Accepting request 70089 from devel:openSUSE:Factory:rpmlint

- don't filter non-standard-gid anymore - add dir-or-file-in-var-lock check - remove 'nobody' from standard users - add not-a-position-independent-executable check OBS-URL: https://build.opensuse.org/request/show/70089 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=111
2011-05-16 09:33:32 +00:00 · 2011-05-16 09:33:32 +00:00 · b273e49f97
commit b273e49f97
parent 097f1118dc 65422f23e3
8 changed files with 365 additions and 23 deletions
--- a/BashismsCheck.py
+++ b/BashismsCheck.py
@ -28,9 +28,12 @@ class BashismsCheck(AbstractCheck.AbstractFilesCheck):
                status, output = Pkg.getstatusoutput(["dash", "-n", filename])
                if status == 2:
                    printWarning(pkg, "bin-sh-syntax-error", filename)
-                status, output = Pkg.getstatusoutput(["checkbashisms", filename])
-                if status == 1:
-                    printInfo(pkg, "potential-bashisms", filename)
+                try:
+                    status, output = Pkg.getstatusoutput(["checkbashisms", filename])
+                    if status == 1:
+                        printInfo(pkg, "potential-bashisms", filename)
+                except Exception, x:
+                    printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':filename, 'x':x})
        finally:
            f.close()

--- a/CheckSUIDPermissions.py
+++ b/CheckSUIDPermissions.py
@ -135,6 +135,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
                    else:
                        f += '/'

+                if type == 010:
+                    if not 'shared object' in pkgfile.magic:
+                        printError(pkg, 'not-a-position-independent-executable', f)
+
                m = self.perms[f]['mode']
                o = self.perms[f]['owner']

@ -159,6 +163,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
                    else:
                        printWarning(pkg, 'permissions-directory-setuid-bit', msg)

