From c45057466e8e40bbb36fa90faa10a2b678c25ba2 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Wed, 30 Apr 2014 16:35:20 +0200
Subject: [PATCH rpmlint] disallow /var/run and /var/lock

Distros moved to having /var/run and /var/lock as symlinks to /run resp /run/lock. Therefore packages must no longer put files there at all. Also, refactor the code for dir-or-file-in-* and make it configurable.
---
 FilesCheck.py | 77 +++++++++++++++++++++++------------------------------------
 config | 4 ++++
 2 files changed, 34 insertions(+), 47 deletions(-)

Index: rpmlint-1.5/FilesCheck.py
===================================================================
--- rpmlint-1.5.orig/FilesCheck.py
+++ rpmlint-1.5/FilesCheck.py
@@ -559,12 +559,9 @@ STANDARD_DIRS = (
     '/var/lib/nobody',
     '/var/lib/pam_devperm',
     '/var/lib/wwwrun',
-    '/var/lock',
-    '/var/lock/subsys',
     '/var/log',
     '/var/mail',
     '/var/opt',
-    '/var/run',
     '/var/spool',
     '/var/spool/clientmqueue',
     '/var/spool/locks',
@@ -589,7 +586,19 @@ DEFAULT_STANDARD_GROUPS = ('root', 'bin'
                            'shutdown', 'halt', 'mail', 'news', 'uucp',
                            'man', 'nobody',)
 
-tmp_regex = re.compile('^(/var|/usr)?/tmp/')
+DEFAULT_DISALLOWED_DIRS = (
+    '/home',
+    '/mnt',
+    '/opt',
+    '/tmp',
+    '/usr/local',
+    '/usr/tmp',
+    '/var/local',
+    '/var/lock',
+    '/var/run',
+    '/var/tmp',
+)
+
 sub_bin_regex = re.compile('^(/usr)?/s?bin/\S+/')
 backup_regex = re.compile('(~|\#[^/]+\#|\.orig|\.orig\.gz|\.rej)$')
 compr_regex = re.compile('\.(gz|z|Z|zip|bz2|lzma|xz)$')
@@ -653,6 +662,8 @@ use_relative_symlinks = Config.getOption
 standard_groups = Config.getOption('StandardGroups',
                                    DEFAULT_STANDARD_GROUPS)
 standard_users = Config.getOption('StandardUsers',
                                   DEFAULT_STANDARD_USERS)
+disallowed_dirs = Config.getOption('DisallowedDirs', DEFAULT_DISALLOWED_DIRS)
+
 non_readable_regexs = (re.compile('^/var/log/'),
                        re.compile('^/etc/(g?shadow-?|securetty)$'))
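Review bot: The hunk at @@ -589 deletes the module-level `tmp_regex` while only the use site at @@ -871 is updated in this patch; if any other code path in FilesCheck.py still references `tmp_regex` (not visible here), it would now fail with a NameError at check time rather than at import, so a grep for the name before merging is worthwhile. The replacement entries `/tmp`, `/usr/tmp` and `/var/tmp` in `DEFAULT_DISALLOWED_DIRS` only reproduce the old regex's coverage if the check matches them as directory prefixes, which is a separate point on the @@ -871 hunk.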
@@ -871,19 +882,13 @@ class FilesCheck(AbstractCheck.AbstractC
                     is_kernel_package:
                 printError(pkg, "kernel-modules-not-in-kernel-packages", f)
 
-            for i in ['mnt','opt','usr-local','var-local','home']:
-                if f.startswith('/%s/' % i.replace('-','/')):
-                    printError(pkg, 'dir-or-file-in-%s' % i, f)
-
-            if tmp_regex.search(f):
-                printError(pkg, 'dir-or-file-in-tmp', f)
+            for i in disallowed_dirs:
+                if f.startswith(i):
+                    printError(pkg, 'dir-or-file-in-%s' % '-'.join(i.split('/')[1:]), f)
 
-            elif f.startswith('/var/run/'):
+            if f.startswith('/run/'):
                 if f not in ghost_files:
-                    printWarning(pkg, 'non-ghost-in-var-run', f)
-            elif f.startswith('/var/lock/'):
-                if f not in ghost_files:
-                    printWarning(pkg, 'non-ghost-in-var-lock', f)
+                    printWarning(pkg, 'non-ghost-in-run', f)
             elif sub_bin_regex.search(f):
                 printError(pkg, 'subdir-in-bin', f)
             elif '/site_perl/' in f:
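Review bot: `if f.startswith(i):` matches on a bare string prefix, whereas the removed code matched `'/%s/'` and the removed `tmp_regex` required a trailing `/`, so any path that merely begins with a disallowed name (for example `/tmpfoo` or `/optional/...`) is now reported as `dir-or-file-in-tmp` / `dir-or-file-in-opt`, and the same would apply to anything a site adds via `DisallowedDirs`. Matching at a path-component boundary keeps the old semantics while still catching the directory entry itself: `if f == i or f.startswith(i + '/'):`. The enclosing `check` method starts before and continues after this hunk, so whether `f` is always an absolute path without a trailing slash cannot be confirmed from here; if it can carry a trailing slash the comparison should normalise it first.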
@@ -1466,35 +1471,10 @@ install-info.''',
 '''You have a perl temporary file in your package. Usually, this file is
 beginning with a dot (.) and contain "perl" in its name.''',
 
-'dir-or-file-in-tmp',
-'''A file in the package is located in /tmp. It's not permitted
-for packages to install files in this directory.''',
-
-'dir-or-file-in-mnt',
-'''A file in the package is located in /mnt. It's not permitted
-for packages to install files in this directory.''',
-
-'dir-or-file-in-opt',
-'''A file in the package is located in /opt. It's not permitted
-for packages to install files in this directory.''',
-
-'dir-or-file-in-usr-local',
-'''A file in the package is located in /usr/local. It's not permitted
-for packages to install files in this directory.''',
-
-'dir-or-file-in-var-local',
-'''A file in the package is located in /var/local. It's not permitted
-for packages to install files in this directory.''',
-
-'non-ghost-in-var-run',
-'''A file or directory in the package is located in /var/run. Files installed
-in this directory should be marked as %ghost and created at runtime to work
-properly in tmpfs /var/run setups.''',
-
-'non-ghost-in-var-lock',
-'''A file or directory in the package is located in /var/lock. Files installed
+'non-ghost-in-run',
+'''A file or directory in the package is located in /run. Files installed
 in this directory should be marked as %ghost and created at runtime to work
-properly in tmpfs /var/lock setups.''',
+properly in tmpfs /run setups.''',
 
 'subdir-in-bin',
 '''The package contains a subdirectory in /usr/bin. It's not permitted to
@@ -1505,10 +1485,6 @@ create a subdir there. Create it in /usr
 by an editor or resulting from applying unclean (fuzzy, or ones with line
 offsets) patches.''',
 
-'dir-or-file-in-home',
-'''A file in the package is located in /home. It's not permitted
-for packages to install files in this directory.''',
-
 'version-control-internal-file',
 '''You have included file(s) internally used by a version control system in
 the package. Move these files out of the package and rebuild it.''',
@@ -1832,6 +1808,13 @@ as part of the example documentation mea
 use it and setup a insecure configuration.'''
 )
 
+for i in disallowed_dirs:
+    addDetails('dir-or-file-in-%s' % '-'.join(i.split('/')[1:]),
+    '''A file in the package is located in %s. It's not permitted
+for packages to install files in this directory.''' % i)
+
+
+
 # FilesCheck.py ends here
 # Local variables:
Index: rpmlint-1.5/config
===================================================================
--- rpmlint-1.5.orig/config
+++ rpmlint-1.5/config
@@ -126,6 +126,10 @@ from Config import *
 # Type: tuple of strings, see DEFAULT_STANDARD_USERS in FilesCheck
 #setOption("StandardUsers", ())
 
+# List of directory prefixes that are not allowed in packages
+# Type: tuple of strings, see DEFAULT_DISALLOWED_DIRS in FilesCheck
+#setOption("DisallowedDirs", ('/home', '/mnt'))
+
 # List of directories considered to be system default library search paths.
 # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
 #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
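Review bot: The error-id expression `'dir-or-file-in-%s' % '-'.join(i.split('/')[1:])` in the @@ -1832 `addDetails` loop is a verbatim copy of the one in the check at @@ -871, so a later edit to either will silently desynchronise the emitted id from its registered description. A single module-level helper used by both sites removes that risk: `def disallowed_dir_id(d):` / `    return 'dir-or-file-in-%s' % '-'.join(d.strip('/').split('/'))`. The `strip('/')` also avoids a trailing `-` in the id (and a mismatch with the prefix check) when a site configures `DisallowedDirs` with a trailing slash such as `'/home/'`, which the new `config` comment does not rule out. Minor style: the loop variable `i` stays bound at module scope after the loop, and the three added blank lines before `# FilesCheck.py ends here` exceed the two the file otherwise uses.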