Accepting request 70089 from devel:openSUSE:Factory:rpmlint

- don't filter non-standard-gid anymore - add dir-or-file-in-var-lock check - remove 'nobody' from standard users - add not-a-position-independent-executable check OBS-URL: https://build.opensuse.org/request/show/70089 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=111
2011-05-16 09:33:32 +00:00 · 2011-05-16 09:33:32 +00:00 · b273e49f97
commit b273e49f97
parent 097f1118dc 65422f23e3
8 changed files with 365 additions and 23 deletions
--- a/BashismsCheck.py
+++ b/BashismsCheck.py
@ -28,9 +28,12 @@ class BashismsCheck(AbstractCheck.AbstractFilesCheck):
                status, output = Pkg.getstatusoutput(["dash", "-n", filename])
                if status == 2:
                    printWarning(pkg, "bin-sh-syntax-error", filename)
-                status, output = Pkg.getstatusoutput(["checkbashisms", filename])
+                try:
-                if status == 1:
+                    status, output = Pkg.getstatusoutput(["checkbashisms", filename])
-                    printInfo(pkg, "potential-bashisms", filename)
+                    if status == 1:
                        printInfo(pkg, "potential-bashisms", filename)
                except Exception, x:
                    printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':filename, 'x':x})
        finally:
            f.close()
--- a/CheckSUIDPermissions.py
+++ b/CheckSUIDPermissions.py
@ -135,6 +135,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
                    else:
                        f += '/'
                if type == 010:
                    if not 'shared object' in pkgfile.magic:
                        printError(pkg, 'not-a-position-independent-executable', f)
                m = self.perms[f]['mode']
                o = self.perms[f]['owner']
@ -159,6 +163,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
                    else:
                        printWarning(pkg, 'permissions-directory-setuid-bit', msg)
                    if type == 010:
                        if not 'shared object' in pkgfile.magic:
                            printError(pkg, 'not-a-position-independent-executable', f)
                if mode&02:
                    need_verifyscript = True
                    printError(pkg, 'permissions-world-writable', \
--- a/3
+++ b/3
@ -139,6 +139,7 @@ setOption('StandardGroups', (
    'pulse-rt',
    'quagga',
    'radiusd',
    'root',
    'sabayon-admin',
    'sapdb',
    'shadow',
@ -217,7 +218,6 @@ setOption('StandardUsers', (
    'nagios',
    'named',
    'news',
    'nobody',
    'novell_nobody',
    'novlifdr',
    'novlxregd',
@ -558,7 +558,6 @@ addFilter(" multiple-specfiles")
 addFilter(" apache2-naming-policy-not-applied")
 addFilter(" no-default-runlevel ")
 addFilter(" setgid-binary ")
 addFilter(" non-standard-gid ")
 addFilter(" non-readable ")
 addFilter(" manpage-not-bzipped ")
 addFilter(" postin-without-ghost-file-creation ")
