parent
84f088287b
commit
b3e875aa99
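--- a/CheckDBUSServices.py
+++ b/CheckDBUSServices.py
@@ -0,0 +1,105 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckDBUSServices.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for DBUS services that are not authorized by the security team
+#############################################################################
+
+# http://techbase.kde.org/Development/Tutorials/D-Bus/Autostart_Services
+
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+
+_services_whitelist = (
+# "avahi-dbus.conf",
+# "backup-manager.conf",
+# "bluetooth.conf",
+# "com.google.code.BackupManager.service",
+# "com.novell.Pkcs11Monitor.conf",
+"ConsoleKit.conf",
+# "cups.conf",
+# "fi.epitest.hostap.WPASupplicant.service",
+# "galago-daemon.conf",
+# "gdm.conf",
+"hal.conf",
+# "kerneloops.dbus",
+# "knetworkmanager.conf",
+# "NetworkManager.conf",
+# "newprinternotification.conf",
+# "nm-applet.conf",
+# "nm-avahi-autoipd.conf",
+# "nm-dhcp-client.conf",
+# "nm-dispatcher.conf",
+# "nm-novellvpn-service.conf",
+# "nm-openvpn-service.conf",
+# "nm-pptp-service.conf",
+# "nm-system-settings.conf",
+# "nm-vpnc-service.conf",
+# "org.bluez.service",
+"org.freedesktop.ConsoleKit.service",
+# "org.freedesktop.ModemManager.conf",
+# "org.freedesktop.ModemManager.service",
+# "org.freedesktop.NetworkManagerSystemSettings.service",
+# "org.freedesktop.nm_dispatcher.service",
+# "org.freedesktop.PackageKit.conf",
+# "org.freedesktop.PackageKit.service",
+"org.freedesktop.PolicyKit.conf",
+"org.freedesktop.PolicyKit.service",
+# "org.gnome.ClockApplet.Mechanism.conf",
+# "org.gnome.ClockApplet.Mechanism.service",
+# "org.gnome.GConf.Defaults.conf",
+# "org.gnome.GConf.Defaults.service",
+# "org.opensuse.CupsPkHelper.Mechanism.conf",
+# "org.opensuse.CupsPkHelper.Mechanism.service",
+# "org.opensuse.yast.SCR.conf",
+# "org.opensuse.yast.SCR.service",
+# "pommed.conf",
+# "powersave.conf",
+# "upsd.conf",
+# "wpa_supplicant.conf",
+# "xorg-server.conf",
+# "yum-updatesd.conf",
+)
+
+# need to end with / so we don't catch directories
+_dbus_system_paths = [
+"/usr/share/dbus-1/system-services/",
+"/etc/dbus-1/system.d/"
+]
+
+class DBUSServiceCheck(AbstractCheck.AbstractCheck):
+def __init__(self):
+AbstractCheck.AbstractCheck.__init__(self, "CheckDBUSServices")
+
+def check(self, pkg):
+global _services_whitelist
+global _dbus_system_paths
+
+if pkg.isSource():
+return
+
+files = pkg.files()
+
+for f in files:
+if f in pkg.ghostFiles():
+continue
+
+for p in _dbus_system_paths:
+if f.startswith(p):
+
+bn = f[len(p):]
+if not bn in _services_whitelist:
+printError(pkg, "dbus-unauthorized-service", f)
+
+check=DBUSServiceCheck()
+
+if Config.info:
+addDetails(
+'dbus-unauthorized-service',
+"""The package installs an unauthorized DBUS service.
+Please contact security@suse.de for review.""",
+)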
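Review bot: The whitelist lookup at `if not bn in _services_whitelist:` keys on the bare file name only, so a whitelisted name is accepted under either directory in `_dbus_system_paths` — a `.conf` name placed in `/usr/share/dbus-1/system-services/`, or a `.service` name in `/etc/dbus-1/system.d/`, would pass even though that is not the file the whitelist entry was reviewed for; scoping the tuple to the full path (or checking that the extension matches the directory) closes that gap. Everything else fails safe, since any name not in the tuple is reported as an error. As a style point, `re`, `os` and `string` are imported but never used, the two `global` statements are unnecessary because the module-level tuples are only read, and `if bn not in _services_whitelist:` is the idiomatic spelling.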
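--- a/CheckPolkitPrivs.py
+++ b/CheckPolkitPrivs.py
@@ -0,0 +1,124 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckPolkitPrivs.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for /etc/polkit-default-privs violations
+#############################################################################
+
+from Filter import *
+import AbstractCheck
+import re
+import os
+from xml.dom.minidom import parse
+
+_whitelist = ()
+
+class PolkitCheck(AbstractCheck.AbstractCheck):
+def __init__(self):
+AbstractCheck.AbstractCheck.__init__(self, "CheckPolkitPrivs")
+self.privs = {}
+
+files = [ "/etc/polkit-default-privs.standard" ]
+
+for file in files:
+if os.path.exists(file):
+self._parsefile(file)
+
+def _parsefile(self,file):
+for line in open(file):
+line = line.split('#')[0].split('\n')[0]
+if len(line):
+line = re.split(r'\s+', line)
+priv = line[0]
+value = line[1]
+
+self.privs[priv] = value
+
+def check(self, pkg):
+global _whitelist
+
+if pkg.isSource():
+return
+
+files = pkg.files()
+
+permfiles = {}
+# first pass, find additional files
+for f in files:
+if f in pkg.ghostFiles():
+continue
+
+if f.startswith("/etc/polkit-default-privs.d/"):
+
+bn = f[28:]
+if not bn in _whitelist:
+printError(pkg, "polkit-unauthorized-file", f)
+
+bn = bn.split('.')[0]
+if not bn in permfiles:
+permfiles[bn] = 1
+
+for f in permfiles:
+f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f
+if os.path.exists(f+".restrictive"):
+self._parsefile(f + ".restrictive")
+elif os.path.exists(f+".standard"):
+self._parsefile(f + ".standard")
+elif os.path.exists(f+".relaxed"):
+self._parsefile(f + ".relaxed")
+else:
+self._parsefile(f)
+
+for f in files:
+if f in pkg.ghostFiles():
+continue
+
+# catch xml exceptions
+try:
+if f.startswith("/usr/share/PolicyKit/policy/"):
+f = pkg.dirName() + f
+xml = parse(f)
+for a in xml.getElementsByTagName("action"):
+action = a.getAttribute('id')
+if not action in self.privs:
+iserr = 0
+foundno = 0
+anyseen = 0
+try:
+defaults = a.getElementsByTagName("defaults")[0]
+for i in defaults.childNodes:
+if not i.nodeType == i.ELEMENT_NODE:
+continue
+if i.nodeName == 'allow_any':
+anyseen = 1
+if i.firstChild.data.find("auth_admin") != 0:
+if i.firstChild.data == 'no':
+foundno = 1
+else:
+iserr = 1
+except:
+iserr = 1
+
+if iserr:
+printError(pkg, 'polkit-unauthorized-privilege', action)
+else:
+printWarning(pkg, 'polkit-unauthorized-privilege', action)
+
+if foundno or not anyseen:
+printWarning(pkg, 'polkit-cant-acquire-privilege', action)
+except:
+continue
+
+check=PolkitCheck()
+
+if Config.info:
+addDetails(
+'polkit-unauthorized-file',
+"""Please contact security@suse.de for review.""",
+'polkit-unauthorized-privilege',
+"""Please contact security@suse.de for review.""",
+'polkit-cant-acquire-privilege',
+"""Usability can be improved by allowing users to acquire privileges
+via authentication. Use e.g. 'auth_admin' instead of 'no' and make
+sure to define 'allow_any'.""")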
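Review bot: The bare `except: continue` that closes the per-file loop in `check` swallows every error, including a failed `parse(f)`, so a policy file that cannot be parsed (or any action after the one that raised) produces no finding at all and the package passes the check; catching the parse failure separately and reporting it would keep the check fail-safe, which would need its own tag and `addDetails` entry. `_parsefile` never closes the handle from `open(file)`, raises IndexError on a line with a single token, and on a line with leading whitespace `re.split` yields an empty first field so the privilege name is lost; a `with` block plus `str.split` handles all three, see below. `bn = f[28:]` hard-codes the length of `"/etc/polkit-default-privs.d/"`, whereas the sibling CheckDBUSServices.py derives it with `len(p)`. The inner `except:` that sets `iserr = 1` is fine as a fail-safe default, though naming the exception type would make the intent clearer.
```python
def _parsefile(self,file):
    with open(file) as fh:
        for line in fh:
            fields = line.split('#')[0].split()
            if len(fields) < 2:
                continue
            self.privs[fields[0]] = fields[1]
    # … unchanged: check() …
```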
3
config
3
config
@ -26,6 +26,9 @@ addCheck("CheckIconSizes")
|
|||||||
#addCheck("CheckStaticLibraries")
|
#addCheck("CheckStaticLibraries")
|
||||||
addCheck("BrandingPolicyCheck")
|
addCheck("BrandingPolicyCheck")
|
||||||
addCheck("CheckSUIDPermissions")
|
addCheck("CheckSUIDPermissions")
|
||||||
|
# polkit-default-privs would need to be installed always
|
||||||
|
#addCheck("CheckPolkitPrivs")
|
||||||
|
addCheck("CheckDBUSServices")
|
||||||
addCheck("CheckKDE4Deps")
|
addCheck("CheckKDE4Deps")
|
||||||
addCheck("KMPPolicyCheck")
|
addCheck("KMPPolicyCheck")
|
||||||
|
|
||||||
|
@ -26,6 +26,9 @@ addCheck("CheckIconSizes")
|
|||||||
#addCheck("CheckStaticLibraries")
|
#addCheck("CheckStaticLibraries")
|
||||||
addCheck("BrandingPolicyCheck")
|
addCheck("BrandingPolicyCheck")
|
||||||
addCheck("CheckSUIDPermissions")
|
addCheck("CheckSUIDPermissions")
|
||||||
|
# polkit-default-privs would need to be installed always
|
||||||
|
#addCheck("CheckPolkitPrivs")
|
||||||
|
addCheck("CheckDBUSServices")
|
||||||
|
|
||||||
# stuff autobuild takes care about
|
# stuff autobuild takes care about
|
||||||
addFilter(".*invalid-version.*")
|
addFilter(".*invalid-version.*")
|
||||||
|
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 11 14:07:19 CET 2008 - lnussel@suse.de
|
||||||
|
|
||||||
|
- add a check for PolicyKit privileges (disabled atm)
|
||||||
|
- add check for DBUS services
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Dec 3 08:50:33 CET 2008 - dmueller@suse.de
|
Wed Dec 3 08:50:33 CET 2008 - dmueller@suse.de
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ Name: rpmlint
|
|||||||
BuildRequires: rpm-python
|
BuildRequires: rpm-python
|
||||||
Summary: Rpm correctness checker
|
Summary: Rpm correctness checker
|
||||||
Version: 0.84
|
Version: 0.84
|
||||||
Release: 4
|
Release: 5
|
||||||
Source0: %{name}-%{version}.tar.bz2
|
Source0: %{name}-%{version}.tar.bz2
|
||||||
Source1: config
|
Source1: config
|
||||||
Source1001: config.in
|
Source1001: config.in
|
||||||
@ -39,6 +39,8 @@ Source11: BrandingPolicyCheck.py
|
|||||||
Source12: CheckKDE4Deps.py
|
Source12: CheckKDE4Deps.py
|
||||||
Source13: KMPPolicyCheck.py
|
Source13: KMPPolicyCheck.py
|
||||||
Source14: CheckSUIDPermissions.py
|
Source14: CheckSUIDPermissions.py
|
||||||
|
Source15: CheckPolkitPrivs.py
|
||||||
|
Source16: CheckDBUSServices.py
|
||||||
Source100: syntax-validator.py
|
Source100: syntax-validator.py
|
||||||
Url: http://rpmlint.zarb.org/
|
Url: http://rpmlint.zarb.org/
|
||||||
License: GPL v2 or later
|
License: GPL v2 or later
|
||||||
@ -188,6 +190,8 @@ cp -p %{SOURCE11} .
|
|||||||
cp -p %{SOURCE12} .
|
cp -p %{SOURCE12} .
|
||||||
cp -p %{SOURCE13} .
|
cp -p %{SOURCE13} .
|
||||||
cp -p %{SOURCE14} .
|
cp -p %{SOURCE14} .
|
||||||
|
cp -p %{SOURCE15} .
|
||||||
|
cp -p %{SOURCE16} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
make
|
make
|
||||||
@ -214,6 +218,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
/usr/share/man/man1/rpmlint.1.gz
|
/usr/share/man/man1/rpmlint.1.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 11 2008 lnussel@suse.de
|
||||||
|
- add a check for PolicyKit privileges (disabled atm)
|
||||||
|
- add check for DBUS services
|
||||||
* Wed Dec 03 2008 dmueller@suse.de
|
* Wed Dec 03 2008 dmueller@suse.de
|
||||||
- update suse version check (add 11.1, drop 10.2)
|
- update suse version check (add 11.1, drop 10.2)
|
||||||
- check library packages more strict (bnc#456053)
|
- check library packages more strict (bnc#456053)
|
||||||
|