+                    if type == 010:
+                        if not 'shared object' in pkgfile.magic:
+                            printError(pkg, 'not-a-position-independent-executable', f)
+
                if mode&02:
                    need_verifyscript = True
                    printError(pkg, 'permissions-world-writable', \
--- a/3
+++ b/3
@ -139,6 +139,7 @@ setOption('StandardGroups', (
    'pulse-rt',
    'quagga',
    'radiusd',
+    'root',
    'sabayon-admin',
    'sapdb',
    'shadow',
@ -217,7 +218,6 @@ setOption('StandardUsers', (
    'nagios',
    'named',
    'news',
-    'nobody',
    'novell_nobody',
    'novlifdr',
    'novlxregd',
@ -558,7 +558,6 @@ addFilter(" multiple-specfiles")
 addFilter(" apache2-naming-policy-not-applied")
 addFilter(" no-default-runlevel ")
 addFilter(" setgid-binary ")
-addFilter(" non-standard-gid ")
 addFilter(" non-readable ")
 addFilter(" manpage-not-bzipped ")
 addFilter(" postin-without-ghost-file-creation ")
--- a/pie.config
+++ b/pie.config
@ -0,0 +1,234 @@
+from Config import *
+
+# This file should list daemons and programs that are likely to be set setuid
+# by users. Files listed in permissions.eays are automatically checked.
+
+setOption("PieExecutables",
+(
+"/bin/ping",
+"/bin/ping6",
+"/bin/su",
+"/usr/bin/pidgin",
+"/sbin/arping",
+"/sbin/clockdiff",
+"/sbin/dhclient",
+"/sbin/dhcpcd",
+"/sbin/klogd",
+"/sbin/rpcbind",
+"/sbin/syslogd",
+"/sbin/tracepath",
+"/sbin/tracepath6",
+"/usr/bin/uniconv",
+"/usr/bin/achfile",
+"/usr/bin/adv1tov2",
+"/usr/bin/aecho",
+"/usr/bin/afile",
+"/usr/bin/afppasswd",
+"/usr/bin/at",
+"/usr/bin/cadaver",
+"/usr/bin/chage",
+"/usr/bin/chfn",
+"/usr/bin/chsh",
+"/usr/bin/ciptool",
+"/usr/bin/cnid_index",
+"/usr/bin/dig",
+"/usr/bin/dund",
+"/usr/bin/expiry",
+"/usr/bin/finger",
+"/usr/bin/getzones",
+"/usr/bin/gpasswd",
+"/usr/bin/gpg",
+"/usr/bin/gpgsplit",
+"/usr/bin/gpgv",
+"/usr/bin/hcitool",
+"/usr/bin/hidd",
+"/usr/bin/host",
+"/usr/bin/htpasswd",
+"/usr/bin/l2ping",
+"/usr/bin/lppasswd",
+"/usr/bin/megatron",
+"/usr/bin/nbplkup",
+"/usr/bin/nbprgstr",
+"/usr/bin/nbpunrgstr",
+"/usr/bin/ncplogin",
+"/usr/bin/ncpmap",
+"/usr/bin/net",
+"/usr/bin/newgrp",
+"/usr/bin/nmblookup",
+"/usr/bin/nslookup",
+"/usr/bin/nsupdate",
+"/usr/bin/nwsfind",
+"/usr/bin/omshell",
+"/usr/bin/pand",
+"/usr/bin/pap",
+"/usr/bin/papstatus",
+"/usr/bin/passwd",
+"/usr/bin/pdbedit",
+"/usr/bin/profiles",
+"/usr/bin/psorder",
+"/usr/bin/rcp",
+"/usr/bin/rexec",
+"/usr/bin/rfcomm",
+"/usr/bin/rlogin",
+"/usr/bin/rpcclient",
+"/usr/bin/rsh",
+"/usr/bin/scp",
+"/usr/bin/sdptool",
+"/usr/bin/sftp",
+"/usr/bin/showppd",
+"/usr/bin/smbcacls",
+"/usr/bin/smbclient",
+"/usr/bin/smbcontrol",
+"/usr/bin/smbcquotas",
+"/sbin/mount.cifs",
+"/usr/bin/smbpasswd",
+"/usr/bin/smbspool",
+"/usr/bin/smbstatus",
+"/usr/bin/smbtree",
+"/usr/bin/ssh",
+"/usr/bin/ssh-add",
+"/usr/bin/ssh-agent",
+"/usr/bin/ssh-keygen",
+"/usr/bin/ssh-keyscan",
+"/usr/bin/svn",
+"/usr/bin/svnadmin",
+"/usr/bin/svndumpfilter",
+"/usr/bin/svnlook",
+"/usr/bin/svnserve",
+"/usr/bin/svnversion",
+"/usr/bin/talk",
+"/usr/bin/tdbbackup",
+"/usr/bin/tdbdump",
+"/usr/bin/tdbtool",
+"/usr/bin/telnet",
+"/usr/bin/testparm",
+"/usr/bin/testprns",
+"/usr/bin/timeout",
+"/usr/bin/wbinfo",
+"/usr/lib/mit/bin/ftp",
+"/usr/lib/mit/bin/gss-client",
+"/usr/lib/mit/bin/kdestroy",
+"/usr/lib/mit/bin/kinit",
+"/usr/lib/mit/bin/klist",
+"/usr/lib/mit/bin/kpasswd",
+"/usr/lib/mit/bin/krb524init",
+"/usr/lib/mit/bin/ksu",
+"/usr/lib/mit/bin/kvno",
+"/usr/lib/mit/bin/rcp",
+"/usr/lib/mit/bin/rlogin",
+"/usr/lib/mit/bin/rsh",
+"/usr/lib/mit/bin/sclient",
+"/usr/lib/mit/bin/sim_client",
+"/usr/lib/mit/bin/telnet",
+"/usr/lib/mit/bin/uuclient",
+"/usr/lib/mit/bin/v4rcp",
+"/usr/lib/mit/sbin/ftpd",
+"/usr/lib/mit/sbin/gss-server",
+"/usr/lib/mit/sbin/kadmin",
+"/usr/lib/mit/sbin/kadmin.local",
+"/usr/lib/mit/sbin/kadmind",
+"/usr/lib/mit/sbin/kdb5_util",
+"/usr/lib/mit/sbin/klogind",
+"/usr/lib/mit/sbin/kprop",
+"/usr/lib/mit/sbin/kpropd",
+"/usr/lib/mit/sbin/krb524d",
+"/usr/lib/mit/sbin/krb5kdc",
+"/usr/lib/mit/sbin/kshd",
+"/usr/lib/mit/sbin/ktutil",
+"/usr/lib/mit/sbin/login.krb5",
+"/usr/lib/mit/sbin/sim_server",
+"/usr/lib/mit/sbin/sserver",
+"/usr/lib/mit/sbin/telnetd",
+"/usr/lib/mit/sbin/uuserver",
+"/usr/lib/news/bin/innd",
+"/usr/lib/news/bin/innbind",
+"/usr/lib/news/bin/rnews",
+"/usr/sbin/afpd",
+"/usr/sbin/amcheck",
+"/usr/sbin/amdd",
+"/usr/sbin/atalkd",
+"/usr/sbin/atd",
+"/usr/sbin/automount",
+"/usr/sbin/chat",
+"/usr/sbin/cnid_dbd",
+"/usr/sbin/cnid_metad",
+"/usr/sbin/cron",
+"/usr/sbin/cupsd",
+"/usr/sbin/dhcpd",
+"/usr/sbin/dhcrelay",
+"/usr/sbin/dnssec-keygen",
+"/usr/sbin/dnssec-signzone",
+"/usr/sbin/exim",
+"/usr/sbin/hciattach",
+"/usr/sbin/bluetoothd",
+"/usr/sbin/hciconfig",
+"/usr/sbin/hid2hci",
+"/usr/sbin/httpd2",
+"/usr/sbin/httpd2-prefork",
