From de6c5c2d3689cca1b670f2a1faa6fd191911ff0d681b8cc258b278246b8ce6f0 Mon Sep 17 00:00:00 2001 From: Ruediger Oertel Date: Thu, 18 Nov 2010 16:53:51 +0000 Subject: [PATCH] Accepting request 53336 from Base:System Accepted submit request 53336 from user lnussel OBS-URL: https://build.opensuse.org/request/show/53336 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpmlint?expand=0&rev=82 --- CheckSUIDPermissions.py | 51 ++++++++++++++++++++++++++++++--------- rpmlint-badness-info.diff | 30 +++++++++++++++++++++++ rpmlint.changes | 16 ++++++++++++ rpmlint.spec | 2 ++ 4 files changed, 87 insertions(+), 12 deletions(-) create mode 100644 rpmlint-badness-info.diff diff --git a/CheckSUIDPermissions.py b/CheckSUIDPermissions.py index 584af6a..4e77982 100644 --- a/CheckSUIDPermissions.py +++ b/CheckSUIDPermissions.py @@ -98,11 +98,10 @@ class SUIDCheck(AbstractCheck.AbstractCheck): else: self._parsefile(f) - need_run_permissions = False + need_set_permissions = False + found_suseconfig = False # second pass, find permissions violations for f, pkgfile in files.items(): - if f in pkg.ghostFiles(): - continue if pkgfile.filecaps: printError(pkg, 'permissions-fscaps', '%(file)s has fscaps "%(caps)s"' % \ 
@@ -168,22 +167,46 @@ class SUIDCheck(AbstractCheck.AbstractCheck): if need_verifyscript and \ (not f in self.perms or not 'static' in self.perms[f]): - need_run_permissions = True + need_set_permissions = True script = pkg[rpm.RPMTAG_VERIFYSCRIPT] or pkg[rpm.RPMTAG_VERIFYSCRIPTPROG] - if not script or not "chkstat -n -e %s"%f in script: - printError(pkg, 'permissions-missing-verifyscript', \ + + found = False + if script: + for line in script.split("\n"): + if "/chkstat" in line and f in line: + found = True + break + + if not script or not found: + printWarning(pkg, 'permissions-missing-verifyscript', \ "missing %%verify_permissions -e %s" % f) - if need_run_permissions: - postin = pkg[rpm.RPMTAG_POSTIN] or pkg[rpm.RPMTAG_POSTINPROG] - if not postin or not "SuSEconfig --module permissions" in postin: - printError(pkg, 'permissions-missing-postin', \ - "missing %run_permissions in %post") + script = pkg[rpm.RPMTAG_POSTIN] or pkg[rpm.RPMTAG_POSTINPROG] + found = False + if script: + for line in script.split("\n"): + if "chkstat -n" in line and f in line: + found = True + break + + if "SuSEconfig --module permissions" in line: + found = True + found_suseconfig = True + break + + if not script and not found: + printError(pkg, 'permissions-missing-postin', \ + "missing %%set_permissions %s in %%post" % f) + + if need_set_permissions: if not 'permissions' in map(lambda x: x[0], pkg.prereq()): printError(pkg, 'permissions-missing-requires', \ "missing 'permissions' in PreReq") + if found_suseconfig: + printInfo(pkg, 'permissions-suseconfig-obsolete', \ + "%run_permissions is obsolete") check=SUIDCheck() 
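Review bot: The new %post check ends with `if not script and not found:`, so `permissions-missing-postin` is reported only when the package has no %post script at all. A package whose %post exists but never calls chkstat for the file passes without a message, which lets the check for setuid/privileged files fail open. The %verifyscript check just above uses `or`; because `found` stays False when there is no script, `if not found:` would cover both cases here. Separately, `f in line` is a substring test in both loops, so a line that handles a longer path containing `f` (for example a sibling binary with the same prefix) would satisfy the check; comparing against whole path tokens would avoid that. The enclosing method starts outside this hunk.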
@@ -226,9 +249,13 @@ use normal permissions instead. You may contact the security team to request an entry that sets capabilities in /etc/permissions instead.""", 'permissions-missing-postin', -"""Please add %run_permissions to %post""", +"""Please add an appropriate %post section""", 'permissions-missing-requires', """Please add \"PreReq: permissions\"""", 'permissions-missing-verifyscript', """Please add a %verifyscript section""", +'permissions-suseconfig-obsolete', +"""The %run_permissions macro calls SuSEconfig which sets permissions for all +files in the system. Please use %set_permissions instead +to only set permissions for files contained in this package""", ) diff --git a/rpmlint-badness-info.diff b/rpmlint-badness-info.diff new file mode 100644 index 0000000..a0b1df9 --- /dev/null +++ b/rpmlint-badness-info.diff @@ -0,0 +1,30 @@ +From c887ed177b551186dc30f7528cd23c018ca2b69d Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Thu, 4 Nov 2010 17:25:35 +0100 +Subject: [PATCH] allow info messages even if badness scoring is used + +--- + Filter.py | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +diff --git a/Filter.py b/Filter.py +index 4b5ca1e..baaee45 100644 +--- a/Filter.py ++++ b/Filter.py +@@ -47,7 +47,12 @@ def _print(msgtype, pkg, reason, details): + badness = 0 + if threshold >= 0: + badness = Config.badness(reason) +- msgtype = badness and "E" or "W" ++ # anything with badness is an error ++ if badness: ++ msgtype == 'E' ++ # errors without badness become warnings ++ elif msgtype == 'E': ++ msgtype = 'W' + + ln = "" + if pkg.current_linenum is not None: +-- +1.7.1 + diff --git a/rpmlint.changes b/rpmlint.changes index edc768d..c80f4de 100644 --- a/rpmlint.changes +++ b/rpmlint.changes 
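Review bot: In the embedded Filter.py patch (the new file rpmlint-badness-info.diff), `msgtype == 'E'` under `if badness:` is a comparison whose result is discarded, not an assignment, so a message with non-zero badness keeps whatever type the caller passed. The removed line `msgtype = badness and "E" or "W"` forced every scored reason to `E`. With this change a `printWarning` or `printInfo` call for a scored reason stays `W` or `I`, which would apply to `permissions-missing-verifyscript` (downgraded to `printWarning` in this same commit) if it carries badness; the badness table is not visible here. The line should read `msgtype = 'E'`. `_print` continues outside the hunk.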
@@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Thu Nov 18 10:46:19 UTC 2010 - lnussel@suse.de + +- also check ghost files for permission violations + +------------------------------------------------------------------- +Wed Nov 17 10:10:29 UTC 2010 - lnussel@suse.de + +- add check for %set_permissions + +------------------------------------------------------------------- +Tue Nov 16 15:19:41 UTC 2010 - lnussel@suse.de + +- modify match in CheckSUIDPermissions to work with new macros +- allow info messages even if badness scoring is used + ------------------------------------------------------------------- Mon Nov 15 17:14:55 CET 2010 - dmueller@suse.de diff --git a/rpmlint.spec b/rpmlint.spec index 55f5100..04eb0d3 100644 --- a/rpmlint.spec +++ b/rpmlint.spec @@ -120,6 +120,7 @@ Patch78: suse-g-ir-chech.diff Patch79: rpmlint-fscaps.diff Patch80: remove-expand-macros.diff Patch81: suse-whitelist-opensuse.diff +Patch82: rpmlint-badness-info.diff %py_requires %description @@ -196,6 +197,7 @@ Authors: %patch79 -p1 %patch80 %patch81 +%patch82 -p1 cp -p %{SOURCE1} . cp -p %{SOURCE2} . cp -p %{SOURCE3} .