parent
84f088287b
commit
b3e875aa99
105
CheckDBUSServices.py
Normal file
105
CheckDBUSServices.py
Normal file
@ -0,0 +1,105 @@
|
||||
# vim:sw=4:et
|
||||
#############################################################################
|
||||
# File : CheckDBUSServices.py
|
||||
# Package : rpmlint
|
||||
# Author : Ludwig Nussel
|
||||
# Purpose : Check for DBUS services that are not authorized by the security team
|
||||
#############################################################################
|
||||
|
||||
# http://techbase.kde.org/Development/Tutorials/D-Bus/Autostart_Services
|
||||
|
||||
from Filter import *
|
||||
import AbstractCheck
|
||||
import re
|
||||
import os
|
||||
import string
|
||||
|
||||
_services_whitelist = (
|
||||
# "avahi-dbus.conf",
|
||||
# "backup-manager.conf",
|
||||
# "bluetooth.conf",
|
||||
# "com.google.code.BackupManager.service",
|
||||
# "com.novell.Pkcs11Monitor.conf",
|
||||
"ConsoleKit.conf",
|
||||
# "cups.conf",
|
||||
# "fi.epitest.hostap.WPASupplicant.service",
|
||||
# "galago-daemon.conf",
|
||||
# "gdm.conf",
|
||||
"hal.conf",
|
||||
# "kerneloops.dbus",
|
||||
# "knetworkmanager.conf",
|
||||
# "NetworkManager.conf",
|
||||
# "newprinternotification.conf",
|
||||
# "nm-applet.conf",
|
||||
# "nm-avahi-autoipd.conf",
|
||||
# "nm-dhcp-client.conf",
|
||||
# "nm-dispatcher.conf",
|
||||
# "nm-novellvpn-service.conf",
|
||||
# "nm-openvpn-service.conf",
|
||||
# "nm-pptp-service.conf",
|
||||
# "nm-system-settings.conf",
|
||||
# "nm-vpnc-service.conf",
|
||||
# "org.bluez.service",
|
||||
"org.freedesktop.ConsoleKit.service",
|
||||
# "org.freedesktop.ModemManager.conf",
|
||||
# "org.freedesktop.ModemManager.service",
|
||||
# "org.freedesktop.NetworkManagerSystemSettings.service",
|
||||
# "org.freedesktop.nm_dispatcher.service",
|
||||
# "org.freedesktop.PackageKit.conf",
|
||||
# "org.freedesktop.PackageKit.service",
|
||||
"org.freedesktop.PolicyKit.conf",
|
||||
"org.freedesktop.PolicyKit.service",
|
||||
# "org.gnome.ClockApplet.Mechanism.conf",
|
||||
# "org.gnome.ClockApplet.Mechanism.service",
|
||||
# "org.gnome.GConf.Defaults.conf",
|
||||
# "org.gnome.GConf.Defaults.service",
|
||||
# "org.opensuse.CupsPkHelper.Mechanism.conf",
|
||||
# "org.opensuse.CupsPkHelper.Mechanism.service",
|
||||
# "org.opensuse.yast.SCR.conf",
|
||||
# "org.opensuse.yast.SCR.service",
|
||||
# "pommed.conf",
|
||||
# "powersave.conf",
|
||||
# "upsd.conf",
|
||||
# "wpa_supplicant.conf",
|
||||
# "xorg-server.conf",
|
||||
# "yum-updatesd.conf",
|
||||
)
|
||||
|
||||
# need to end with / so we don't catch directories
|
||||
_dbus_system_paths = [
|
||||
"/usr/share/dbus-1/system-services/",
|
||||
"/etc/dbus-1/system.d/"
|
||||
]
|
||||
|
||||
class DBUSServiceCheck(AbstractCheck.AbstractCheck):
|
||||
def __init__(self):
|
||||
AbstractCheck.AbstractCheck.__init__(self, "CheckDBUSServices")
|
||||
|
||||
def check(self, pkg):
|
||||
global _services_whitelist
|
||||
global _dbus_system_paths
|
||||
|
||||
if pkg.isSource():
|
||||
return
|
||||
|
||||
files = pkg.files()
|
||||
|
||||
for f in files:
|
||||
if f in pkg.ghostFiles():
|
||||
continue
|
||||
|
||||
for p in _dbus_system_paths:
|
||||
if f.startswith(p):
|
||||
|
||||
bn = f[len(p):]
|
||||
if not bn in _services_whitelist:
|
||||
printError(pkg, "dbus-unauthorized-service", f)
|
||||
|
||||
check=DBUSServiceCheck()
|
||||
|
||||
if Config.info:
|
||||
addDetails(
|
||||
'dbus-unauthorized-service',
|
||||
"""The package installs an unauthorized DBUS service.
|
||||
Please contact security@suse.de for review.""",
|
||||
)
|
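Review bot: The whitelist is keyed on the file name alone (`bn = f[len(p):]` followed by the membership test), so an allowance is not tied to the package that was reviewed: any package that installs a file named `hal.conf` under /etc/dbus-1/system.d/ passes `check` without a `dbus-unauthorized-service` error. Keying the entries by package as well, e.g. a tuple of `(package, filename)` pairs tested against `(pkg.name, bn)`, would make the result follow the package the security team actually audited. As points of style, `if not bn in _services_whitelist` reads better as `if bn not in _services_whitelist`, the two `global` statements are unnecessary for read-only access, and `re`, `os` and `string` are imported but never used. A comment on `_dbus_system_paths` could also say that a file in a subdirectory of a watched path yields a `bn` containing a slash and is therefore always reported, which is the conservative behaviour but not obvious from the code.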
124
CheckPolkitPrivs.py
Normal file
124
CheckPolkitPrivs.py
Normal file
@ -0,0 +1,124 @@
|
||||
# vim:sw=4:et
|
||||
#############################################################################
|
||||
# File : CheckPolkitPrivs.py
|
||||
# Package : rpmlint
|
||||
# Author : Ludwig Nussel
|
||||
# Purpose : Check for /etc/polkit-default-privs violations
|
||||
#############################################################################
|
||||
|
||||
from Filter import *
|
||||
import AbstractCheck
|
||||
import re
|
||||
import os
|
||||
from xml.dom.minidom import parse
|
||||
|
||||
_whitelist = ()
|
||||
|
||||
class PolkitCheck(AbstractCheck.AbstractCheck):
|
||||
def __init__(self):
|
||||
AbstractCheck.AbstractCheck.__init__(self, "CheckPolkitPrivs")
|
||||
self.privs = {}
|
||||
|
||||
files = [ "/etc/polkit-default-privs.standard" ]
|
||||
|
||||
for file in files:
|
||||
if os.path.exists(file):
|
||||
self._parsefile(file)
|
||||
|
||||
def _parsefile(self,file):
|
||||
for line in open(file):
|
||||
line = line.split('#')[0].split('\n')[0]
|
||||
if len(line):
|
||||
line = re.split(r'\s+', line)
|
||||
priv = line[0]
|
||||
value = line[1]
|
||||
|
||||
self.privs[priv] = value
|
||||
|
||||
def check(self, pkg):
|
||||
global _whitelist
|
||||
|
||||
if pkg.isSource():
|
||||
return
|
||||
|
||||
files = pkg.files()
|
||||
|
||||
permfiles = {}
|
||||
# first pass, find additional files
|
||||
for f in files:
|
||||
if f in pkg.ghostFiles():
|
||||
continue
|
||||
|
||||
if f.startswith("/etc/polkit-default-privs.d/"):
|
||||
|
||||
bn = f[28:]
|
||||
if not bn in _whitelist:
|
||||
printError(pkg, "polkit-unauthorized-file", f)
|
||||
|
||||
bn = bn.split('.')[0]
|
||||
if not bn in permfiles:
|
||||
permfiles[bn] = 1
|
||||
|
||||
for f in permfiles:
|
||||
f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f
|
||||
if os.path.exists(f+".restrictive"):
|
||||
self._parsefile(f + ".restrictive")
|
||||
elif os.path.exists(f+".standard"):
|
||||
self._parsefile(f + ".standard")
|
||||
elif os.path.exists(f+".relaxed"):
|
||||
self._parsefile(f + ".relaxed")
|
||||
else:
|
||||
self._parsefile(f)
|
||||
|
||||
for f in files:
|
||||
if f in pkg.ghostFiles():
|
||||
continue
|
||||
|
||||
# catch xml exceptions
|
||||
try:
|
||||
if f.startswith("/usr/share/PolicyKit/policy/"):
|
||||
f = pkg.dirName() + f
|
||||
xml = parse(f)
|
||||
for a in xml.getElementsByTagName("action"):
|
||||
action = a.getAttribute('id')
|
||||
if not action in self.privs:
|
||||
iserr = 0
|
||||
foundno = 0
|
||||
anyseen = 0
|
||||
try:
|
||||
defaults = a.getElementsByTagName("defaults")[0]
|
||||
for i in defaults.childNodes:
|
||||
if not i.nodeType == i.ELEMENT_NODE:
|
||||
continue
|
||||
if i.nodeName == 'allow_any':
|
||||
anyseen = 1
|
||||
if i.firstChild.data.find("auth_admin") != 0:
|
||||
if i.firstChild.data == 'no':
|
||||
foundno = 1
|
||||
else:
|
||||
iserr = 1
|
||||
except:
|
||||
iserr = 1
|
||||
|
||||
if iserr:
|
||||
printError(pkg, 'polkit-unauthorized-privilege', action)
|
||||
else:
|
||||
printWarning(pkg, 'polkit-unauthorized-privilege', action)
|
||||
|
||||
if foundno or not anyseen:
|
||||
printWarning(pkg, 'polkit-cant-acquire-privilege', action)
|
||||
except:
|
||||
continue
|
||||
|
||||
check=PolkitCheck()
|
||||
|
||||
if Config.info:
|
||||
addDetails(
|
||||
'polkit-unauthorized-file',
|
||||
"""Please contact security@suse.de for review.""",
|
||||
'polkit-unauthorized-privilege',
|
||||
"""Please contact security@suse.de for review.""",
|
||||
'polkit-cant-acquire-privilege',
|
||||
"""Usability can be improved by allowing users to acquire privileges
|
||||
via authentication. Use e.g. 'auth_admin' instead of 'no' and make
|
||||
sure to define 'allow_any'.""")
|
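Review bot: `self.privs` is mutated by the per-package `_parsefile` calls in `check`, so privileges declared in one package's /etc/polkit-default-privs.d file stay in the set and silence `polkit-unauthorized-privilege` for every package checked later in the same rpmlint run. The same helper also never closes the file it opens and raises IndexError on any line with a single field, which a malformed package-supplied .d file can trigger to abort the whole run instead of producing a diagnostic. The rewrite below parses into an explicit dict and gives `check` a per-package copy of the baseline; separately, the two bare `except:` clauses should narrow to `Exception` (ideally `xml.parsers.expat.ExpatError` and `IOError` around `parse(f)`) and report the unparsable .policy file with a warning, since `continue` currently lets such a file pass unexamined. `bn = f[28:]` is a magic length that should be written as `len("/etc/polkit-default-privs.d/")` or derived from a named prefix.
```python
    def _parsefile(self, file, privs=None):
        # Parse "<privilege> <value>" lines into *privs* (self.privs when omitted).
        if privs is None:
            privs = self.privs
        with open(file) as fh:
            for line in fh:
                fields = line.split('#')[0].split()
                if len(fields) < 2:
                    continue  # blank, comment-only or malformed line: skip rather than raise
                privs[fields[0]] = fields[1]

    def check(self, pkg):
        # … unchanged: source-package guard, first pass collecting permfiles …
        privs = dict(self.privs)  # per-package copy: one package's .d file must not affect later ones
        for f in permfiles:
            f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f
            if os.path.exists(f + ".restrictive"):
                self._parsefile(f + ".restrictive", privs)
            elif os.path.exists(f + ".standard"):
                self._parsefile(f + ".standard", privs)
            elif os.path.exists(f + ".relaxed"):
                self._parsefile(f + ".relaxed", privs)
            else:
                self._parsefile(f, privs)
        # … unchanged: second pass over .policy files, testing `if not action in privs:` …
```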
3
config
3
config
@ -26,6 +26,9 @@ addCheck("CheckIconSizes")
|
||||
#addCheck("CheckStaticLibraries")
|
||||
addCheck("BrandingPolicyCheck")
|
||||
addCheck("CheckSUIDPermissions")
|
||||
# polkit-default-privs would need to be installed always
|
||||
#addCheck("CheckPolkitPrivs")
|
||||
addCheck("CheckDBUSServices")
|
||||
addCheck("CheckKDE4Deps")
|
||||
addCheck("KMPPolicyCheck")
|
||||
|
||||
|
@ -26,6 +26,9 @@ addCheck("CheckIconSizes")
|
||||
#addCheck("CheckStaticLibraries")
|
||||
addCheck("BrandingPolicyCheck")
|
||||
addCheck("CheckSUIDPermissions")
|
||||
# polkit-default-privs would need to be installed always
|
||||
#addCheck("CheckPolkitPrivs")
|
||||
addCheck("CheckDBUSServices")
|
||||
|
||||
# stuff autobuild takes care about
|
||||
addFilter(".*invalid-version.*")
|
||||
|
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 11 14:07:19 CET 2008 - lnussel@suse.de
|
||||
|
||||
- add a check for PolicyKit privileges (disabled atm)
|
||||
- add check for DBUS services
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 3 08:50:33 CET 2008 - dmueller@suse.de
|
||||
|
||||
|
@ -22,7 +22,7 @@ Name: rpmlint
|
||||
BuildRequires: rpm-python
|
||||
Summary: Rpm correctness checker
|
||||
Version: 0.84
|
||||
Release: 4
|
||||
Release: 5
|
||||
Source0: %{name}-%{version}.tar.bz2
|
||||
Source1: config
|
||||
Source1001: config.in
|
||||
@ -39,6 +39,8 @@ Source11: BrandingPolicyCheck.py
|
||||
Source12: CheckKDE4Deps.py
|
||||
Source13: KMPPolicyCheck.py
|
||||
Source14: CheckSUIDPermissions.py
|
||||
Source15: CheckPolkitPrivs.py
|
||||
Source16: CheckDBUSServices.py
|
||||
Source100: syntax-validator.py
|
||||
Url: http://rpmlint.zarb.org/
|
||||
License: GPL v2 or later
|
||||
@ -188,6 +190,8 @@ cp -p %{SOURCE11} .
|
||||
cp -p %{SOURCE12} .
|
||||
cp -p %{SOURCE13} .
|
||||
cp -p %{SOURCE14} .
|
||||
cp -p %{SOURCE15} .
|
||||
cp -p %{SOURCE16} .
|
||||
|
||||
%build
|
||||
make
|
||||
@ -214,6 +218,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
/usr/share/man/man1/rpmlint.1.gz
|
||||
|
||||
%changelog
|
||||
* Thu Dec 11 2008 lnussel@suse.de
|
||||
- add a check for PolicyKit privileges (disabled atm)
|
||||
- add check for DBUS services
|
||||
* Wed Dec 03 2008 dmueller@suse.de
|
||||
- update suse version check (add 11.1, drop 10.2)
|
||||
- check library packages more strict (bnc#456053)
|
||||
|