--- a/pie.config
+++ b/pie.config
@ -0,0 +1,234 @@
 from Config import *
 # This file should list daemons and programs that are likely to be set setuid
 # by users. Files listed in permissions.eays are automatically checked.
 setOption("PieExecutables",
 (
 "/bin/ping",
 "/bin/ping6",
 "/bin/su",
 "/usr/bin/pidgin",
 "/sbin/arping",
 "/sbin/clockdiff",
 "/sbin/dhclient",
 "/sbin/dhcpcd",
 "/sbin/klogd",
 "/sbin/rpcbind",
 "/sbin/syslogd",
 "/sbin/tracepath",
 "/sbin/tracepath6",
 "/usr/bin/uniconv",
 "/usr/bin/achfile",
 "/usr/bin/adv1tov2",
 "/usr/bin/aecho",
 "/usr/bin/afile",
 "/usr/bin/afppasswd",
 "/usr/bin/at",
 "/usr/bin/cadaver",
 "/usr/bin/chage",
 "/usr/bin/chfn",
 "/usr/bin/chsh",
 "/usr/bin/ciptool",
 "/usr/bin/cnid_index",
 "/usr/bin/dig",
 "/usr/bin/dund",
 "/usr/bin/expiry",
 "/usr/bin/finger",
 "/usr/bin/getzones",
 "/usr/bin/gpasswd",
 "/usr/bin/gpg",
 "/usr/bin/gpgsplit",
 "/usr/bin/gpgv",
 "/usr/bin/hcitool",
 "/usr/bin/hidd",
 "/usr/bin/host",
 "/usr/bin/htpasswd",
 "/usr/bin/l2ping",
 "/usr/bin/lppasswd",
 "/usr/bin/megatron",
 "/usr/bin/nbplkup",
 "/usr/bin/nbprgstr",
 "/usr/bin/nbpunrgstr",
 "/usr/bin/ncplogin",
 "/usr/bin/ncpmap",
 "/usr/bin/net",
 "/usr/bin/newgrp",
 "/usr/bin/nmblookup",
 "/usr/bin/nslookup",
 "/usr/bin/nsupdate",
 "/usr/bin/nwsfind",
 "/usr/bin/omshell",
 "/usr/bin/pand",
 "/usr/bin/pap",
 "/usr/bin/papstatus",
 "/usr/bin/passwd",
 "/usr/bin/pdbedit",
 "/usr/bin/profiles",
 "/usr/bin/psorder",
 "/usr/bin/rcp",
 "/usr/bin/rexec",
 "/usr/bin/rfcomm",
 "/usr/bin/rlogin",
 "/usr/bin/rpcclient",
 "/usr/bin/rsh",
 "/usr/bin/scp",
 "/usr/bin/sdptool",
 "/usr/bin/sftp",
 "/usr/bin/showppd",
 "/usr/bin/smbcacls",
 "/usr/bin/smbclient",
 "/usr/bin/smbcontrol",
 "/usr/bin/smbcquotas",
 "/sbin/mount.cifs",
 "/usr/bin/smbpasswd",
 "/usr/bin/smbspool",
 "/usr/bin/smbstatus",
 "/usr/bin/smbtree",
 "/usr/bin/ssh",
 "/usr/bin/ssh-add",
 "/usr/bin/ssh-agent",
 "/usr/bin/ssh-keygen",
 "/usr/bin/ssh-keyscan",
 "/usr/bin/svn",
 "/usr/bin/svnadmin",
 "/usr/bin/svndumpfilter",
 "/usr/bin/svnlook",
 "/usr/bin/svnserve",
 "/usr/bin/svnversion",
 "/usr/bin/talk",
 "/usr/bin/tdbbackup",
 "/usr/bin/tdbdump",
 "/usr/bin/tdbtool",
 "/usr/bin/telnet",
 "/usr/bin/testparm",
 "/usr/bin/testprns",
 "/usr/bin/timeout",
 "/usr/bin/wbinfo",
 "/usr/lib/mit/bin/ftp",
 "/usr/lib/mit/bin/gss-client",
 "/usr/lib/mit/bin/kdestroy",
 "/usr/lib/mit/bin/kinit",
 "/usr/lib/mit/bin/klist",
 "/usr/lib/mit/bin/kpasswd",
 "/usr/lib/mit/bin/krb524init",
 "/usr/lib/mit/bin/ksu",
 "/usr/lib/mit/bin/kvno",
 "/usr/lib/mit/bin/rcp",
 "/usr/lib/mit/bin/rlogin",
 "/usr/lib/mit/bin/rsh",
 "/usr/lib/mit/bin/sclient",
 "/usr/lib/mit/bin/sim_client",
 "/usr/lib/mit/bin/telnet",
 "/usr/lib/mit/bin/uuclient",
 "/usr/lib/mit/bin/v4rcp",
 "/usr/lib/mit/sbin/ftpd",
 "/usr/lib/mit/sbin/gss-server",
 "/usr/lib/mit/sbin/kadmin",
 "/usr/lib/mit/sbin/kadmin.local",
 "/usr/lib/mit/sbin/kadmind",
 "/usr/lib/mit/sbin/kdb5_util",
 "/usr/lib/mit/sbin/klogind",
 "/usr/lib/mit/sbin/kprop",
 "/usr/lib/mit/sbin/kpropd",
 "/usr/lib/mit/sbin/krb524d",
 "/usr/lib/mit/sbin/krb5kdc",
 "/usr/lib/mit/sbin/kshd",
 "/usr/lib/mit/sbin/ktutil",
