreds.so",
+    # pam_radius
+    "pam_radius_auth.so",
+    # pam_pkcs11
+    "pam_pkcs11.so",
+    # nss-pam-ldapd
+    "pam_ldap.so",
+    # pam_passwdqc
+    "pam_passwdqc.so",
+    # pam_userpass
+    "pam_userpass.so",
+    # pam_apparmor
+    "pam_apparmor.so",
+    # pam_ldap
+    "pam_ldap.so",
+    # cryptconfig
+    "pam_cryptpass.so",
+    # opie
+    "pam_opie.so",
+    # pam
+    "pam_access.so",
+    "pam_cracklib.so",
+    "pam_debug.so",
+    "pam_deny.so",
+    "pam_echo.so",
+    "pam_env.so",
+    "pam_exec.so",
+    "pam_faildelay.so",
+    "pam_filter.so",
+    "pam_ftp.so",
+    "pam_group.so",
+    "pam_issue.so",
+    "pam_keyinit.so",
+    "pam_lastlog.so",
+    "pam_limits.so",
+    "pam_listfile.so",
+    "pam_localuser.so",
+    "pam_loginuid.so",
+    "pam_mail.so",
+    "pam_mkhomedir.so",
+    "pam_motd.so",
+    "pam_namespace.so",
+    "pam_nologin.so",
+    "pam_permit.so",
+    "pam_pwhistory.so",
+    "pam_rhosts.so",
+    "pam_rootok.so",
+    "pam_securetty.so",
+    "pam_selinux.so",
+    "pam_sepermit.so",
+    "pam_shells.so",
+    "pam_stress.so",
+    "pam_succeed_if.so",
+    "pam_tally.so",
+    "pam_tally2.so",
+    "pam_time.so",
+    "pam_timestamp.so",
+    "pam_tty_audit.so",
+    "pam_umask.so",
+    "pam_unix.so",
+    "pam_unix_acct.so",
+    "pam_unix_auth.so",
+    "pam_unix_passwd.so",
+    "pam_unix_session.so",
+    "pam_userdb.so",
+    "pam_warn.so",
+    "pam_wheel.so",
+    "pam_xauth.so",
+    # systemd
+    "pam_systemd.so",
+    # sssd
+    "pam_sss.so",
+    # pam_mktemp
+    "pam_mktemp.so",
+    # pam_csync
+    "pam_csync.so",
+    # samba
+    "pam_smbpass.so",
+    # pam_chroot
+    "pam_chroot.so",
+))
+
 # Output filters
 addFilter(".*spurious-bracket-in-.*")
 addFilter(".*one-line-command-in-.*")

rpmlint.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed May 23 12:43:40 UTC 2012 - lnussel@suse.de
+
+- add check for pam modules (fate#313077)
+
 -------------------------------------------------------------------
 Tue May 15 14:33:01 UTC 2012 - lnussel@suse.de
 

rpmlint.spec

@@ -54,6 +54,7 @@ Source23:       CheckBuildDate.py
 Source24:       pie.config
 Source25:       licenses.config
 Source26:       CheckLogrotate.py
+Source27:       CheckPAMModules.py
 Source100:      syntax-validator.py
 Url:            http://rpmlint.zarb.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -236,6 +237,7 @@ cp -p %{SOURCE21} .
 cp -p %{SOURCE22} .
 cp -p %{SOURCE23} .
 cp -p %{SOURCE26} .
+cp -p %{SOURCE27} .
 
 %build
 make %{?_smp_mflags}