The following commit has been merged in the master branch:
commit 3a6f65a94ab1f687f0494180b1987c1a7b08b93a
Author: Niels Thykier <[email protected]>
Date:   Sat Jun 4 23:42:25 2011 +0200

    Added bad-perm-for-file-in-etc-sudoers.d tag

diff --git a/checks/files b/checks/files
index e907333..4d0c501 100644
--- a/checks/files
+++ b/checks/files
@@ -1097,8 +1097,10 @@ foreach my $file (@{$info->sorted_index}) {
                # everything is ok
            } elsif ($operm == 0600 and $file =~ m,^etc/backup.d/,) {
                # backupninja expects configurations files to be 0600
-           } elsif ($operm == 0440 and $file =~ m,^etc/sudoers.d/,) {
-               # sudo recommends sudoers files be mode 0440
+           } elsif ($file =~ m,^etc/sudoers.d/,) {
+               # sudo requires sudoers files to be mode 0440
+               tag 'bad-perm-for-file-in-etc-sudoers.d', $file,
+                   sprintf('%04o != 0440', $operm) unless $operm == 0440;
            } elsif ($operm != 0644) {
                tag 'non-standard-file-perm', $file,
                    sprintf('%04o != 0644',$operm);
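Review bot: The new `etc/sudoers.d/` branch sits late in an `elsif` chain whose earlier branches start outside this hunk, so a sudoers.d file whose mode is matched by one of them (the `# everything is ok` branch just above, for example) would presumably never reach this check and never get the tag. The test fixture only exercises 0644 (`chmod 644 $(tmp)/etc/sudoers.d/*` in the debian/rules hunk), so that path is unverified; consider testing the path before the mode-specific branches, or adding fixtures for an executable and a group-writable mode. The pattern also leaves the dot unescaped, so it matches any character in that position; `m,^etc/sudoers\.d/,` is stricter. Only `$operm` is examined in this branch, and since sudo also cares who owns these files, a short comment saying where owner and group are enforced (if anywhere) would help the next reader.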
diff --git a/checks/files.desc b/checks/files.desc
index 5245613..b05015e 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -243,6 +243,14 @@ Info: The file has a mode different from 0644. In some 
cases this is
  intentional, but in other cases this is a bug.
 Ref: policy 10.9
 
+Tag: bad-perm-for-file-in-etc-sudoers.d
+Severity: serious
+Certainty: certain
+Info: Files in /etc/sudoers.d/ must be 0440 or sudo will refuse to
+ parse them.
+Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588831,
+     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576527
+
 Tag: special-file
 Severity: serious
 Certainty: certain
diff --git a/debian/changelog b/debian/changelog
index 619eb29..3949e14 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,9 @@ lintian (2.5.1) UNRELEASED; urgency=low
     + Added:
       - dh_pycentral-is-obsolete
       - dh_python-is-obsolete
-      - non-empty-dependency_libs-in-la-file
       - illegal-multi-arch-value
+      - non-empty-dependency_libs-in-la-file
+      - bad-perm-for-file-in-etc-sudoers.d
     + Removed:
       - uses-dh-python-with-no-pycompat
 
@@ -20,6 +21,8 @@ lintian (2.5.1) UNRELEASED; urgency=low
     + [NT] Fixed two misnamed udeb tags, which lead to an internal
       error if triggered.  Thanks to Guillem Jover for the report.
       (Closes: #628754)
+    + [NT] Added bad-perm-for-file-in-etc-sudoers.d tag.
+      (Closes: #588831)
   * checks/java{,.desc}:
     + [NT] Sort the jar files by name, so they are checked in the same
       order.
diff --git a/t/tests/files-general/debian/debian/install 
b/t/tests/files-general/debian/debian/install
index 0e50eb3..98c7ba8 100644
--- a/t/tests/files-general/debian/debian/install
+++ b/t/tests/files-general/debian/debian/install
@@ -11,3 +11,4 @@ php-foo.ini etc/php5/conf.d
 types usr/share/mime
 mimeinfo.cache usr/share/applications
 file-in-new-top-level-dir new-top-level-dir/
+sudotest etc/sudoers.d/
diff --git a/t/tests/files-general/debian/debian/rules 
b/t/tests/files-general/debian/debian/rules
index 1ce5593..7c4d2dd 100755
--- a/t/tests/files-general/debian/debian/rules
+++ b/t/tests/files-general/debian/debian/rules
@@ -13,6 +13,7 @@ override_dh_install:
 override_dh_fixperms:
        dh_fixperms
        chmod 755 $(tmp)/usr/share/man/man5/foo.5.gz
+       chmod 644 $(tmp)/etc/sudoers.d/*
 
 override_dh_compress:
        dh_compress
diff --git a/reporting/lintian-dummy.cfg b/t/tests/files-general/debian/sudotest
similarity index 100%
copy from reporting/lintian-dummy.cfg
copy to t/tests/files-general/debian/sudotest
diff --git a/t/tests/files-general/desc b/t/tests/files-general/desc
index 3a83141..33fbd64 100644
--- a/t/tests/files-general/desc
+++ b/t/tests/files-general/desc
@@ -3,6 +3,7 @@ Sequence: 6000
 Version: 1.0
 Description: Test tags for file paths, names, and modes
 Test-For:
+ bad-perm-for-file-in-etc-sudoers.d
  dir-or-file-in-var-lock
  dir-or-file-in-var-run
  duplicated-compressed-file
diff --git a/t/tests/files-general/tags b/t/tests/files-general/tags
index 7b7d278..f1c2bb8 100644
--- a/t/tests/files-general/tags
+++ b/t/tests/files-general/tags
@@ -1,3 +1,4 @@
+E: files-general: bad-perm-for-file-in-etc-sudoers.d etc/sudoers.d/sudotest 
0644 != 0440
 E: files-general: dir-or-file-in-var-lock var/lock/lintian/
 E: files-general: dir-or-file-in-var-run var/run/lintian/
 E: files-general: executable-manpage usr/share/man/man5/foo.5.gz

-- 
Debian package checker

