- add check for pam modules (fate#313077)

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=114
2012-05-23 12:44:03 +00:00 · 2012-05-23 12:44:03 +00:00 · 52601ad106
commit 52601ad106
parent 268b335d11
4 changed files with 169 additions and 0 deletions
--- a/CheckPAMModules.py
+++ b/CheckPAMModules.py
@ -0,0 +1,49 @@
+# vim:sw=4:et
+#############################################################################
+# File          : CheckPAMModules.py
+# Package       : rpmlint
+# Author        : Ludwig Nussel
+# Purpose       : Check for pam modules that are not authorized by the security team
+#############################################################################
+
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+
+PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ()) # set of file names
+
+pam_module_re = re.compile('^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$')
+
+class PAMModulesCheck(AbstractCheck.AbstractCheck):
+    def __init__(self):
+        AbstractCheck.AbstractCheck.__init__(self, "CheckPAMModules")
+
+    def check(self, pkg):
+        global PAM_WHITELIST
+
+        if pkg.isSource():
+            return
+
+        files = pkg.files()
+
+        for f in files:
+            if f in pkg.ghostFiles():
+                continue
+
+            m = pam_module_re.match(f)
+            if m:
+                bn = m.groups()[0]
+                if not bn in PAM_WHITELIST:
+                    printError(pkg, "suse-pam-unauthorized-module", bn)
+
+check=PAMModulesCheck()
+
+if Config.info:
+    addDetails(
+'suse-pam-unauthorized-module',
+"""The package installs a PAM module. If the package
+is intended for inclusion in any SUSE product please open a bug
+report to request review of the service by the security team.""",
+)
--- a/114
+++ b/114
@ -497,6 +497,120 @@ setOption("DBUSServices.WhiteList", (
    "de.berlios.smb4k.mounthelper.service",
 ))

+setOption("PAMModules.WhiteList", (
+    # pam_p11
+    "pam_p11_opensc.so",
+    "pam_p11_openssh.so",
+    # pam_krb5
+    "pam_krb5.so",
+    "pam_krb5afs.so",
+    # ecryptfs-utils
+    "pam_ecryptfs.so",
+    # gnome-keyring-pam
+    "pam_gnome_keyring.so",
+    # pwdutils-rpasswd
+    "pam_rpasswd.so",
+    # samba-winbind
+    "pam_winbind.so",
+    # pam-modules
+    "pam_homecheck.so",
+    "pam_pwcheck.so",
+    "pam_unix2.so",
+    # pam_smb
+    "pam_smb_auth.so",
+    # ConsoleKit
+    "pam_ck_connector.so",
+    # pam_ssh
+    "pam_ssh.so",
+    # libcgroup1
+    "pam_cgroup.so",
+    # pam_fprint
+    "pam_fprint.so",
+    # pam_mount
+    "pam_mount.so",
+    # pam_ccreds
+    "pam_ccreds.so",
+    # pam_radius
+    "pam_radius_auth.so",
+    # pam_pkcs11
+    "pam_pkcs11.so",
+    # nss-pam-ldapd
+    "pam_ldap.so",
+    # pam_passwdqc
+    "pam_passwdqc.so",
+    # pam_userpass
+    "pam_userpass.so",
+    # pam_apparmor
+    "pam_apparmor.so",
+    # pam_ldap
+    "pam_ldap.so",
+    # cryptconfig
+    "pam_cryptpass.so",
+    # opie
+    "pam_opie.so",
+    # pam
+    "pam_access.so",
+    "pam_cracklib.so",
+    "pam_debug.so",
+    "pam_deny.so",
+    "pam_echo.so",
+    "pam_env.so",
+    "pam_exec.so",
+    "pam_faildelay.so",
+    "pam_filter.so",
+    "pam_ftp.so",
+    "pam_group.so",
+    "pam_issue.so",
+    "pam_keyinit.so",
+    "pam_lastlog.so",
+    "pam_limits.so",
+    "pam_listfile.so",
+    "pam_localuser.so",
+    "pam_loginuid.so",
+    "pam_mail.so",
+    "pam_mkhomedir.so",
+    "pam_motd.so",
+    "pam_namespace.so",
+    "pam_nologin.so",
+    "pam_permit.so",
+    "pam_pwhistory.so",
+    "pam_rhosts.so",
+    "pam_rootok.so",
+    "pam_securetty.so",
+    "pam_selinux.so",
+    "pam_sepermit.so",
+    "pam_shells.so",
+    "pam_stress.so",
+    "pam_succeed_if.so",
+    "pam_tally.so",
+    "pam_tally2.so",
+    "pam_time.so",
+    "pam_timestamp.so",
+    "pam_tty_audit.so",
+    "pam_umask.so",
+    "pam_unix.so",
+    "pam_unix_acct.so",
+    "pam_unix_auth.so",
+    "pam_unix_passwd.so",
+    "pam_unix_session.so",
+    "pam_userdb.so",
+    "pam_warn.so",
+    "pam_wheel.so",
+    "pam_xauth.so",
+    # systemd
+    "pam_systemd.so",
+    # sssd
+    "pam_sss.so",
+    # pam_mktemp
+    "pam_mktemp.so",
+    # pam_csync
+    "pam_csync.so",
+    # samba
+    "pam_smbpass.so",
+    # pam_chroot
+    "pam_chroot.so",
+))
+
 # Output filters
 addFilter(".*spurious-bracket-in-.*")
 addFilter(".*one-line-command-in-.*")
--- a/rpmlint.changes
+++ b/rpmlint.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed May 23 12:43:40 UTC 2012 - lnussel@suse.de
+
+- add check for pam modules (fate#313077)
+
 -------------------------------------------------------------------
 Tue May 15 14:33:01 UTC 2012 - lnussel@suse.de

--- a/rpmlint.spec
+++ b/rpmlint.spec
@ -54,6 +54,7 @@ Source23:       CheckBuildDate.py
 Source24:       pie.config
 Source25:       licenses.config
 Source26:       CheckLogrotate.py
+Source27:       CheckPAMModules.py
 Source100:      syntax-validator.py
 Url:            http://rpmlint.zarb.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build