+"/usr/sbin/httpd2-worker",
+"/usr/sbin/in.fingerd",
+"/usr/sbin/in.ntalkd",
+"/usr/sbin/in.rexecd",
+"/usr/sbin/in.rlogind",
+"/usr/sbin/in.rshd",
+"/usr/sbin/in.telnetd",
+"/usr/sbin/irqbalance",
+"/usr/sbin/lwresd",
+"/usr/sbin/mailstats",
+"/usr/sbin/makemap",
+"/usr/sbin/named",
+"/usr/sbin/named-checkconf",
+"/usr/sbin/named-checkzone",
+"/usr/sbin/nmbd",
+"/usr/sbin/nscd",
+"/usr/sbin/ntlm_auth",
+"/usr/sbin/ntp-keygen",
+"/usr/sbin/ntpd",
+"/usr/sbin/ntpdc",
+"/usr/sbin/ntpq",
+"/usr/sbin/ntptime",
+"/usr/sbin/openvpn",
+"/usr/sbin/papd",
+"/usr/sbin/postfix",
+"/usr/sbin/pppd",
+"/usr/sbin/praliases",
+"/usr/sbin/radiusd",
+"/usr/sbin/rarpd",
+"/usr/sbin/rndc",
+"/usr/sbin/rndc-confgen",
+"/usr/sbin/rotatelogs2",
+"/usr/sbin/rpc.mountd",
+"/usr/sbin/rpc.nfsd",
+"/usr/sbin/rpc.rquotad",
+"/usr/sbin/rpc.rwalld",
+"/usr/sbin/rpc.yppasswdd",
+"/usr/sbin/rpc.ypxfrd",
+"/usr/sbin/safe_finger",
+"/usr/sbin/sendmail",
+"/usr/lib/sudo/sesh",
+"/usr/lib/openldap/slapd",
+"/usr/sbin/smartctl",
+"/usr/sbin/smartd",
+"/usr/sbin/smbd",
+"/usr/sbin/snmpd",
+"/usr/sbin/snmptrapd",
+"/usr/sbin/squid",
+"/usr/sbin/squidclient",
+"/usr/sbin/sshd",
+"/usr/sbin/stunnel",
+"/usr/sbin/suexec2",
+"/usr/sbin/tcpd",
+"/usr/sbin/tickadj",
+"/usr/sbin/traceroute",
+"/usr/sbin/traceroute6",
+"/usr/sbin/try-from",
+"/usr/sbin/utempter",
+"/usr/sbin/visudo",
+"/usr/sbin/vsftpd",
+"/usr/sbin/winbindd",
+"/usr/sbin/xinetd",
+"/usr/sbin/yppush",
+"/usr/sbin/ypserv",
+"/usr/bin/zone2ldap",
+)
+)
--- a/rpmlint-pie.diff
+++ b/rpmlint-pie.diff
@ -0,0 +1,68 @@
+From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Mon, 9 May 2011 11:54:48 +0200
+Subject: [PATCH] check for position independent executables
+
+---
+ BinariesCheck.py |   11 +++++++++++
+ config           |    4 ++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
+
+Index: rpmlint-1.1/BinariesCheck.py
+===================================================================
+--- rpmlint-1.1.orig/BinariesCheck.py
+++ rpmlint-1.1/BinariesCheck.py
+@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = (
+     '/lib', '/usr/lib', '/usr/X11R6/lib',
+     '/lib64', '/usr/lib64', '/usr/X11R6/lib64')
+ 
+DEFAULT_PIE_EXECUTABLES = (
+)
+
+ class BinaryInfo:
+ 
+     needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]')
+@@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\.
+ validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$')
+ sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC')
+ system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS)
+pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES)
+ usr_lib_regex = re.compile('^/usr/lib(64)?/')
+ bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/')
+ soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*')
+@@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra
+             if not is_exec and not is_shobj:
+                 continue
+ 
+            if fname in pie_executables and not is_shobj:
+                printError(pkg, 'not-a-position-independent-executable', fname)
+
+             if is_exec:
+ 
+                 if bin_regex.search(fname):
+@@ -598,6 +605,10 @@ that use prelink, make sure that prelink
+ placing a blacklist file in /etc/prelink.conf.d.  For more information, see
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''',
+ 
+'not-a-position-independent-executable',
+'''As per distribution policy the binary must be position independent. Add
+-fPIE to CFLAGS and -pie to LDFLAGS'''
+
+ 'unstripped-binary-or-object',
+ '''stripping debug info from binaries happens automatically according to global
+ project settings. So there's normally no need to manually strip binaries.
+Index: rpmlint-1.1/config
+===================================================================
+--- rpmlint-1.1.orig/config
+++ rpmlint-1.1/config
+@@ -130,6 +130,10 @@ from Config import *
+ # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
+ #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
+ 
+# List of binaries that must be position independent executables
+# Type: tuple of strings, default: empty
+#setOption("PieExecutables", ('/bin/ping', '/bin/su'))
+
+ # Whether to want default start/stop runlevels specified in init scripts.
+ # Type: boolean, default: True
+ #setOption("UseDefaultRunlevels", True)
--- a/rpmlint.changes
+++ b/rpmlint.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed May 11 11:25:33 UTC 2011 - lnussel@suse.de
+
+- don't filter non-standard-gid anymore
+- add dir-or-file-in-var-lock check
+- remove 'nobody' from standard users
+
+-------------------------------------------------------------------
+Tue May 10 11:38:05 UTC 2011 - lnussel@suse.de
+
+- add not-a-position-independent-executable check
+
 -------------------------------------------------------------------
 Thu May  5 07:15:39 UTC 2011 - lnussel@suse.de

