diff --git a/CheckPAMModules.py b/CheckPAMModules.py
new file mode 100644
index 0000000..5e8a953
--- /dev/null
+++ b/CheckPAMModules.py
@@ -0,0 +1,49 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckPAMModules.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for pam modules that are not authorized by the security team
+#############################################################################
+
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+
+PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ()) # set of file names
+
+pam_module_re = re.compile('^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$')
+
+class PAMModulesCheck(AbstractCheck.AbstractCheck):
+    def __init__(self):
+        AbstractCheck.AbstractCheck.__init__(self, "CheckPAMModules")
+
+    def check(self, pkg):
+        global PAM_WHITELIST
+
+        if pkg.isSource():
+            return
+
+        files = pkg.files()
+
+        for f in files:
+            if f in pkg.ghostFiles():
+                continue
+
+            m = pam_module_re.match(f)
+            if m:
+                bn = m.groups()[0]
+                if not bn in PAM_WHITELIST:
+                    printError(pkg, "suse-pam-unauthorized-module", bn)
+
+check=PAMModulesCheck()
+
+if Config.info:
+    addDetails(
+'suse-pam-unauthorized-module',
+"""The package installs a PAM module. If the package
+is intended for inclusion in any SUSE product please open a bug
+report to request review of the service by the security team.""",
+)
diff --git a/config b/config
index 8c74541..e74e5e3 100644
--- a/config
+++ b/config
@@ -38,6 +38,7 @@ addCheck("CheckAlternativesGhostFiles")
 addCheck("BashismsCheck")
 addCheck("CheckBuildDate")
 addCheck("CheckLogrotate")
+addCheck("CheckPAMModules")
 # stuff autobuild takes care about
 addFilter(".*invalid-version.*")
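Review bot: The whitelist lookup on the `if not bn in PAM_WHITELIST` line keys on the module's basename only, so any package that ships a file with a whitelisted name under one of the matched security directories passes, regardless of whether it is the package the config comment attributes that name to; if the intent is to authorise a module for one specific package, the entry should also be matched against `pkg.name`, otherwise the header comment should state that the file name alone is what is trusted. The explanation under `addDetails` says "request review of the service", which reads as carried over from the D-Bus services check; `report to request review of the module by the security team.` is what this check is about. On style, `bn = m.group(1)` and `if bn not in PAM_WHITELIST:` are the idiomatic forms, the `global PAM_WHITELIST` declaration is unnecessary because the name is only read, and `os` and `string` are imported but never used.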
@@ -497,6 +498,120 @@ setOption("DBUSServices.WhiteList", (
     "de.berlios.smb4k.mounthelper.service",
 ))
+setOption("PAMModules.WhiteList", (
+    # pam_p11
+    "pam_p11_opensc.so",
+    "pam_p11_openssh.so",
+    # pam_krb5
+    "pam_krb5.so",
+    "pam_krb5afs.so",
+    # ecryptfs-utils
+    "pam_ecryptfs.so",
+    # gnome-keyring-pam
+    "pam_gnome_keyring.so",
+    # pwdutils-rpasswd
+    "pam_rpasswd.so",
+    # samba-winbind
+    "pam_winbind.so",
+    # pam-modules
+    "pam_homecheck.so",
+    "pam_pwcheck.so",
+    "pam_unix2.so",
+    # pam_smb
+    "pam_smb_auth.so",
+    # ConsoleKit
+    "pam_ck_connector.so",
+    # pam_ssh
+    "pam_ssh.so",
+    # libcgroup1
+    "pam_cgroup.so",
+    # pam_fprint
+    "pam_fprint.so",
+    # pam_mount
+    "pam_mount.so",
+    # pam_ccreds
+    "pam_ccreds.so",
+    # pam_radius
+    "pam_radius_auth.so",
+    # pam_pkcs11
+    "pam_pkcs11.so",
+    # nss-pam-ldapd
+    "pam_ldap.so",
+    # pam_passwdqc
+    "pam_passwdqc.so",
+    # pam_userpass
+    "pam_userpass.so",
+    # pam_apparmor
+    "pam_apparmor.so",
+    # pam_ldap
+    "pam_ldap.so",
+    # cryptconfig
+    "pam_cryptpass.so",
+    # opie
+    "pam_opie.so",
+    # pam
+    "pam_access.so",
+    "pam_cracklib.so",
+    "pam_debug.so",
+    "pam_deny.so",
+    "pam_echo.so",
+    "pam_env.so",
+    "pam_exec.so",
+    "pam_faildelay.so",
+    "pam_filter.so",
+    "pam_ftp.so",
+    "pam_group.so",
+    "pam_issue.so",
+    "pam_keyinit.so",
+    "pam_lastlog.so",
+    "pam_limits.so",
+    "pam_listfile.so",
+    "pam_localuser.so",
+    "pam_loginuid.so",
+    "pam_mail.so",
+    "pam_mkhomedir.so",
+    "pam_motd.so",
+    "pam_namespace.so",
+    "pam_nologin.so",
+    "pam_permit.so",
+    "pam_pwhistory.so",
+    "pam_rhosts.so",
+    "pam_rootok.so",
+    "pam_securetty.so",
+    "pam_selinux.so",
+    "pam_sepermit.so",
+    "pam_shells.so",
+    "pam_stress.so",
+    "pam_succeed_if.so",
+    "pam_tally.so",
+    "pam_tally2.so",
+    "pam_time.so",
+    "pam_timestamp.so",
+    "pam_tty_audit.so",
+    "pam_umask.so",
+    "pam_unix.so",
+    "pam_unix_acct.so",
+    "pam_unix_auth.so",
+    "pam_unix_passwd.so",
+    "pam_unix_session.so",
+    "pam_userdb.so",
+    "pam_warn.so",
+    "pam_wheel.so",
+    "pam_xauth.so",
+    # systemd
+    "pam_systemd.so",
+    # sssd
+    "pam_sss.so",
+    # pam_mktemp
+    "pam_mktemp.so",
+    # pam_csync
+    "pam_csync.so",
+    # samba
+    "pam_smbpass.so",
+    # pam_chroot
+    "pam_chroot.so",
+))
+
 # Output filters
 addFilter(".*spurious-bracket-in-.*")
 addFilter(".*one-line-command-in-.*")
diff --git a/rpmlint.changes b/rpmlint.changes
index 5d17254..ea7bc43 100644
--- a/rpmlint.changes
+++ b/rpmlint.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed May 23 12:43:40 UTC 2012 - lnussel@suse.de
+
+- add check for pam modules (fate#313077)
+
 -------------------------------------------------------------------
 Tue May 15 14:33:01 UTC 2012 - lnussel@suse.de
diff --git a/rpmlint.spec b/rpmlint.spec
index 5bbbaff..9eeb7aa 100644
--- a/rpmlint.spec
+++ b/rpmlint.spec
@@ -54,6 +54,7 @@ Source23: CheckBuildDate.py
 Source24: pie.config
 Source25: licenses.config
 Source26: CheckLogrotate.py
+Source27: CheckPAMModules.py
 Source100: syntax-validator.py
 Url: http://rpmlint.zarb.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -236,6 +237,7 @@ cp -p %{SOURCE21} .
 cp -p %{SOURCE22} .
 cp -p %{SOURCE23} .
 cp -p %{SOURCE26} .
+cp -p %{SOURCE27} .
 %build
 make %{?_smp_mflags}
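Review bot: `"pam_ldap.so"` appears twice in the new PAMModules.WhiteList tuple, once under the `# nss-pam-ldapd` comment and again under `# pam_ldap`. Membership testing on a tuple makes the duplicate harmless at runtime, but the two comments attribute the same file name to two different packages, which defeats the purpose of recording which package was reviewed for each entry. Keep a single entry and name both packages in its comment, e.g. `# nss-pam-ldapd / pam_ldap` above the one `"pam_ldap.so",` line.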