diff --git a/CheckDBUSServices.py b/CheckDBUSServices.py new file mode 100644 index 0000000..fb4f4c3 --- /dev/null +++ b/CheckDBUSServices.py @@ -0,0 +1,105 @@ +# vim:sw=4:et +############################################################################# +# File : CheckDBUSServices.py +# Package : rpmlint +# Author : Ludwig Nussel +# Purpose : Check for DBUS services that are not authorized by the security team +############################################################################# + +# http://techbase.kde.org/Development/Tutorials/D-Bus/Autostart_Services + +from Filter import * +import AbstractCheck +import re +import os +import string + +_services_whitelist = ( +# "avahi-dbus.conf", +# "backup-manager.conf", +# "bluetooth.conf", +# "com.google.code.BackupManager.service", +# "com.novell.Pkcs11Monitor.conf", + "ConsoleKit.conf", +# "cups.conf", +# "fi.epitest.hostap.WPASupplicant.service", +# "galago-daemon.conf", +# "gdm.conf", + "hal.conf", +# "kerneloops.dbus", +# "knetworkmanager.conf", +# "NetworkManager.conf", +# "newprinternotification.conf", +# "nm-applet.conf", +# "nm-avahi-autoipd.conf", +# "nm-dhcp-client.conf", +# "nm-dispatcher.conf", +# "nm-novellvpn-service.conf", +# "nm-openvpn-service.conf", +# "nm-pptp-service.conf", +# "nm-system-settings.conf", +# "nm-vpnc-service.conf", +# "org.bluez.service", + "org.freedesktop.ConsoleKit.service", +# "org.freedesktop.ModemManager.conf", +# "org.freedesktop.ModemManager.service", +# "org.freedesktop.NetworkManagerSystemSettings.service", +# "org.freedesktop.nm_dispatcher.service", +# "org.freedesktop.PackageKit.conf", +# "org.freedesktop.PackageKit.service", + "org.freedesktop.PolicyKit.conf", + "org.freedesktop.PolicyKit.service", +# "org.gnome.ClockApplet.Mechanism.conf", +# "org.gnome.ClockApplet.Mechanism.service", +# "org.gnome.GConf.Defaults.conf", +# "org.gnome.GConf.Defaults.service", +# "org.opensuse.CupsPkHelper.Mechanism.conf", +# "org.opensuse.CupsPkHelper.Mechanism.service", +# "org.opensuse.yast.SCR.conf", +# "org.opensuse.yast.SCR.service", +# "pommed.conf", +# "powersave.conf", +# "upsd.conf", +# "wpa_supplicant.conf", +# "xorg-server.conf", +# "yum-updatesd.conf", +) + +# need to end with / so we don't catch directories +_dbus_system_paths = [ + "/usr/share/dbus-1/system-services/", + "/etc/dbus-1/system.d/" +] + +class DBUSServiceCheck(AbstractCheck.AbstractCheck): + def __init__(self): + AbstractCheck.AbstractCheck.__init__(self, "CheckDBUSServices") + + def check(self, pkg): + global _services_whitelist + global _dbus_system_paths + + if pkg.isSource(): + return + + files = pkg.files() + + for f in files: + if f in pkg.ghostFiles(): + continue + + for p in _dbus_system_paths: + if f.startswith(p): + + bn = f[len(p):] + if not bn in _services_whitelist: + printError(pkg, "dbus-unauthorized-service", f) + +check=DBUSServiceCheck() + +if Config.info: + addDetails( +'dbus-unauthorized-service', +"""The package installs an unauthorized DBUS service. +Please contact security@suse.de for review.""", +) diff --git a/CheckPolkitPrivs.py b/CheckPolkitPrivs.py new file mode 100644 index 0000000..4205015 --- /dev/null +++ b/CheckPolkitPrivs.py @@ -0,0 +1,124 @@ +# vim:sw=4:et +############################################################################# +# File : CheckPolkitPrivs.py +# Package : rpmlint +# Author : Ludwig Nussel +# Purpose : Check for /etc/polkit-default-privs violations +############################################################################# + +from Filter import * +import AbstractCheck +import re +import os +from xml.dom.minidom import parse + +_whitelist = () + +class PolkitCheck(AbstractCheck.AbstractCheck): + def __init__(self): + AbstractCheck.AbstractCheck.__init__(self, "CheckPolkitPrivs") + self.privs = {} + + files = [ "/etc/polkit-default-privs.standard" ] + + for file in files: + if os.path.exists(file): + self._parsefile(file) + + def _parsefile(self,file): + for line in open(file): + line = line.split('#')[0].split('\n')[0] + if len(line): + line = re.split(r'\s+', line) + priv = line[0] + value = line[1] + + self.privs[priv] = value + + def check(self, pkg): + global _whitelist + + if pkg.isSource(): + return + + files = pkg.files() + + permfiles = {} + # first pass, find additional files + for f in files: + if f in pkg.ghostFiles(): + continue + + if f.startswith("/etc/polkit-default-privs.d/"): + + bn = f[28:] + if not bn in _whitelist: + printError(pkg, "polkit-unauthorized-file", f) + + bn = bn.split('.')