diff --git a/BashismsCheck.py b/BashismsCheck.py
index d6bfe7a..000ae9c 100644
--- a/BashismsCheck.py
+++ b/BashismsCheck.py
@@ -28,9 +28,12 @@ class BashismsCheck(AbstractCheck.AbstractFilesCheck):
 status, output = Pkg.getstatusoutput(["dash", "-n", filename])
 if status == 2:
 printWarning(pkg, "bin-sh-syntax-error", filename)
- status, output = Pkg.getstatusoutput(["checkbashisms", filename])
- if status == 1:
- printInfo(pkg, "potential-bashisms", filename)
+ try:
+ status, output = Pkg.getstatusoutput(["checkbashisms", filename])
+ if status == 1:
+ printInfo(pkg, "potential-bashisms", filename)
+ except Exception, x:
+ printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':filename, 'x':x})
 finally:
 f.close()
diff --git a/CheckSUIDPermissions.py b/CheckSUIDPermissions.py
index 112b568..5255d54 100644
--- a/CheckSUIDPermissions.py
+++ b/CheckSUIDPermissions.py
@@ -135,6 +135,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
 else:
 f += '/'
+ if type == 010:
+ if not 'shared object' in pkgfile.magic:
+ printError(pkg, 'not-a-position-independent-executable', f)
+
 m = self.perms[f]['mode']
 o = self.perms[f]['owner']
@@ -159,6 +163,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
 else:
 printWarning(pkg, 'permissions-directory-setuid-bit', msg)
+ if type == 010:
+ if not 'shared object' in pkgfile.magic:
+ printError(pkg, 'not-a-position-independent-executable', f)
+
 if mode&02:
 need_verifyscript = True
 printError(pkg, 'permissions-world-writable', \
diff --git a/config b/config
index e3ae6c8..d411ca2 100644
--- a/config
+++ b/config
@@ -139,6 +139,7 @@ setOption('StandardGroups', (
 'pulse-rt',
 'quagga',
 'radiusd',
+ 'root',
 'sabayon-admin',
 'sapdb',
 'shadow',
@@ -217,7 +218,6 @@ setOption('StandardUsers', (
 'nagios',
 'named',
 'news',
- 'nobody',
 'novell_nobody',
 'novlifdr',
 'novlxregd',
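Review bot: The new `except Exception, x:` around the `checkbashisms` call reports any failure of the checking host as an `rpmlint-exception` error charged to the package, presumably including the OSError raised when `checkbashisms` is simply not installed, while the `dash -n` call three lines earlier gets no guard at all, so a missing `dash` still aborts the whole check. Catch only what you expect, `except OSError, x:`, or move the `try:` up so both external invocations are handled the same way, and have the message name the tool that failed. The enclosing method and the outer `try:` that owns the `finally:` start before the hunk.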
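Review bot: The added block reports `not-a-position-independent-executable` for every whitelisted regular file whose libmagic string lacks `shared object`, so a non-ELF entry such as a script would be flagged as a non-PIE binary instead of being skipped; test for ELF first, `if type == 010 and 'ELF' in pkgfile.magic and 'shared object' not in pkgfile.magic:`. The `shared object` substring is a heuristic on file(1)'s wording for PIE binaries, so a one-line comment, `# file(1) describes PIE executables as 'shared object'; a wording change inverts this test`, would keep a future false-positive storm from being misread as real policy violations. The loop and the `if`/`else` this sits in start outside the hunk.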
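Review bot: This three-line block is byte-identical to the one added in the hunk above (around line 138), so the PIE heuristic now lives in two places and a fix to one will be forgotten in the other. Hoist it into a helper such as `def _check_pie(self, pkg, pkgfile, f):` that carries the `type == 010` and `'shared object'` tests, and call it from both sites. Judging from the neighbouring `permissions-directory-setuid-bit` and `permissions-world-writable` messages this branch handles special-bit files not covered by the whitelist, but the enclosing `if` starts before the hunk, so that is an inference.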
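Review bot: Removing `nobody` from StandardUsers means a package that installs files owned by `nobody` will, presumably, now fail with `non-standard-uid`, and nothing in the config says this is intended rather than an accidental omission. Add a comment to the list, for instance `# 'nobody' is deliberately not listed: it is a shared unprivileged account, no package should own files as it`, so the entry is not simply re-added on the next complaint. The changelog entry in this commit records the change but not the reason.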
@@ -558,7 +558,6 @@ addFilter(" multiple-specfiles")
 addFilter(" apache2-naming-policy-not-applied")
 addFilter(" no-default-runlevel ")
 addFilter(" setgid-binary ")
-addFilter(" non-standard-gid ")
 addFilter(" non-readable ")
 addFilter(" manpage-not-bzipped ")
 addFilter(" postin-without-ghost-file-creation ")
diff --git a/pie.config b/pie.config
new file mode 100644
index 0000000..18391c6
--- /dev/null
+++ b/pie.config
@@ -0,0 +1,234 @@
+from Config import *
+
+# This file should list daemons and programs that are likely to be set setuid
+# by users. Files listed in permissions.eays are automatically checked.
+
+setOption("PieExecutables",
+(
+"/bin/ping",
+"/bin/ping6",
+"/bin/su",
+"/usr/bin/pidgin",
+"/sbin/arping",
+"/sbin/clockdiff",
+"/sbin/dhclient",
+"/sbin/dhcpcd",
+"/sbin/klogd",
+"/sbin/rpcbind",
+"/sbin/syslogd",
+"/sbin/tracepath",
+"/sbin/tracepath6",
+"/usr/bin/uniconv",
+"/usr/bin/achfile",
+"/usr/bin/adv1tov2",
+"/usr/bin/aecho",
+"/usr/bin/afile",
+"/usr/bin/afppasswd",
+"/usr/bin/at",
+"/usr/bin/cadaver",
+"/usr/bin/chage",
+"/usr/bin/chfn",
+"/usr/bin/chsh",
+"/usr/bin/ciptool",
+"/usr/bin/cnid_index",
+"/usr/bin/dig",
+"/usr/bin/dund",
+"/usr/bin/expiry",
+"/usr/bin/finger",
+"/usr/bin/getzones",
+"/usr/bin/gpasswd",
+"/usr/bin/gpg",
+"/usr/bin/gpgsplit",
+"/usr/bin/gpgv",
+"/usr/bin/hcitool",
+"/usr/bin/hidd",
+"/usr/bin/host",
+"/usr/bin/htpasswd",
+"/usr/bin/l2ping",
+"/usr/bin/lppasswd",
+"/usr/bin/megatron",
+"/usr/bin/nbplkup",
+"/usr/bin/nbprgstr",
+"/usr/bin/nbpunrgstr",
+"/usr/bin/ncplogin",
+"/usr/bin/ncpmap",
+"/usr/bin/net",
+"/usr/bin/newgrp",
+"/usr/bin/nmblookup",
+"/usr/bin/nslookup",
+"/usr/bin/nsupdate",
+"/usr/bin/nwsfind",
+"/usr/bin/omshell",
+"/usr/bin/pand",
+"/usr/bin/pap",
+"/usr/bin/papstatus",
+"/usr/bin/passwd",
+"/usr/bin/pdbedit",
+"/usr/bin/profiles",
+"/usr/bin/psorder",
+"/usr/bin/rcp",
+"/usr/bin/rexec",
+"/usr/bin/rfcomm",
+"/usr/bin/rlogin",
+"/usr/bin/rpcclient",
+"/usr/bin/rsh",
+"/usr/bin/scp",
+"/usr/bin/sdptool",
+"/usr/bin/sftp",
+"/usr/bin/showppd",
+"/usr/bin/smbcacls",
+"/usr/bin/smbclient",
+"/usr/bin/smbcontrol",
+"/usr/bin/smbcquotas",
+"/sbin/mount.cifs",
+"/usr/bin/smbpasswd",
+"/usr/bin/smbspool",
+"/usr/bin/smbstatus",
+"/usr/bin/smbtree",
+"/usr/bin/ssh",
+"/usr/bin/ssh-add",
+"/usr/bin/ssh-agent",
+"/usr/bin/ssh-keygen",
+"/usr/bin/ssh-keyscan",
+"/usr/bin/svn",
+"/usr/bin/svnadmin",
+"/usr/bin/svndumpfilter",
+"/usr/bin/svnlook",
+"/usr/bin/svnserve",
+"/usr/bin/svnversion",
+"/usr/bin/talk",
+"/usr/bin/tdbbackup",
+"/usr/bin/tdbdump",
+"/usr/bin/tdbtool",
+"/usr/bin/telnet",
+"/usr/bin/testparm",
+"/usr/bin/testprns",
+"/usr/bin/timeout",
+"/usr/bin/wbinfo",
+"/usr/lib/mit/bin/ftp",
+"/usr/lib/mit/bin/gss-client",
+"/usr/lib/mit/bin/kdestroy",
+"/usr/lib/mit/bin/kinit",
+"/usr/lib/mit/bin/klist",
+"/usr/lib/mit/bin/kpasswd",
+"/usr/lib/mit/bin/krb524init",
+"/usr/lib/mit/bin/ksu",
+"/usr/lib/mit/bin/kvno",
+"/usr/lib/mit/bin/rcp",
+"/usr/lib/mit/bin/rlogin",
+"/usr/lib/mit/bin/rsh",
+"/usr/lib/mit/bin/sclient",
+"/usr/lib/mit/bin/sim_client",
+"/usr/lib/mit/bin/telnet",
+"/usr/lib/mit/bin/uuclient",
+"/usr/lib/mit/bin/v4rcp",
+"/usr/lib/mit/sbin/ftpd",
+"/usr/lib/mit/sbin/gss-server",
+"/usr/lib/mit/sbin/kadmin",
+"/usr/lib/mit/sbin/kadmin.local",
+"/usr/lib/mit/sbin/kadmind",
+"/usr/lib/mit/sbin/kdb5_util",
+"/usr/lib/mit/sbin/klogind",
+"/usr/lib/mit/sbin/kprop",
+"/usr/lib/mit/sbin/kpropd",
+"/usr/lib/mit/sbin/krb524d",
+"/usr/lib/mit/sbin/krb5kdc",
+"/usr/lib/mit/sbin/kshd",
+"/usr/lib/mit/sbin/ktutil",
+"/usr/lib/mit/sbin/login.krb5",
+"/usr/lib/mit/sbin/sim_server",
+"/usr/lib/mit/sbin/sserver",
+"/usr/lib/mit/sbin/telnetd",
+"/usr/lib/mit/sbin/uuserver",
+"/usr/lib/news/bin/innd",
+"/usr/lib/news/bin/innbind",
+"/usr/lib/news/bin/rnews",
+"/usr/sbin/afpd",
+"/usr/sbin/amcheck",
+"/usr/sbin/amdd",
+"/usr/sbin/atalkd",
+"/usr/sbin/atd",
+"/usr/sbin/automount",
+"/usr/sbin/chat",
+"/usr/sbin/cnid_dbd",
+"/usr/sbin/cnid_metad",
+"/usr/sbin/cron",
+"/usr/sbin/cupsd",
+"/usr/sbin/dhcpd",
+"/usr/sbin/dhcrelay",
+"/usr/sbin/dnssec-keygen",
+"/usr/sbin/dnssec-signzone",
+"/usr/sbin/exim",
+"/usr/sbin/hciattach",
+"/usr/sbin/bluetoothd",
+"/usr/sbin/hciconfig",
+"/usr/sbin/hid2hci",
+"/usr/sbin/httpd2",
+"/usr/sbin/httpd2-prefork",
+"/usr/sbin/httpd2-worker",
+"/usr/sbin/in.fingerd",
+"/usr/sbin/in.ntalkd",
+"/usr/sbin/in.rexecd",
+"/usr/sbin/in.rlogind",
+"/usr/sbin/in.rshd",
+"/usr/sbin/in.telnetd",
+"/usr/sbin/irqbalance",
+"/usr/sbin/lwresd",
+"/usr/sbin/mailstats",
+"/usr/sbin/makemap",
+"/usr/sbin/named",
+"/usr/sbin/named-checkconf",
+"/usr/sbin/named-checkzone",
+"/usr/sbin/nmbd",
+"/usr/sbin/nscd",
+"/usr/sbin/ntlm_auth",
+"/usr/sbin/ntp-keygen",
+"/usr/sbin/ntpd",
+"/usr/sbin/ntpdc",
+"/usr/sbin/ntpq",
+"/usr/sbin/ntptime",
+"/usr/sbin/openvpn",
+"/usr/sbin/papd",
+"/usr/sbin/postfix",
+"/usr/sbin/pppd",
+"/usr/sbin/praliases",
+"/usr/sbin/radiusd",
+"/usr/sbin/rarpd",
+"/usr/sbin/rndc",
+"/usr/sbin/rndc-confgen",
+"/usr/sbin/rotatelogs2",
+"/usr/sbin/rpc.mountd",
+"/usr/sbin/rpc.nfsd",
+"/usr/sbin/rpc.rquotad",
+"/usr/sbin/rpc.rwalld",
+"/usr/sbin/rpc.yppasswdd",
+"/usr/sbin/rpc.ypxfrd",
+"/usr/sbin/safe_finger",
+"/usr/sbin/sendmail",
+"/usr/lib/sudo/sesh",
+"/usr/lib/openldap/slapd",
+"/usr/sbin/smartctl",
+"/usr/sbin/smartd",
+"/usr/sbin/smbd",
+"/usr/sbin/snmpd",
+"/usr/sbin/snmptrapd",
+"/usr/sbin/squid",
+"/usr/sbin/squidclient",
+"/usr/sbin/sshd",
+"/usr/sbin/stunnel",
+"/usr/sbin/suexec2",
+"/usr/sbin/tcpd",
+"/usr/sbin/tickadj",
+"/usr/sbin/traceroute",
+"/usr/sbin/traceroute6",
+"/usr/sbin/try-from",
+"/usr/sbin/utempter",
+"/usr/sbin/visudo",
+"/usr/sbin/vsftpd",
+"/usr/sbin/winbindd",
+"/usr/sbin/xinetd",
+"/usr/sbin/yppush",
+"/usr/sbin/ypserv",
+"/usr/bin/zone2ldap",
+)
+)
diff --git a/rpmlint-pie.diff b/rpmlint-pie.diff
new file mode 100644
index 0000000..3facb6d
--- /dev/null
+++ b/rpmlint-pie.diff
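Review bot: The header comment has a typo, `permissions.eays` should be `permissions.easy`, and it should also say that entries are matched on the literal packaged path (the BinariesCheck patch does `fname in pie_executables`), so a binary that is relocated, for example from `/bin/ping` to `/usr/bin/ping`, silently drops out of the policy with no rpmlint output at all. Suggested wording: `# Paths are matched literally; a binary that moves must be re-added here or it is no longer checked.` The setuid entries such as `/bin/su` and `/usr/bin/passwd` have the permissions-based check as a fallback; the network daemons and clients that make up most of this list do not.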
@@ -0,0 +1,68 @@
+From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Mon, 9 May 2011 11:54:48 +0200
+Subject: [PATCH] check for position independent executables
+
+---
+ BinariesCheck.py | 11 +++++++++++
+ config | 4 ++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
+
+Index: rpmlint-1.1/BinariesCheck.py
+===================================================================
+--- rpmlint-1.1.orig/BinariesCheck.py
++++ rpmlint-1.1/BinariesCheck.py
+@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = (
+ '/lib', '/usr/lib', '/usr/X11R6/lib',
+ '/lib64', '/usr/lib64', '/usr/X11R6/lib64')
+
++DEFAULT_PIE_EXECUTABLES = (
++)
++
+ class BinaryInfo:
+
+ needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]')
+@@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\.
+ validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$')
+ sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC')
+ system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS)
++pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES)
+ usr_lib_regex = re.compile('^/usr/lib(64)?/')
+ bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/')
+ soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*')
+@@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra
+ if not is_exec and not is_shobj:
+ continue
+
++ if fname in pie_executables and not is_shobj:
++ printError(pkg, 'not-a-position-independent-executable', fname)
++
+ if is_exec:
+
+ if bin_regex.search(fname):
+@@ -598,6 +605,10 @@ that use prelink, make sure that prelink
+ placing a blacklist file in /etc/prelink.conf.d. For more information, see
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''',
+
++'not-a-position-independent-executable',
++'''As per distribution policy the binary must be position independent. Add
++-fPIE to CFLAGS and -pie to LDFLAGS'''
++
+ 'unstripped-binary-or-object',
+ '''stripping debug info from binaries happens automatically according to global
+ project settings. So there's normally no need to manually strip binaries.
+Index: rpmlint-1.1/config
+===================================================================
+--- rpmlint-1.1.orig/config
++++ rpmlint-1.1/config
+@@ -130,6 +130,10 @@ from Config import *
+ # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
+ #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
+
++# List of binaries that must be position independent executables
++# Type: tuple of strings, default: empty
++#setOption("PieExecutables", ('/bin/ping', '/bin/su'))
++
+ # Whether to want default start/stop runlevels specified in init scripts.
+ # Type: boolean, default: True
+ #setOption("UseDefaultRunlevels", True)
diff --git a/rpmlint.changes b/rpmlint.changes
index 5405844..7cfc532 100644
--- a/rpmlint.changes
+++ b/rpmlint.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed May 11 11:25:33 UTC 2011 - lnussel@suse.de
+
+- don't filter non-standard-gid anymore
+- add dir-or-file-in-var-lock check
+- remove 'nobody' from standard users
+
+-------------------------------------------------------------------
+Tue May 10 11:38:05 UTC 2011 - lnussel@suse.de
+
+- add not-a-position-independent-executable check
+
 -------------------------------------------------------------------
 Thu May 5 07:15:39 UTC 2011 - lnussel@suse.de
diff --git a/rpmlint.spec b/rpmlint.spec
index ddc2348..d630d76 100644
--- a/rpmlint.spec
+++ b/rpmlint.spec
@@ -49,6 +49,7 @@ Source20: rpmgroups.config
 Source21: BashismsCheck.py
 Source22: CheckGNOMEMacros.py
 Source23: CheckBuildDate.py
+Source24: pie.config
 Source100: syntax-validator.py
 Url: http://rpmlint.zarb.org/
 License: GPLv2+
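Review bot: The new details entry is missing its trailing comma: `++-fPIE to CFLAGS and -pie to LDFLAGS'''` is directly followed by the pre-existing `'unstripped-binary-or-object',`, so Python concatenates the two adjacent literals and every tag/description pair after this point in the `addDetails` call shifts by one (the preceding entry ends `#49''',` and shows the intended form). Change it to `++-fPIE to CFLAGS and -pie to LDFLAGS''',`. Also, `DEFAULT_PIE_EXECUTABLES` is empty, so the check is inert unless `PieExecutables` is set; the config comment could say that the list is expected to come from a separate config file, presumably the pie.config this commit installs.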
@@ -124,6 +125,7 @@ Patch86: suse-rclink-check.diff
 # already upstream
 Patch87: rpmlint-add-details.diff
 Patch88: suse-speccheck-utf8.diff
+Patch89: rpmlint-pie.diff
 %py_requires
 %description
@@ -150,7 +152,7 @@ Authors:
 %patch8
 %patch9
 #%patch10
-%patch11
+%patch11 -p1
 %patch12
 %patch13
 %patch14
@@ -203,6 +205,7 @@ Authors:
 %patch86
 %patch87 -p1
 %patch88
+%patch89 -p1
 cp -p %{SOURCE1} .
 cp -p %{SOURCE2} .
 cp -p %{SOURCE3} .
@@ -238,6 +241,7 @@ head -n 8 $RPM_BUILD_ROOT/usr/share/rpmlint/config > $RPM_BUILD_ROOT/etc/rpmlint
 # make sure that the package is sane
 python -tt %{SOURCE100} $RPM_BUILD_ROOT/usr/share/rpmlint/*.py $RPM_BUILD_ROOT/usr/share/rpmlint/config
 %__install -m 644 %{SOURCE20} %{buildroot}/%{_sysconfdir}/rpmlint/
+%__install -m 644 %{SOURCE24} %{buildroot}/%{_sysconfdir}/rpmlint/
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -249,6 +253,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_prefix}/share/rpmlint
 %config(noreplace) /etc/rpmlint/config
 %config %{_sysconfdir}/rpmlint/rpmgroups.config
+%config %{_sysconfdir}/rpmlint/pie.config
 %dir /etc/rpmlint
 /usr/share/man/man1/rpmlint.1.gz
diff --git a/suse-file-var-run.diff b/suse-file-var-run.diff
index 44ee708..7d4a8fe 100644
--- a/suse-file-var-run.diff
+++ b/suse-file-var-run.diff
@@ -1,35 +1,48 @@
-Index: FilesCheck.py
-===================================================================
---- FilesCheck.py.orig
-+++ FilesCheck.py
-@@ -901,7 +901,7 @@ class FilesCheck(AbstractCheck.AbstractC
- is_kernel_package:
- printError(pkg, "kernel-modules-not-in-kernel-packages", f)
-
-- if tmp_regex.search(f):
-+ if tmp_regex.search(f) and f not in ghost_files:
- printError(pkg, 'dir-or-file-in-tmp', f)
- elif f.startswith('/mnt/'):
- printError(pkg, 'dir-or-file-in-mnt', f)
-@@ -911,6 +911,8 @@ class FilesCheck(AbstractCheck.AbstractC
+From 811469ebe70ea65029d64ae2e7bc6e9828f59c9e Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Wed, 11 May 2011 13:15:22 +0200
+Subject: [PATCH] check for files in /var/run and /var/lock
+
+nowadays /var/run and /var/lock move to using tmpfs so disallow
+packaging files there
+---
+ FilesCheck.py | 16 ++++++++++++++++
+ 1 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/FilesCheck.py b/FilesCheck.py
+index a82b4b8..0f43927 100644
+--- a/FilesCheck.py
++++ b/FilesCheck.py
+@@ -443,6 +443,10 @@ class FilesCheck(AbstractCheck.AbstractCheck):
 printError(pkg, 'dir-or-file-in-usr-local', f)
 elif f.startswith('/var/local/'):
 printError(pkg, 'dir-or-file-in-var-local', f)
 + elif f.startswith('/var/run/') and f not in ghost_files:
 + printError(pkg, 'dir-or-file-in-var-run', f)
++ elif f.startswith('/var/lock/'):
++ printError(pkg, 'dir-or-file-in-var-lock', f)
 elif sub_bin_regex.search(f):
 printError(pkg, 'subdir-in-bin', f)
 elif f.startswith('/home/'):
-@@ -1478,6 +1480,12 @@ for packages to install files in this di
+@@ -1019,6 +1023,18 @@ for packages to install files in this directory.''',
 '''A file in the package is located in /var/local. It's not permitted
 for packages to install files in this directory.''',
 +'dir-or-file-in-var-run',
 +'''A file or directory in the package is located in /var/run. It's not
 +permitted for packages to install files in this directory as it might
-+be created as tmpfs during boot. Modify your package to create the
-+necessary files during runtime.''',
++be created as tmpfs during boot. Mark the files in question as %ghost and
++create them at run time instead.''',
++
++'dir-or-file-in-var-lock',
++'''A file or directory in the package is located in /var/lock. It's
++not permitted for packages to install files in this directory as it
++is a) reserved for legacy device lock files and b) might be created
++as tmpfs during boot.''',
++
+ 'subdir-in-bin',
+ '''The package contains a subdirectory in /usr/bin. It's not permitted
+ to create a subdir there. Create it in /usr/lib/ instead.''',
+--
+1.7.3.4
+
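Review bot: The new `dir-or-file-in-var-lock` branch carries no `f not in ghost_files` exemption, unlike the `/var/run/` branch directly above it, so a package that ships a `%ghost` lock file, which is exactly what the updated `/var/run` description now tells packagers to do, is rejected for `/var/lock`; either append `and f not in ghost_files` or state in the description that ghosts are refused there because the directory is reserved. Separately, the rewritten patch drops the old hunk's `-+ if tmp_regex.search(f) and f not in ghost_files:` change without a replacement, so unless that guard has gone upstream in the new base (the line numbers have moved considerably), ghosted files under `/tmp` regress to `dir-or-file-in-tmp`. The `elif` chain these lines belong to starts before the hunk.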