forked from pool/rpmlint
OBS User unknown 2008-12-15 14:05:00 +00:00 committed by Git OBS Bridge
parent 84f088287b
commit b3e875aa99
6 changed files with 249 additions and 1 deletions

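--- a/CheckDBUSServices.py
+++ b/CheckDBUSServices.py
@@ -0,0 +1,105 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckDBUSServices.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for DBUS services that are not authorized by the security team
+#############################################################################
+# http://techbase.kde.org/Development/Tutorials/D-Bus/Autostart_Services
+from Filter import *
+import AbstractCheck
+import re
+import os
+import string
+_services_whitelist = (
+# "avahi-dbus.conf",
+# "backup-manager.conf",
+# "bluetooth.conf",
+# "com.google.code.BackupManager.service",
+# "com.novell.Pkcs11Monitor.conf",
+"ConsoleKit.conf",
+# "cups.conf",
+# "fi.epitest.hostap.WPASupplicant.service",
+# "galago-daemon.conf",
+# "gdm.conf",
+"hal.conf",
+# "kerneloops.dbus",
+# "knetworkmanager.conf",
+# "NetworkManager.conf",
+# "newprinternotification.conf",
+# "nm-applet.conf",
+# "nm-avahi-autoipd.conf",
+# "nm-dhcp-client.conf",
+# "nm-dispatcher.conf",
+# "nm-novellvpn-service.conf",
+# "nm-openvpn-service.conf",
+# "nm-pptp-service.conf",
+# "nm-system-settings.conf",
+# "nm-vpnc-service.conf",
+# "org.bluez.service",
+"org.freedesktop.ConsoleKit.service",
+# "org.freedesktop.ModemManager.conf",
+# "org.freedesktop.ModemManager.service",
+# "org.freedesktop.NetworkManagerSystemSettings.service",
+# "org.freedesktop.nm_dispatcher.service",
+# "org.freedesktop.PackageKit.conf",
+# "org.freedesktop.PackageKit.service",
+"org.freedesktop.PolicyKit.conf",
+"org.freedesktop.PolicyKit.service",
+# "org.gnome.ClockApplet.Mechanism.conf",
+# "org.gnome.ClockApplet.Mechanism.service",
+# "org.gnome.GConf.Defaults.conf",
+# "org.gnome.GConf.Defaults.service",
+# "org.opensuse.CupsPkHelper.Mechanism.conf",
+# "org.opensuse.CupsPkHelper.Mechanism.service",
+# "org.opensuse.yast.SCR.conf",
+# "org.opensuse.yast.SCR.service",
+# "pommed.conf",
+# "powersave.conf",
+# "upsd.conf",
+# "wpa_supplicant.conf",
+# "xorg-server.conf",
+# "yum-updatesd.conf",
+)
+# need to end with / so we don't catch directories
+_dbus_system_paths = [
+"/usr/share/dbus-1/system-services/",
+"/etc/dbus-1/system.d/"
+]
+class DBUSServiceCheck(AbstractCheck.AbstractCheck):
+def __init__(self):
+AbstractCheck.AbstractCheck.__init__(self, "CheckDBUSServices")
+def check(self, pkg):
+global _services_whitelist
+global _dbus_system_paths
+if pkg.isSource():
+return
+files = pkg.files()
+for f in files:
+if f in pkg.ghostFiles():
+continue
+for p in _dbus_system_paths:
+if f.startswith(p):
+bn = f[len(p):]
+if not bn in _services_whitelist:
+printError(pkg, "dbus-unauthorized-service", f)
+check=DBUSServiceCheck()
+if Config.info:
+addDetails(
+'dbus-unauthorized-service',
+"""The package installs an unauthorized DBUS service.
+Please contact security@suse.de for review.""",
+)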
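Review bot: The whitelist test at `if not bn in _services_whitelist:` is keyed on the bare filename only, so any package passes the check by shipping a system-bus file under an approved name such as `hal.conf` or `org.freedesktop.PolicyKit.conf`; since the review is about which package may provide a given service, the entry should be tied to the owning package as well, e.g. whitelisting `(pkg.name, bn)` pairs (assuming rpmlint's Pkg exposes the name as `pkg.name`), or at least a comment per entry naming the expected owner. Because `bn` keeps any subdirectory part, a nested file such as `/etc/dbus-1/system.d/sub/x.conf` can never match and is always reported, which is presumably intended but deserves a one-line comment next to `_dbus_system_paths`. On style, the two `global` statements in `check()` are dead (nothing is assigned), `re`, `os` and `string` are imported but unused, and `if bn not in _services_whitelist:` is the idiomatic spelling.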

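--- a/CheckPolkitPrivs.py
+++ b/CheckPolkitPrivs.py
@@ -0,0 +1,124 @@
+# vim:sw=4:et
+#############################################################################
+# File : CheckPolkitPrivs.py
+# Package : rpmlint
+# Author : Ludwig Nussel
+# Purpose : Check for /etc/polkit-default-privs violations
+#############################################################################
+from Filter import *
+import AbstractCheck
+import re
+import os
+from xml.dom.minidom import parse
+_whitelist = ()
+class PolkitCheck(AbstractCheck.AbstractCheck):
+def __init__(self):
+AbstractCheck.AbstractCheck.__init__(self, "CheckPolkitPrivs")
+self.privs = {}
+files = [ "/etc/polkit-default-privs.standard" ]
+for file in files:
+if os.path.exists(file):
+self._parsefile(file)
+def _parsefile(self,file):
+for line in open(file):
+line = line.split('#')[0].split('\n')[0]
+if len(line):
+line = re.split(r'\s+', line)
+priv = line[0]
+value = line[1]
+self.privs[priv] = value
+def check(self, pkg):
+global _whitelist
+if pkg.isSource():
+return
+files = pkg.files()
+permfiles = {}
+# first pass, find additional files
+for f in files:
+if f in pkg.ghostFiles():
+continue
+if f.startswith("/etc/polkit-default-privs.d/"):
+bn = f[28:]
+if not bn in _whitelist:
+printError(pkg, "polkit-unauthorized-file", f)
+bn = bn.split('.')[0]
+if not bn in permfiles:
+permfiles[bn] = 1
+for f in permfiles:
+f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f
+if os.path.exists(f+".restrictive"):
+self._parsefile(f + ".restrictive")
+elif os.path.exists(f+".standard"):
+self._parsefile(f + ".standard")
+elif os.path.exists(f+".relaxed"):
+self._parsefile(f + ".relaxed")
+else:
+self._parsefile(f)
+for f in files:
+if f in pkg.ghostFiles():
+continue
+# catch xml exceptions
+try:
+if f.startswith("/usr/share/PolicyKit/policy/"):
+f = pkg.dirName() + f
+xml = parse(f)
+for a in xml.getElementsByTagName("action"):
+action = a.getAttribute('id')
+if not action in self.privs:
+iserr = 0
+foundno = 0
+anyseen = 0
+try:
+defaults = a.getElementsByTagName("defaults")[0]
+for i in defaults.childNodes:
+if not i.nodeType == i.ELEMENT_NODE:
+continue
+if i.nodeName == 'allow_any':
+anyseen = 1
+if i.firstChild.data.find("auth_admin") != 0:
+if i.firstChild.data == 'no':
+foundno = 1
+else:
+iserr = 1
+except:
+iserr = 1
+if iserr:
+printError(pkg, 'polkit-unauthorized-privilege', action)
+else:
+printWarning(pkg, 'polkit-unauthorized-privilege', action)
+if foundno or not anyseen:
+printWarning(pkg, 'polkit-cant-acquire-privilege', action)
+except:
+continue
+check=PolkitCheck()
+if Config.info:
+addDetails(
+'polkit-unauthorized-file',
+"""Please contact security@suse.de for review.""",
+'polkit-unauthorized-privilege',
+"""Please contact security@suse.de for review.""",
+'polkit-cant-acquire-privilege',
+"""Usability can be improved by allowing users to acquire privileges
+via authentication. Use e.g. 'auth_admin' instead of 'no' and make
+sure to define 'allow_any'.""")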
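Review bot: `self.privs` leaks across packages: `check=PolkitCheck()` is one instance for the whole run, `__init__` fills the dict from the system table, and `check()` then adds entries parsed from the package's own `/etc/polkit-default-privs.d/` files without ever removing them, so an action id one package declares there silences `polkit-unauthorized-privilege` for every package checked afterwards. Keep the system table on the instance and work on a per-package copy in `check()`, passing the target dict into `_parsefile` (the `__init__` call becomes `self._parsefile(file, self.privs)`), as sketched below. The outer `except: continue` also hides a `.policy` file that fails to parse, so such a package gets no finding at all; catching `Exception` and reporting the file (a new tag would have to be registered in `addDetails`) would make that visible. Separately, `_parsefile` raises `IndexError` on a line with a single token, and since the first pass runs outside the `try` a malformed package file aborts the check instead of being reported; `f[28:]` would read better as `f[len(prefix):]` with the prefix in a named constant.
```python
    def _parsefile(self, file, privs):
        # fills `privs` so the caller chooses system-wide vs per-package scope
        for line in open(file):
            line = line.split('#')[0].split('\n')[0]
            if len(line):
                line = re.split(r'\s+', line)
                privs[line[0]] = line[1]

    def check(self, pkg):
        global _whitelist
        if pkg.isSource():
            return
        # per-package table: system entries plus this package's own files only
        privs = dict(self.privs)
        # … unchanged: first pass collecting permfiles …
        for f in permfiles:
            f = pkg.dirName() + "/etc/polkit-default-privs.d/" + f
            for suffix in (".restrictive", ".standard", ".relaxed", ""):
                if os.path.exists(f + suffix):
                    self._parsefile(f + suffix, privs)
                    break
        # … unchanged: .policy XML pass, testing `if not action in privs:` …
```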

config

@ -26,6 +26,9 @@ addCheck("CheckIconSizes")
#addCheck("CheckStaticLibraries")
addCheck("BrandingPolicyCheck")
addCheck("CheckSUIDPermissions")
# polkit-default-privs would need to be installed always
#addCheck("CheckPolkitPrivs")
addCheck("CheckDBUSServices")
addCheck("CheckKDE4Deps")
addCheck("KMPPolicyCheck")


@ -26,6 +26,9 @@ addCheck("CheckIconSizes")
#addCheck("CheckStaticLibraries")
addCheck("BrandingPolicyCheck")
addCheck("CheckSUIDPermissions")
# polkit-default-privs would need to be installed always
#addCheck("CheckPolkitPrivs")
addCheck("CheckDBUSServices")
# stuff autobuild takes care about
addFilter(".*invalid-version.*")


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Dec 11 14:07:19 CET 2008 - lnussel@suse.de
- add a check for PolicyKit privileges (disabled atm)
- add check for DBUS services
-------------------------------------------------------------------
Wed Dec 3 08:50:33 CET 2008 - dmueller@suse.de


@ -22,7 +22,7 @@ Name: rpmlint
BuildRequires: rpm-python
Summary: Rpm correctness checker
Version: 0.84
Release: 4
Release: 5
Source0: %{name}-%{version}.tar.bz2
Source1: config
Source1001: config.in
@ -39,6 +39,8 @@ Source11: BrandingPolicyCheck.py
Source12: CheckKDE4Deps.py
Source13: KMPPolicyCheck.py
Source14: CheckSUIDPermissions.py
Source15: CheckPolkitPrivs.py
Source16: CheckDBUSServices.py
Source100: syntax-validator.py
Url: http://rpmlint.zarb.org/
License: GPL v2 or later
@ -188,6 +190,8 @@ cp -p %{SOURCE11} .
cp -p %{SOURCE12} .
cp -p %{SOURCE13} .
cp -p %{SOURCE14} .
cp -p %{SOURCE15} .
cp -p %{SOURCE16} .
%build
make
@ -214,6 +218,9 @@ rm -rf $RPM_BUILD_ROOT
/usr/share/man/man1/rpmlint.1.gz
%changelog
* Thu Dec 11 2008 lnussel@suse.de
- add a check for PolicyKit privileges (disabled atm)
- add check for DBUS services
* Wed Dec 03 2008 dmueller@suse.de
- update suse version check (add 11.1, drop 10.2)
- check library packages more strict (bnc#456053)