--- a/rpmlint.spec
+++ b/rpmlint.spec
@ -49,6 +49,7 @@ Source20:       rpmgroups.config
 Source21:       BashismsCheck.py
 Source22:       CheckGNOMEMacros.py
 Source23:       CheckBuildDate.py
+Source24:       pie.config
 Source100:      syntax-validator.py
 Url:            http://rpmlint.zarb.org/
 License:        GPLv2+
@ -124,6 +125,7 @@ Patch86:        suse-rclink-check.diff
 # already upstream
 Patch87:        rpmlint-add-details.diff
 Patch88:        suse-speccheck-utf8.diff
+Patch89:        rpmlint-pie.diff
 %py_requires

 %description
@ -150,7 +152,7 @@ Authors:
 %patch8
 %patch9
 #%patch10
-%patch11
+%patch11 -p1
 %patch12
 %patch13
 %patch14
@ -203,6 +205,7 @@ Authors:
 %patch86
 %patch87 -p1
 %patch88
+%patch89 -p1
 cp -p %{SOURCE1} .
 cp -p %{SOURCE2} .
 cp -p %{SOURCE3} .
@ -238,6 +241,7 @@ head -n 8 $RPM_BUILD_ROOT/usr/share/rpmlint/config > $RPM_BUILD_ROOT/etc/rpmlint
 # make sure that the package is sane
 python -tt %{SOURCE100} $RPM_BUILD_ROOT/usr/share/rpmlint/*.py $RPM_BUILD_ROOT/usr/share/rpmlint/config
 %__install -m 644 %{SOURCE20} %{buildroot}/%{_sysconfdir}/rpmlint/
+%__install -m 644 %{SOURCE24} %{buildroot}/%{_sysconfdir}/rpmlint/