[0] + if not bn in permfiles: + permfiles[bn] = 1 + + for f in permfiles: + f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f + if os.path.exists(f+".restrictive"): + self._parsefile(f + ".restrictive") + elif os.path.exists(f+".standard"): + self._parsefile(f + ".standard") + elif os.path.exists(f+".relaxed"): + self._parsefile(f + ".relaxed") + else: + self._parsefile(f) + + for f in files: + if f in pkg.ghostFiles(): + continue + + # catch xml exceptions + try: + if f.startswith("/usr/share/PolicyKit/policy/"): + f = pkg.dirName() + f + xml = parse(f) + for a in xml.getElementsByTagName("action"): + action = a.getAttribute('id') + if not action in self.privs: + iserr = 0 + foundno = 0 + anyseen = 0 + try: + defaults = a.getElementsByTagName("defaults")[0] + for i in defaults.childNodes: + if not i.nodeType == i.ELEMENT_NODE: + continue + if i.nodeName == 'allow_any': + anyseen = 1 + if i.firstChild.data.find("auth_admin") != 0: + if i.firstChild.data == 'no': + foundno = 1 + else: + iserr = 1 + except: + iserr = 1 + + if iserr: + printError(pkg, 'polkit-unauthorized-privilege', action) + else: + printWarning(pkg, 'polkit-unauthorized-privilege', action) + + if foundno or not anyseen: + printWarning(pkg, 'polkit-cant-acquire-privilege', action) + except: + continue + +check=PolkitCheck() + +if Config.info: + addDetails( +'polkit-unauthorized-file', +"""Please contact security@suse.de for review.""", +'polkit-unauthorized-privilege', +"""Please contact security@suse.de for review.""", +'polkit-cant-acquire-privilege', +"""Usability can be improved by allowing users to acquire privileges +via authentication. Use e.g. 'auth_admin' instead of 'no' and make +sure to define 'allow_any'.""") diff --git a/config b/config index c7787ed..8178123 100644 --- a/config +++ b/config @@ -26,6 +26,9 @@ addCheck("CheckIconSizes") #addCheck("CheckStaticLibraries") addCheck("BrandingPolicyCheck") addCheck("CheckSUIDPermissions") +# polkit-default-privs would need to be installed always +#addCheck("CheckPolkitPrivs") +addCheck("CheckDBUSServices") addCheck("CheckKDE4Deps") addCheck("KMPPolicyCheck") diff --git a/config.in b/config.in index 9d10e3b..a00b83c 100644 --- a/config.in +++ b/config.in @@ -26,6 +26,9 @@ addCheck("CheckIconSizes") #addCheck("CheckStaticLibraries") addCheck("BrandingPolicyCheck") addCheck("CheckSUIDPermissions") +# polkit-default-privs would need to be installed always +#addCheck("CheckPolkitPrivs") +addCheck("CheckDBUSServices") # stuff autobuild takes care about addFilter(".*invalid-version.*") diff --git a/rpmlint.changes b/rpmlint.changes index fd5adb8..f0d5d96 100644 --- a/rpmlint.changes +++ b/rpmlint.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Dec 11 14:07:19 CET 2008 - lnussel@suse.de + +- add a check for PolicyKit privileges (disabled atm) +- add check for DBUS services + ------------------------------------------------------------------- Wed Dec 3 08:50:33 CET 2008 - dmueller@suse.de diff --git a/rpmlint.spec b/rpmlint.spec index 4ecae70..8f5d8fd 100644 --- a/rpmlint.spec +++ b/rpmlint.spec @@ -22,7 +22,7 @@ Name: rpmlint BuildRequires: rpm-python Summary: Rpm correctness checker Version: 0.84 -Release: 4 +Release: 5 Source0: %{name}-%{version}.tar.bz2 Source1: config Source1001: config.in @@ -39,6 +39,8 @@ Source11: BrandingPolicyCheck.py Source12: CheckKDE4Deps.py Source13: KMPPolicyCheck.py Source14: CheckSUIDPermissions.py +Source15: CheckPolkitPrivs.py +Source16: CheckDBUSServices.py Source100: syntax-validator.py Url: http://rpmlint.zarb.org/ License: GPL v2 or later @@ -188,6 +190,8 @@ cp -p %{SOURCE11} . cp -p %{SOURCE12} . cp -p %{SOURCE13} . cp -p %{SOURCE14} . +cp -p %{SOURCE15} . +cp -p %{SOURCE16} . %build make @@ -214,6 +218,9 @@ rm -rf $RPM_BUILD_ROOT /usr/share/man/man1/rpmlint.1.gz %changelog +* Thu Dec 11 2008 lnussel@suse.de +- add a check for PolicyKit privileges (disabled atm) +- add check for DBUS services * Wed Dec 03 2008 dmueller@suse.de - update suse version check (add 11.1, drop 10.2) - check library packages more strict (bnc#456053)