 "/usr/lib/mit/sbin/login.krb5",
 "/usr/lib/mit/sbin/sim_server",
 "/usr/lib/mit/sbin/sserver",
 "/usr/lib/mit/sbin/telnetd",
 "/usr/lib/mit/sbin/uuserver",
 "/usr/lib/news/bin/innd",
 "/usr/lib/news/bin/innbind",
 "/usr/lib/news/bin/rnews",
 "/usr/sbin/afpd",
 "/usr/sbin/amcheck",
 "/usr/sbin/amdd",
 "/usr/sbin/atalkd",
 "/usr/sbin/atd",
 "/usr/sbin/automount",
 "/usr/sbin/chat",
 "/usr/sbin/cnid_dbd",
 "/usr/sbin/cnid_metad",
 "/usr/sbin/cron",
 "/usr/sbin/cupsd",
 "/usr/sbin/dhcpd",
 "/usr/sbin/dhcrelay",
 "/usr/sbin/dnssec-keygen",
 "/usr/sbin/dnssec-signzone",
 "/usr/sbin/exim",
 "/usr/sbin/hciattach",
 "/usr/sbin/bluetoothd",
 "/usr/sbin/hciconfig",
 "/usr/sbin/hid2hci",
 "/usr/sbin/httpd2",
 "/usr/sbin/httpd2-prefork",
 "/usr/sbin/httpd2-worker",
 "/usr/sbin/in.fingerd",
 "/usr/sbin/in.ntalkd",
 "/usr/sbin/in.rexecd",
 "/usr/sbin/in.rlogind",
 "/usr/sbin/in.rshd",
 "/usr/sbin/in.telnetd",
 "/usr/sbin/irqbalance",
 "/usr/sbin/lwresd",
 "/usr/sbin/mailstats",
 "/usr/sbin/makemap",
 "/usr/sbin/named",
 "/usr/sbin/named-checkconf",
 "/usr/sbin/named-checkzone",
 "/usr/sbin/nmbd",
 "/usr/sbin/nscd",
 "/usr/sbin/ntlm_auth",
 "/usr/sbin/ntp-keygen",
 "/usr/sbin/ntpd",
 "/usr/sbin/ntpdc",
 "/usr/sbin/ntpq",
 "/usr/sbin/ntptime",
 "/usr/sbin/openvpn",
 "/usr/sbin/papd",
 "/usr/sbin/postfix",
 "/usr/sbin/pppd",
 "/usr/sbin/praliases",
 "/usr/sbin/radiusd",
 "/usr/sbin/rarpd",
 "/usr/sbin/rndc",
 "/usr/sbin/rndc-confgen",
 "/usr/sbin/rotatelogs2",
 "/usr/sbin/rpc.mountd",
 "/usr/sbin/rpc.nfsd",
 "/usr/sbin/rpc.rquotad",
 "/usr/sbin/rpc.rwalld",
 "/usr/sbin/rpc.yppasswdd",
 "/usr/sbin/rpc.ypxfrd",
 "/usr/sbin/safe_finger",
 "/usr/sbin/sendmail",
 "/usr/lib/sudo/sesh",
 "/usr/lib/openldap/slapd",
 "/usr/sbin/smartctl",
 "/usr/sbin/smartd",
 "/usr/sbin/smbd",
 "/usr/sbin/snmpd",
 "/usr/sbin/snmptrapd",
 "/usr/sbin/squid",
 "/usr/sbin/squidclient",
 "/usr/sbin/sshd",
 "/usr/sbin/stunnel",
 "/usr/sbin/suexec2",
 "/usr/sbin/tcpd",
 "/usr/sbin/tickadj",
 "/usr/sbin/traceroute",
 "/usr/sbin/traceroute6",
 "/usr/sbin/try-from",
 "/usr/sbin/utempter",
 "/usr/sbin/visudo",
 "/usr/sbin/vsftpd",
 "/usr/sbin/winbindd",
 "/usr/sbin/xinetd",
 "/usr/sbin/yppush",
 "/usr/sbin/ypserv",
 "/usr/bin/zone2ldap",
 )
 )
--- a/rpmlint-pie.diff
+++ b/rpmlint-pie.diff
@ -0,0 +1,68 @@
 From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001
 From: Ludwig Nussel <ludwig.nussel@suse.de>
 Date: Mon, 9 May 2011 11:54:48 +0200
 Subject: [PATCH] check for position independent executables
 ---
 BinariesCheck.py |   11 +++++++++++
 config           |    4 ++++
 2 files changed, 15 insertions(+), 0 deletions(-)
 Index: rpmlint-1.1/BinariesCheck.py
 ===================================================================
 --- rpmlint-1.1.orig/BinariesCheck.py
 +++ rpmlint-1.1/BinariesCheck.py
@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = (
     '/lib', '/usr/lib', '/usr/X11R6/lib',
     '/lib64', '/usr/lib64', '/usr/X11R6/lib64')
 +DEFAULT_PIE_EXECUTABLES = (
 +)
 +
 class BinaryInfo:
     needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]')
@@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\.
 validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$')
 sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC')
 system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS)
 +pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES)
 usr_lib_regex = re.compile('^/usr/lib(64)?/')
 bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/')
 soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*')
@@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra
             if not is_exec and not is_shobj:
                 continue
 +            if fname in pie_executables and not is_shobj:
 +                printError(pkg, 'not-a-position-independent-executable', fname)
 +
             if is_exec:
                 if bin_regex.search(fname):
@@ -598,6 +605,10 @@ that use prelink, make sure that prelink
 placing a blacklist file in /etc/prelink.conf.d.  For more information, see
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''',
 +'not-a-position-independent-executable',
 +'''As per distribution policy the binary must be position independent. Add
 +-fPIE to CFLAGS and -pie to LDFLAGS'''
 +
 'unstripped-binary-or-object',
 '''stripping debug info from binaries happens automatically according to global
 project settings. So there's normally no need to manually strip binaries.
 Index: rpmlint-1.1/config
 ===================================================================
 --- rpmlint-1.1.orig/config
 +++ rpmlint-1.1/config
@@ -130,6 +130,10 @@ from Config import *
 # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
 #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
 +# List of binaries that must be position independent executables
 +# Type: tuple of strings, default: empty
 +#setOption("PieExecutables", ('/bin/ping', '/bin/su'))
 +
 # Whether to want default start/stop runlevels specified in init scripts.
 # Type: boolean, default: True
 #setOption("UseDefaultRunlevels", True)
--- a/rpmlint.changes
+++ b/rpmlint.changes
@ -1,3 +1,15 @@
 -------------------------------------------------------------------
 Wed May 11 11:25:33 UTC 2011 - lnussel@suse.de
 - don't filter non-standard-gid anymore
 - add dir-or-file-in-var-lock check
 - remove 'nobody' from standard users
 -------------------------------------------------------------------
 Tue May 10 11:38:05 UTC 2011 - lnussel@suse.de
 - add not-a-position-independent-executable check
 -------------------------------------------------------------------
 Thu May  5 07:15:39 UTC 2011 - lnussel@suse.de
--- a/rpmlint.spec
+++ b/rpmlint.spec
@ -49,6 +49,7 @@ Source20:       rpmgroups.config
 Source21:       BashismsCheck.py
 Source22:       CheckGNOMEMacros.py
 Source23:       CheckBuildDate.py
 Source24:       pie.config
 Source100:      syntax-validator.py
 Url:            http://rpmlint.zarb.org/
 License:        GPLv2+
@ -124,6 +125,7 @@ Patch86:        suse-rclink-check.diff
 # already upstream
 Patch87:        rpmlint-add-details.diff
 Patch88:        suse-speccheck-utf8.diff
 Patch89:        rpmlint-pie.diff
 %py_requires
 %description
@ -150,7 +152,7 @@ Authors:
 %patch8
 %patch9
 #%patch10
-%patch11
+%patch11 -p1
 %patch12
 %patch13
 %patch14
@ -203,6 +205,7 @@ Authors:
 %patch86
 %patch87 -p1
 %patch88
 %patch89 -p1
 cp -p %{SOURCE1} .
 cp -p %{SOURCE2} .
 cp -p %{SOURCE3} .
