Accepting request 53336 from Base:System

Accepted submit request 53336 from user lnussel

OBS-URL: https://build.opensuse.org/request/show/53336
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=82

CheckSUIDPermissions.py

@@ -98,11 +98,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
             else:
                 self._parsefile(f)
 
-        need_run_permissions = False
+        need_set_permissions = False
+        found_suseconfig = False
         # second pass, find permissions violations
         for f, pkgfile in files.items():
-            if f in pkg.ghostFiles():
-                continue
 
             if pkgfile.filecaps:
                 printError(pkg, 'permissions-fscaps', '%(file)s has fscaps "%(caps)s"' % \
@@ -168,22 +167,46 @@ class SUIDCheck(AbstractCheck.AbstractCheck):
 
             if need_verifyscript and \
                     (not f in self.perms or not 'static' in self.perms[f]):
-                need_run_permissions = True
+                need_set_permissions = True
                 script = pkg[rpm.RPMTAG_VERIFYSCRIPT] or pkg[rpm.RPMTAG_VERIFYSCRIPTPROG]
-                if not script or not "chkstat -n -e %s"%f in script:
-                    printError(pkg, 'permissions-missing-verifyscript', \
+
+                found = False
+                if script:
+                    for line in script.split("\n"):
+                        if "/chkstat" in line and f in line:
+                            found = True
+                            break
+
+                if not script or not found:
+                    printWarning(pkg, 'permissions-missing-verifyscript', \
                             "missing %%verify_permissions -e %s" % f)
 
-        if need_run_permissions:
-            postin = pkg[rpm.RPMTAG_POSTIN] or pkg[rpm.RPMTAG_POSTINPROG]
-            if not postin or not "SuSEconfig --module permissions" in postin:
-                printError(pkg, 'permissions-missing-postin', \
-                        "missing %run_permissions in %post")
 
+                script = pkg[rpm.RPMTAG_POSTIN] or pkg[rpm.RPMTAG_POSTINPROG]
+                found = False
+                if script:
+                    for line in script.split("\n"):
+                        if "chkstat -n" in line and f in line:
+                            found = True
+                            break
+
+                        if "SuSEconfig --module permissions" in line:
+                            found = True
+                            found_suseconfig = True
+                            break
+
+                if not script and not found:
+                    printError(pkg, 'permissions-missing-postin', \
+                            "missing %%set_permissions %s in %%post" % f)
+
+        if need_set_permissions:
             if not 'permissions' in map(lambda x: x[0], pkg.prereq()):
                 printError(pkg, 'permissions-missing-requires', \
                         "missing 'permissions' in PreReq")
 
+        if found_suseconfig:
+            printInfo(pkg, 'permissions-suseconfig-obsolete', \
+                    "%run_permissions is obsolete")
 
 check=SUIDCheck()
 
@@ -226,9 +249,13 @@ use normal permissions instead. You may contact the security team to
 request an entry that sets capabilities in /etc/permissions
 instead.""",
 'permissions-missing-postin',
-"""Please add %run_permissions to %post""",
+"""Please add an appropriate %post section""",
 'permissions-missing-requires',
 """Please add \"PreReq: permissions\"""",
 'permissions-missing-verifyscript',
 """Please add a %verifyscript section""",
+'permissions-suseconfig-obsolete',
+"""The %run_permissions macro calls SuSEconfig which sets permissions for all
+files in the system. Please use %set_permissions <filename> instead
+to only set permissions for files contained in this package""",
 )

rpmlint-badness-info.diff

@@ -0,0 +1,30 @@
+From c887ed177b551186dc30f7528cd23c018ca2b69d Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Thu, 4 Nov 2010 17:25:35 +0100
+Subject: [PATCH] allow info messages even if badness scoring is used
+
+---
+ Filter.py |    7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/Filter.py b/Filter.py
+index 4b5ca1e..baaee45 100644
+--- a/Filter.py
++++ b/Filter.py
+@@ -47,7 +47,12 @@ def _print(msgtype, pkg, reason, details):
+     badness = 0
+     if threshold >= 0:
+         badness = Config.badness(reason)
+-        msgtype = badness and "E" or "W"
++        # anything with badness is an error
++        if badness:
++            msgtype == 'E'
++        # errors without badness become warnings
++        elif msgtype == 'E':
++            msgtype = 'W'
+ 
+     ln = ""
+     if pkg.current_linenum is not None:
+-- 
+1.7.1
+

rpmlint.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Nov 18 10:46:19 UTC 2010 - lnussel@suse.de
+
+- also check ghost files for permission violations
+
+-------------------------------------------------------------------
+Wed Nov 17 10:10:29 UTC 2010 - lnussel@suse.de
+
+- add check for %set_permissions
+
+-------------------------------------------------------------------
+Tue Nov 16 15:19:41 UTC 2010 - lnussel@suse.de
+
+- modify match in CheckSUIDPermissions to work with new macros
+- allow info messages even if badness scoring is used
+
 -------------------------------------------------------------------
 Mon Nov 15 17:14:55 CET 2010 - dmueller@suse.de
 

rpmlint.spec

@@ -120,6 +120,7 @@ Patch78:        suse-g-ir-chech.diff
 Patch79:        rpmlint-fscaps.diff
 Patch80:        remove-expand-macros.diff
 Patch81:        suse-whitelist-opensuse.diff
+Patch82:        rpmlint-badness-info.diff
 %py_requires
 
 %description
@@ -196,6 +197,7 @@ Authors:
 %patch79 -p1
 %patch80
 %patch81
+%patch82 -p1
 cp -p %{SOURCE1} .
 cp -p %{SOURCE2} .
 cp -p %{SOURCE3} .