 %clean
 rm -rf $RPM_BUILD_ROOT
@ -249,6 +253,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_prefix}/share/rpmlint
 %config(noreplace) /etc/rpmlint/config
 %config %{_sysconfdir}/rpmlint/rpmgroups.config
+%config %{_sysconfdir}/rpmlint/pie.config
 %dir /etc/rpmlint
 /usr/share/man/man1/rpmlint.1.gz

--- a/suse-file-var-run.diff
+++ b/suse-file-var-run.diff
@ -1,35 +1,48 @@
-Index: FilesCheck.py
-===================================================================
--- FilesCheck.py.orig
-+++ FilesCheck.py
-@@ -901,7 +901,7 @@ class FilesCheck(AbstractCheck.AbstractC
-                     is_kernel_package:
-                 printError(pkg, "kernel-modules-not-in-kernel-packages", f)
- 
-            if tmp_regex.search(f):
-+            if tmp_regex.search(f) and f not in ghost_files:
-                 printError(pkg, 'dir-or-file-in-tmp', f)
-             elif f.startswith('/mnt/'):
-                 printError(pkg, 'dir-or-file-in-mnt', f)
-@@ -911,6 +911,8 @@ class FilesCheck(AbstractCheck.AbstractC
+From 811469ebe70ea65029d64ae2e7bc6e9828f59c9e Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Wed, 11 May 2011 13:15:22 +0200
+Subject: [PATCH] check for files in /var/run and /var/lock
+
+nowadays /var/run and /var/lock move to using tmpfs so disallow
+packaging files there
+---
+ FilesCheck.py |   16 ++++++++++++++++
+ 1 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/FilesCheck.py b/FilesCheck.py
+index a82b4b8..0f43927 100644
+--- a/FilesCheck.py
+++ b/FilesCheck.py
+@@ -443,6 +443,10 @@ class FilesCheck(AbstractCheck.AbstractCheck):
                 printError(pkg, 'dir-or-file-in-usr-local', f)
             elif f.startswith('/var/local/'):
                 printError(pkg, 'dir-or-file-in-var-local', f)
 +            elif f.startswith('/var/run/') and f not in ghost_files:
 +                printError(pkg, 'dir-or-file-in-var-run', f)
+            elif f.startswith('/var/lock/'):
+                printError(pkg, 'dir-or-file-in-var-lock', f)
             elif sub_bin_regex.search(f):
                 printError(pkg, 'subdir-in-bin', f)
             elif f.startswith('/home/'):
-@@ -1478,6 +1480,12 @@ for packages to install files in this di
+@@ -1019,6 +1023,18 @@ for packages to install files in this directory.''',
 '''A file in the package is located in /var/local. It's not permitted
 for packages to install files in this directory.''',
 
 +'dir-or-file-in-var-run',
 +'''A file or directory in the package is located in /var/run. It's not
 +permitted for packages to install files in this directory as it might
-+be created as tmpfs during boot. Modify your package to create the 
-+necessary files during runtime.''',
+be created as tmpfs during boot. Mark the files in question as %ghost and
+create them at run time instead.''',
+
+'dir-or-file-in-var-lock',
+'''A file or directory in the package is located in /var/lock. It's
+not permitted for packages to install files in this directory as it
+is a) reserved for legacy device lock files and b) might be created
+as tmpfs during boot.''',
 +
 'subdir-in-bin',
 '''The package contains a subdirectory in /usr/bin. It's not permitted to
 create a subdir there. Create it in /usr/lib/ instead.''',
+-- 
+1.7.3.4
+