@ -238,6 +241,7 @@ head -n 8 $RPM_BUILD_ROOT/usr/share/rpmlint/config > $RPM_BUILD_ROOT/etc/rpmlint
 # make sure that the package is sane
 python -tt %{SOURCE100} $RPM_BUILD_ROOT/usr/share/rpmlint/*.py $RPM_BUILD_ROOT/usr/share/rpmlint/config
 %__install -m 644 %{SOURCE20} %{buildroot}/%{_sysconfdir}/rpmlint/
 %__install -m 644 %{SOURCE24} %{buildroot}/%{_sysconfdir}/rpmlint/
 %clean
 rm -rf $RPM_BUILD_ROOT
@ -249,6 +253,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_prefix}/share/rpmlint
 %config(noreplace) /etc/rpmlint/config
 %config %{_sysconfdir}/rpmlint/rpmgroups.config
 %config %{_sysconfdir}/rpmlint/pie.config
 %dir /etc/rpmlint
 /usr/share/man/man1/rpmlint.1.gz
--- a/suse-file-var-run.diff
+++ b/suse-file-var-run.diff
@ -1,35 +1,48 @@
-Index: FilesCheck.py
+From 811469ebe70ea65029d64ae2e7bc6e9828f59c9e Mon Sep 17 00:00:00 2001
-===================================================================
+From: Ludwig Nussel <ludwig.nussel@suse.de>
--- FilesCheck.py.orig
+Date: Wed, 11 May 2011 13:15:22 +0200
-+++ FilesCheck.py
+Subject: [PATCH] check for files in /var/run and /var/lock
-@@ -901,7 +901,7 @@ class FilesCheck(AbstractCheck.AbstractC
+
-                     is_kernel_package:
+nowadays /var/run and /var/lock move to using tmpfs so disallow
-                 printError(pkg, "kernel-modules-not-in-kernel-packages", f)
+packaging files there
- 
+---
-            if tmp_regex.search(f):
+ FilesCheck.py |   16 ++++++++++++++++
-+            if tmp_regex.search(f) and f not in ghost_files:
+ 1 files changed, 16 insertions(+), 0 deletions(-)
-                 printError(pkg, 'dir-or-file-in-tmp', f)
+
-             elif f.startswith('/mnt/'):
+diff --git a/FilesCheck.py b/FilesCheck.py
-                 printError(pkg, 'dir-or-file-in-mnt', f)
+index a82b4b8..0f43927 100644
-@@ -911,6 +911,8 @@ class FilesCheck(AbstractCheck.AbstractC
+--- a/FilesCheck.py
 +++ b/FilesCheck.py
@@ -443,6 +443,10 @@ class FilesCheck(AbstractCheck.AbstractCheck):
                 printError(pkg, 'dir-or-file-in-usr-local', f)
             elif f.startswith('/var/local/'):
                 printError(pkg, 'dir-or-file-in-var-local', f)
 +            elif f.startswith('/var/run/') and f not in ghost_files:
 +                printError(pkg, 'dir-or-file-in-var-run', f)
 +            elif f.startswith('/var/lock/'):
 +                printError(pkg, 'dir-or-file-in-var-lock', f)
             elif sub_bin_regex.search(f):
                 printError(pkg, 'subdir-in-bin', f)
             elif f.startswith('/home/'):
-@@ -1478,6 +1480,12 @@ for packages to install files in this di
+@@ -1019,6 +1023,18 @@ for packages to install files in this directory.''',
 '''A file in the package is located in /var/local. It's not permitted
 for packages to install files in this directory.''',
 +'dir-or-file-in-var-run',
 +'''A file or directory in the package is located in /var/run. It's not
 +permitted for packages to install files in this directory as it might
-+be created as tmpfs during boot. Modify your package to create the 
+be created as tmpfs during boot. Mark the files in question as %ghost and
-+necessary files during runtime.''',
+create them at run time instead.''',
 +
 +'dir-or-file-in-var-lock',
 +'''A file or directory in the package is located in /var/lock. It's
 +not permitted for packages to install files in this directory as it
 +is a) reserved for legacy device lock files and b) might be created
 +as tmpfs during boot.''',
 +
 'subdir-in-bin',
 '''The package contains a subdirectory in /usr/bin. It's not permitted to
 create a subdir there. Create it in /usr/lib/ instead.''',
 -- 
 1.7.3.4