From 5f37cb646e3a69051eac357eed8d63a2b2160fc22f15781359e6b20263ec2129 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Mon, 5 May 2014 15:17:36 +0000
Subject: [PATCH] - disallow /var/run and /var/lock

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory:rpmlint/rpmlint?expand=0&rev=267
---
 ...int-1.5-disallow-var-run-and-var-lock.diff | 165 ++++++++++++++++++
 rpmlint.changes | 6 +
 rpmlint.spec | 3 +
 3 files changed, 174 insertions(+)
 create mode 100644 rpmlint-1.5-disallow-var-run-and-var-lock.diff
diff --git a/rpmlint-1.5-disallow-var-run-and-var-lock.diff b/rpmlint-1.5-disallow-var-run-and-var-lock.diff
new file mode 100644
index 0000000..edf8922
--- /dev/null
+++ b/rpmlint-1.5-disallow-var-run-and-var-lock.diff
@@ -0,0 +1,165 @@
+From c45057466e8e40bbb36fa90faa10a2b678c25ba2 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Wed, 30 Apr 2014 16:35:20 +0200
+Subject: [PATCH rpmlint] disallow /var/run and /var/lock
+
+Distros moved to having /var/run and /var/lock as symlinks to /run resp
+/run/lock. Therefore packages must no longer put files there at all.
+
+Also, refactor the code for dir-or-file-in-* and make it configurable.
+---
+ FilesCheck.py | 77 +++++++++++++++++++++++------------------------------------
+ config | 4 ++++
+ 2 files changed, 34 insertions(+), 47 deletions(-)
+
+Index: rpmlint-1.5/FilesCheck.py
+===================================================================
+--- rpmlint-1.5.orig/FilesCheck.py
++++ rpmlint-1.5/FilesCheck.py
+@@ -559,12 +559,9 @@ STANDARD_DIRS = (
+ '/var/lib/nobody',
+ '/var/lib/pam_devperm',
+ '/var/lib/wwwrun',
+- '/var/lock',
+- '/var/lock/subsys',
+ '/var/log',
+ '/var/mail',
+ '/var/opt',
+- '/var/run',
+ '/var/spool',
+ '/var/spool/clientmqueue',
+ '/var/spool/locks',
+@@ -589,7 +586,19 @@ DEFAULT_STANDARD_GROUPS = ('root', 'bin'
+ 'shutdown', 'halt', 'mail', 'news', 'uucp',
+ 'man', 'nobody',)
+
+-tmp_regex = re.compile('^(/var|/usr)?/tmp/')
++DEFAULT_DISALLOWED_DIRS = (
++ '/home',
++ '/mnt',
++ '/opt',
++ '/tmp',
++ '/usr/local',
++ '/usr/tmp',
++ '/var/local',
++ '/var/lock',
++ '/var/run',
++ '/var/tmp',
++)
++
+ sub_bin_regex = re.compile('^(/usr)?/s?bin/\S+/')
+ backup_regex = re.compile('(~|\#[^/]+\#|\.orig|\.orig\.gz|\.rej)$')
+ compr_regex = re.compile('\.(gz|z|Z|zip|bz2|lzma|xz)$')
+@@ -653,6 +662,8 @@ use_relative_symlinks = Config.getOption
+ standard_groups = Config.getOption('StandardGroups', DEFAULT_STANDARD_GROUPS)
+ standard_users = Config.getOption('StandardUsers', DEFAULT_STANDARD_USERS)
+
++disallowed_dirs = Config.getOption('DisallowedDirs', DEFAULT_DISALLOWED_DIRS)
++
+ non_readable_regexs = (re.compile('^/var/log/'),
+ re.compile('^/etc/(g?shadow-?|securetty)$'))
+
+@@ -871,19 +882,13 @@ class FilesCheck(AbstractCheck.AbstractC
+ is_kernel_package:
+ printError(pkg, "kernel-modules-not-in-kernel-packages", f)
+
+- for i in ['mnt','opt','usr-local','var-local','home']:
+- if f.startswith('/%s/' % i.replace('-','/')):
+- printError(pkg, 'dir-or-file-in-%s' % i, f)
+-
+- if tmp_regex.search(f):
+- printError(pkg, 'dir-or-file-in-tmp', f)
++ for i in disallowed_dirs:
++ if f.startswith(i):
++ printError(pkg, 'dir-or-file-in-%s' % '-'.join(i.split('/')[1:]), f)
+
+- elif f.startswith('/var/run/'):
++ if f.startswith('/run/'):
+ if f not in ghost_files:
+- printWarning(pkg, 'non-ghost-in-var-run', f)
+- elif f.startswith('/var/lock/'):
+- if f not in ghost_files:
+- printWarning(pkg, 'non-ghost-in-var-lock', f)
++ printWarning(pkg, 'non-ghost-in-run', f)
+ elif sub_bin_regex.search(f):
+ printError(pkg, 'subdir-in-bin', f)
+ elif '/site_perl/' in f:
+@@ -1466,35 +1471,10 @@ install-info.''',
+ '''You have a perl temporary file in your package. Usually, this
+ file is beginning with a dot (.) and contain "perl" in its name.''',
+
+-'dir-or-file-in-tmp',
+-'''A file in the package is located in /tmp. It's not permitted
+-for packages to install files in this directory.''',
+-
+-'dir-or-file-in-mnt',
+-'''A file in the package is located in /mnt. It's not permitted
+-for packages to install files in this directory.''',
+-
+-'dir-or-file-in-opt',
+-'''A file in the package is located in /opt. It's not permitted
+-for packages to install files in this directory.''',
+-
+-'dir-or-file-in-usr-local',
+-'''A file in the package is located in /usr/local. It's not permitted
+-for packages to install files in this directory.''',
+-
+-'dir-or-file-in-var-local',
+-'''A file in the package is located in /var/local. It's not permitted
+-for packages to install files in this directory.''',
+-
+-'non-ghost-in-var-run',
+-'''A file or directory in the package is located in /var/run. Files installed
+-in this directory should be marked as %ghost and created at runtime to work
+-properly in tmpfs /var/run setups.''',
+-
+-'non-ghost-in-var-lock',
+-'''A file or directory in the package is located in /var/lock. Files installed
++'non-ghost-in-run',
++'''A file or directory in the package is located in /run. Files installed
+ in this directory should be marked as %ghost and created at runtime to work
+-properly in tmpfs /var/lock setups.''',
++properly in tmpfs /run setups.''',
+
+ 'subdir-in-bin',
+ '''The package contains a subdirectory in /usr/bin. It's not permitted to
+@@ -1505,10 +1485,6 @@ create a subdir there. Create it in /usr
+ by an editor or resulting from applying unclean (fuzzy, or ones with line
+ offsets) patches.''',
+
+-'dir-or-file-in-home',
+-'''A file in the package is located in /home. It's not permitted
+-for packages to install files in this directory.''',
+-
+ 'version-control-internal-file',
+ '''You have included file(s) internally used by a version control system
+ in the package. Move these files out of the package and rebuild it.''',
+@@ -1832,6 +1808,13 @@ as part of the example documentation mea
+ use it and setup a insecure configuration.'''
+ )
+
++for i in disallowed_dirs:
++ addDetails('dir-or-file-in-%s' % '-'.join(i.split('/')[1:]),
++ '''A file in the package is located in %s. It's not permitted
++for packages to install files in this directory.''' % i)
++
++
++
+ # FilesCheck.py ends here
+
+ # Local variables:
+Index: rpmlint-1.5/config
+===================================================================
+--- rpmlint-1.5.orig/config
++++ rpmlint-1.5/config
+@@ -126,6 +126,10 @@ from Config import *
+ # Type: tuple of strings, see DEFAULT_STANDARD_USERS in FilesCheck
+ #setOption("StandardUsers", ())
+
++# List of directory prefixes that are not allowed in packages
++# Type: tuple of strings, see DEFAULT_DISALLOWED_DIRS in FilesCheck
++#setOption("DisallowedDirs", ('/home', '/mnt'))
++
+ # List of directories considered to be system default library search paths.
+ # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
+ #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
diff --git a/rpmlint.changes b/rpmlint.changes
index 853a12d..559dcbf 100644
--- a/rpmlint.changes
+++ b/rpmlint.changes
@@ -1,7 +1,13 @@ +------------------------------------------------------------------- +Mon May 5 15:17:24 UTC 2014 - lnussel@suse.de + +- disallow /var/run and /var/lock + ------------------------------------------------------------------- Fri Apr 25 08:50:00 UTC 2014 - evilissimo@redhat.com - adding ovirtagent standard user and standard group names (uid/gid 175) + ------------------------------------------------------------------- Tue Apr 22 06:04:00 UTC 2014 - krahmer@suse.com
diff --git a/rpmlint.spec b/rpmlint.spec
index 4ba4d4c..894401e 100644
--- a/rpmlint.spec
+++ b/rpmlint.spec
@@ -128,6 +128,8 @@ Patch94: suse-ignore-specfile-errors.diff Patch95: invalid-filerequires.diff Patch96: rpmlint-decode-fix.diff Patch97: rpmlint-fix-unexpanded-macros-for-array-values.patch +# PATCH-FIX-UPSTREAM: lnussel@suse.de - disallow /var/run and /var/lock +Patch98: rpmlint-1.5-disallow-var-run-and-var-lock.diff %py_requires
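Review bot: The new prefix test in the dir-or-file-in-* loop, `if f.startswith(i):`, matches any path that merely begins with the directory string, so an entry like `/opt` also reports a constructed path such as `/optdata/x`, and `/tmp` reports `/tmpxyz`; the replaced code compared against `'/%s/' % ...` and `^(/var|/usr)?/tmp/`, i.e. it required the separator. The check should be `if f.startswith(i + '/'):`, adding `or f == i` only if the directory entry itself is meant to be reported, which the old code did not do. The same `'-'.join(i.split('/')[1:])` id derivation, used here and in the addDetails loop near the end of FilesCheck.py, assumes a configured entry has a leading slash and no trailing slash; a one-line comment in the config example, `# entries are absolute paths without a trailing slash`, would document that. The definition of `tmp_regex` is removed; if it is referenced elsewhere in FilesCheck.py the module will fail at import time, which the hunks shown cannot settle. The enclosing FilesCheck method starts and ends outside the hunk.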
@@ -208,6 +210,7 @@ source packages can be checked. %patch95 %patch96 -p1 %patch97 -p1 +%patch98 -p1 cp -p %{SOURCE2} . # Only move top-level python files chmod 0755 rpmlint-checks-master/*.py