diff --git a/CheckBuildDate.py b/CheckBuildDate.py
index 67677d1..3850bf8 100644
--- a/CheckBuildDate.py
+++ b/CheckBuildDate.py
@@ -30,13 +30,13 @@ class BuildDateCheck(AbstractCheck.AbstractFilesCheck):
 grep_date = pkg.grep(self.istoday, filename)
- if len(grep_date):
- printWarning(pkg, "file-contains-current-date", filename)
-
 grep_time = pkg.grep(self.looksliketime, filename)
- if len(grep_date) and len(grep_time):
- printError(pkg, "file-contains-date-and-time", filename)
+ if len(grep_date):
+ if len(grep_time):
+ printError(pkg, "file-contains-date-and-time", filename)
+ else:
+ printWarning(pkg, "file-contains-current-date", filename)
 check=BuildDateCheck()
diff --git a/CheckPolkitPrivs.py b/CheckPolkitPrivs.py
index 7219e78..9097c96 100644
--- a/CheckPolkitPrivs.py
+++ b/CheckPolkitPrivs.py
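Review bot: In the CheckBuildDate.py hunk, `grep_time = pkg.grep(self.looksliketime, filename)` is still evaluated for every file although its result is now read only inside `if len(grep_date):`. Moving the call into that branch, directly above `if len(grep_time):`, would avoid the second scan for files that contain no current date; this assumes `pkg.grep` has no side effect the rest of the method relies on. The enclosing method starts and ends outside the hunk.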
@@ -77,37 +77,50 @@ class PolkitCheck(AbstractCheck.AbstractCheck):
 try:
 if f.startswith("/usr/share/PolicyKit/policy/")\
 or f.startswith("/usr/share/polkit-1/actions/"):
- f = pkg.dirName() + f
- xml = parse(f)
+ xml = parse(pkg.dirName() + f)
 for a in xml.getElementsByTagName("action"):
 action = a.getAttribute('id')
 if not action in self.privs:
 iserr = 0
 foundno = 0
- anyseen = 0
+ foundundef = 0
+ settings = {}
 try:
 defaults = a.getElementsByTagName("defaults")[0]
 for i in defaults.childNodes:
 if not i.nodeType == i.ELEMENT_NODE:
 continue
- if i.nodeName == 'allow_any':
- anyseen = 1
- if i.firstChild.data.find("auth_admin") != 0:
- if i.firstChild.data == 'no':
- foundno = 1
- else:
- iserr = 1
+
+ if i.nodeName in ('allow_any', 'allow_inactive', 'allow_active'):
+ settings[i.nodeName] = i.firstChild.data
+
 except:
 iserr = 1
- if iserr:
- printError(pkg, 'polkit-unauthorized-privilege', action)
- else:
- printInfo(pkg, 'polkit-unauthorized-privilege', action)
+ for i in ('allow_any', 'allow_inactive', 'allow_active'):
+ if not i in settings:
+ foundundef = 1
+ settings[i] = '??'
+ elif settings[i].find("auth_admin") != 0:
+ if settings[i] == 'no':
+ foundno = 1
+ else:
+ iserr = 1
- if foundno or not anyseen:
- printWarning(pkg, 'polkit-cant-acquire-privilege', action)
- except:
+ if iserr:
+ printError(pkg, 'polkit-unauthorized-privilege', '%s (%s:%s:%s)' % (action, \
+ settings['allow_any'], settings['allow_inactive'], settings['allow_active']))
+ else:
+ printInfo(pkg, 'polkit-untracked-privilege', '%s (%s:%s:%s)' % (action, \
+ settings['allow_any'], settings['allow_inactive'], settings['allow_active']))
+
+ if foundno or foundundef:
+ printInfo(pkg,
+ 'polkit-cant-acquire-privilege', '%s (%s:%s:%s)' % (action, \
+ settings['allow_any'], settings['allow_inactive'], settings['allow_active']))
+
+ except Exception, x:
+ printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':f, 'x':x})
 continue
 check=PolkitCheck()
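Review bot: In the `defaults` loop, `settings[i.nodeName] = i.firstChild.data` raises on an empty element such as `<allow_active/>`, and the surrounding bare `except:` then sets `iserr` and abandons the remaining children, so the `(any:inactive:active)` triple in the message can show `??` for values that are present in the file. Reading the value defensively, e.g. `settings[i.nodeName] = i.firstChild.data if i.firstChild is not None else ''`, keeps the result an error (an empty string does not start with `auth_admin`) while reporting what the file actually contains. A missing element only sets `foundundef` and is never an error on its own; a comment such as `# absent allow_* is assumed to mean "not authorized"; confirm against polkit's defaults` would record that assumption next to the second loop. The enclosing method starts outside the hunk.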
@@ -119,10 +132,18 @@ if Config.info:
 please open a bug report to request review of the package by the security team""",
 'polkit-unauthorized-privilege',
-"""If the package is intended for inclusion in any SUSE product
-please open a bug report to request review of the package by the
-security team""",
+"""The package allows unprivileged users to carry out privileged
+operations without authentication. This could cause security
+problems if not done carefully. If the package is intended for
+inclusion in any SUSE product please open a bug report to request
+review of the package by the security team""",
+'polkit-untracked-privilege',
+"""The privilege is not listed in /etc/polkit-default-privs.*
+which makes it harder for admins to find. If the package is intended
+for inclusion in any SUSE product please open a bug report to
+request review of the package by the security team""",
 'polkit-cant-acquire-privilege',
 """Usability can be improved by allowing users to acquire privileges via authentication. Use e.g. 'auth_admin' instead of 'no' and make
-sure to define 'allow_any'.""")
+sure to define 'allow_any'. This is an issue only if the privilege
+is not listed in /etc/polkit-default-privs.*""")
diff --git a/rpmlint.changes b/rpmlint.changes
index f390982..30fffa7 100644
--- a/rpmlint.changes
+++ b/rpmlint.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jun 7 15:03:54 UTC 2011 - lnussel@suse.de
+
+- CheckPolkitPrivs.py: use different tag for non-fatal issues
+- CheckBuildDate.py: print either file-contains-current-date or
+ file-contains-current-date but not both
+
 -------------------------------------------------------------------
 Tue May 31 11:29:52 UTC 2011 - lnussel@suse.de
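Review bot: In the CheckPolkitPrivs.py description hunk, the new text for `polkit-unauthorized-privilege` says the operation is allowed "without authentication", but the check raises this tag for every value that is neither `no` nor prefixed with `auth_admin`, which includes `auth_self` (the user still authenticates, only not as an admin) and the path where parsing `defaults` fails. Wording such as `operations without admin authentication` would match what the check actually tests. The `rpmlint-exception` tag used by the same commit gets no description in this hunk; if none exists elsewhere, one should be added. The tuple these strings belong to starts outside the hunk.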