Hello community,

here is the log from the commit of package rpmlint for openSUSE:Factory
checked in at Mon May 16 11:33:47 CEST 2011.



--------
--- rpmlint/rpmlint.changes     2011-05-05 09:16:21.000000000 +0200
+++ /mounts/work_src_done/STABLE/rpmlint/rpmlint.changes        2011-05-11 
14:31:54.000000000 +0200
@@ -1,0 +2,12 @@
+Wed May 11 11:25:33 UTC 2011 - lnus...@suse.de
+
+- don't filter non-standard-gid anymore
+- add dir-or-file-in-var-lock check
+- remove 'nobody' from standard users
+
+-------------------------------------------------------------------
+Tue May 10 11:38:05 UTC 2011 - lnus...@suse.de
+
+- add not-a-position-independent-executable check
+
+-------------------------------------------------------------------

calling whatdependson for head-i586


New:
----
  pie.config
  rpmlint-pie.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rpmlint.spec ++++++
--- /var/tmp/diff_new_pack.Xnh5Rj/_old  2011-05-16 11:31:42.000000000 +0200
+++ /var/tmp/diff_new_pack.Xnh5Rj/_new  2011-05-16 11:31:42.000000000 +0200
@@ -23,7 +23,7 @@
 BuildRequires:  rpm-python
 Summary:        Rpm correctness checker
 Version:        1.1
-Release:        33
+Release:        35
 Source0:        %{name}-%{version}.tar.bz2
 Source1:        config
 Source1001:     config.in
@@ -49,6 +49,7 @@
 Source21:       BashismsCheck.py
 Source22:       CheckGNOMEMacros.py
 Source23:       CheckBuildDate.py
+Source24:       pie.config
 Source100:      syntax-validator.py
 Url:            http://rpmlint.zarb.org/
 License:        GPLv2+
@@ -124,6 +125,7 @@
 # already upstream
 Patch87:        rpmlint-add-details.diff
 Patch88:        suse-speccheck-utf8.diff
+Patch89:        rpmlint-pie.diff
 %py_requires
 
 %description
@@ -150,7 +152,7 @@
 %patch8
 %patch9
 #%patch10
-%patch11
+%patch11 -p1
 %patch12
 %patch13
 %patch14
@@ -203,6 +205,7 @@
 %patch86
 %patch87 -p1
 %patch88
+%patch89 -p1
 cp -p %{SOURCE1} .
 cp -p %{SOURCE2} .
 cp -p %{SOURCE3} .
@@ -238,6 +241,7 @@
 # make sure that the package is sane
 python -tt %{SOURCE100} $RPM_BUILD_ROOT/usr/share/rpmlint/*.py 
$RPM_BUILD_ROOT/usr/share/rpmlint/config
 %__install -m 644 %{SOURCE20} %{buildroot}/%{_sysconfdir}/rpmlint/
+%__install -m 644 %{SOURCE24} %{buildroot}/%{_sysconfdir}/rpmlint/
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -249,6 +253,7 @@
 %{_prefix}/share/rpmlint
 %config(noreplace) /etc/rpmlint/config
 %config %{_sysconfdir}/rpmlint/rpmgroups.config
+%config %{_sysconfdir}/rpmlint/pie.config
 %dir /etc/rpmlint
 /usr/share/man/man1/rpmlint.1.gz
 

++++++ BashismsCheck.py ++++++
--- /var/tmp/diff_new_pack.Xnh5Rj/_old  2011-05-16 11:31:42.000000000 +0200
+++ /var/tmp/diff_new_pack.Xnh5Rj/_new  2011-05-16 11:31:42.000000000 +0200
@@ -28,9 +28,12 @@
                 status, output = Pkg.getstatusoutput(["dash", "-n", filename])
                 if status == 2:
                     printWarning(pkg, "bin-sh-syntax-error", filename)
-                status, output = Pkg.getstatusoutput(["checkbashisms", 
filename])
-                if status == 1:
-                    printInfo(pkg, "potential-bashisms", filename)
+                try:
+                    status, output = Pkg.getstatusoutput(["checkbashisms", 
filename])
+                    if status == 1:
+                        printInfo(pkg, "potential-bashisms", filename)
+                except Exception, x:
+                    printError(pkg, 'rpmlint-exception', "%(file)s raised an 
exception: %(x)s" % {'file':filename, 'x':x})
         finally:
             f.close()
 
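Review bot: The added `except Exception, x:` around the checkbashisms call catches every exception type and reports it through `printError` against the package, so a fault on the lint host (for instance the checkbashisms tool being absent, if `Pkg.getstatusoutput` raises in that case) is recorded as a package error. Catching only the failure expected from starting the tool, e.g. `except OSError, x:` (confirm what `Pkg.getstatusoutput` actually raises), would keep genuine programming errors visible. The `dash -n` call on the context line above is still outside the `try`, so the same failure mode there remains unhandled. The enclosing function starts outside the hunk.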

++++++ CheckSUIDPermissions.py ++++++
--- /var/tmp/diff_new_pack.Xnh5Rj/_old  2011-05-16 11:31:42.000000000 +0200
+++ /var/tmp/diff_new_pack.Xnh5Rj/_new  2011-05-16 11:31:42.000000000 +0200
@@ -135,6 +135,10 @@
                     else:
                         f += '/'
 
+                if type == 010:
+                    if not 'shared object' in pkgfile.magic:
+                        printError(pkg, 
'not-a-position-independent-executable', f)
+
                 m = self.perms[f]['mode']
                 o = self.perms[f]['owner']
 
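Review bot: The added test in this hunk, and the identical one in the `@@ -159,6 +163,10 @@` hunk, decides PIE status from the substring `'shared object'` in `pkgfile.magic`, so a regular file on the permissions list that is not ELF at all (a setuid script, or a file with an empty magic string) would be reported as `not-a-position-independent-executable`. Restricting the test to ELF files avoids that: `if type == 010 and 'ELF' in pkgfile.magic and 'shared object' not in pkgfile.magic:`. The bare `010` also deserves a comment such as `# 010: regular file (file-type bits of the mode)` if that is what `type` holds; it is assigned outside the hunk. Since both hunks add the same lines, a small helper would keep the two sites in step.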
@@ -159,6 +163,10 @@
                     else:
                         printWarning(pkg, 'permissions-directory-setuid-bit', 
msg)
 
+                    if type == 010:
+                        if not 'shared object' in pkgfile.magic:
+                            printError(pkg, 
'not-a-position-independent-executable', f)
+
                 if mode&02:
                     need_verifyscript = True
                     printError(pkg, 'permissions-world-writable', \

++++++ config ++++++
--- /var/tmp/diff_new_pack.Xnh5Rj/_old  2011-05-16 11:31:42.000000000 +0200
+++ /var/tmp/diff_new_pack.Xnh5Rj/_new  2011-05-16 11:31:42.000000000 +0200
@@ -139,6 +139,7 @@
     'pulse-rt',
     'quagga',
     'radiusd',
+    'root',
     'sabayon-admin',
     'sapdb',
     'shadow',
@@ -217,7 +218,6 @@
     'nagios',
     'named',
     'news',
-    'nobody',
     'novell_nobody',
     'novlifdr',
     'novlxregd',
@@ -558,7 +558,6 @@
 addFilter(" apache2-naming-policy-not-applied")
 addFilter(" no-default-runlevel ")
 addFilter(" setgid-binary ")
-addFilter(" non-standard-gid ")
 addFilter(" non-readable ")
 addFilter(" manpage-not-bzipped ")
 addFilter(" postin-without-ghost-file-creation ")

++++++ pie.config ++++++
from Config import *

# This file should list daemons and programs that are likely to be set setuid
# by users. Files listed in permissions.easy are automatically checked.
#
# The tuple below is stored under the "PieExecutables" option. BinariesCheck
# reads that option and reports 'not-a-position-independent-executable' for a
# packaged file whose path is in this tuple and which is not a shared object.
# The comparison there is an exact string match on the installed path, so a
# program that can be installed under more than one path needs one entry per
# path; anything not listed here is not checked by BinariesCheck at all.

setOption("PieExecutables",
(
"/bin/ping",
"/bin/ping6",
"/bin/su",
"/usr/bin/pidgin",
"/sbin/arping",
"/sbin/clockdiff",
"/sbin/dhclient",
"/sbin/dhcpcd",
"/sbin/klogd",
"/sbin/rpcbind",
"/sbin/syslogd",
"/sbin/tracepath",
"/sbin/tracepath6",
"/usr/bin/uniconv",
"/usr/bin/achfile",
"/usr/bin/adv1tov2",
"/usr/bin/aecho",
"/usr/bin/afile",
"/usr/bin/afppasswd",
"/usr/bin/at",
"/usr/bin/cadaver",
"/usr/bin/chage",
"/usr/bin/chfn",
"/usr/bin/chsh",
"/usr/bin/ciptool",
"/usr/bin/cnid_index",
"/usr/bin/dig",
"/usr/bin/dund",
"/usr/bin/expiry",
"/usr/bin/finger",
"/usr/bin/getzones",
"/usr/bin/gpasswd",
"/usr/bin/gpg",
"/usr/bin/gpgsplit",
"/usr/bin/gpgv",
"/usr/bin/hcitool",
"/usr/bin/hidd",
"/usr/bin/host",
"/usr/bin/htpasswd",
"/usr/bin/l2ping",
"/usr/bin/lppasswd",
"/usr/bin/megatron",
"/usr/bin/nbplkup",
"/usr/bin/nbprgstr",
"/usr/bin/nbpunrgstr",
"/usr/bin/ncplogin",
"/usr/bin/ncpmap",
"/usr/bin/net",
"/usr/bin/newgrp",
"/usr/bin/nmblookup",
"/usr/bin/nslookup",
"/usr/bin/nsupdate",
"/usr/bin/nwsfind",
"/usr/bin/omshell",
"/usr/bin/pand",
"/usr/bin/pap",
"/usr/bin/papstatus",
"/usr/bin/passwd",
"/usr/bin/pdbedit",
"/usr/bin/profiles",
"/usr/bin/psorder",
"/usr/bin/rcp",
"/usr/bin/rexec",
"/usr/bin/rfcomm",
"/usr/bin/rlogin",
"/usr/bin/rpcclient",
"/usr/bin/rsh",
"/usr/bin/scp",
"/usr/bin/sdptool",
"/usr/bin/sftp",
"/usr/bin/showppd",
"/usr/bin/smbcacls",
"/usr/bin/smbclient",
"/usr/bin/smbcontrol",
"/usr/bin/smbcquotas",
"/sbin/mount.cifs",
"/usr/bin/smbpasswd",
"/usr/bin/smbspool",
"/usr/bin/smbstatus",
"/usr/bin/smbtree",
"/usr/bin/ssh",
"/usr/bin/ssh-add",
"/usr/bin/ssh-agent",
"/usr/bin/ssh-keygen",
"/usr/bin/ssh-keyscan",
"/usr/bin/svn",
"/usr/bin/svnadmin",
"/usr/bin/svndumpfilter",
"/usr/bin/svnlook",
"/usr/bin/svnserve",
"/usr/bin/svnversion",
"/usr/bin/talk",
"/usr/bin/tdbbackup",
"/usr/bin/tdbdump",
"/usr/bin/tdbtool",
"/usr/bin/telnet",
"/usr/bin/testparm",
"/usr/bin/testprns",
"/usr/bin/timeout",
"/usr/bin/wbinfo",
"/usr/lib/mit/bin/ftp",
"/usr/lib/mit/bin/gss-client",
"/usr/lib/mit/bin/kdestroy",
"/usr/lib/mit/bin/kinit",
"/usr/lib/mit/bin/klist",
"/usr/lib/mit/bin/kpasswd",
"/usr/lib/mit/bin/krb524init",
"/usr/lib/mit/bin/ksu",
"/usr/lib/mit/bin/kvno",
"/usr/lib/mit/bin/rcp",
"/usr/lib/mit/bin/rlogin",
"/usr/lib/mit/bin/rsh",
"/usr/lib/mit/bin/sclient",
"/usr/lib/mit/bin/sim_client",
"/usr/lib/mit/bin/telnet",
"/usr/lib/mit/bin/uuclient",
"/usr/lib/mit/bin/v4rcp",
"/usr/lib/mit/sbin/ftpd",
"/usr/lib/mit/sbin/gss-server",
"/usr/lib/mit/sbin/kadmin",
"/usr/lib/mit/sbin/kadmin.local",
"/usr/lib/mit/sbin/kadmind",
"/usr/lib/mit/sbin/kdb5_util",
"/usr/lib/mit/sbin/klogind",
"/usr/lib/mit/sbin/kprop",
"/usr/lib/mit/sbin/kpropd",
"/usr/lib/mit/sbin/krb524d",
"/usr/lib/mit/sbin/krb5kdc",
"/usr/lib/mit/sbin/kshd",
"/usr/lib/mit/sbin/ktutil",
"/usr/lib/mit/sbin/login.krb5",
"/usr/lib/mit/sbin/sim_server",
"/usr/lib/mit/sbin/sserver",
"/usr/lib/mit/sbin/telnetd",
"/usr/lib/mit/sbin/uuserver",
"/usr/lib/news/bin/innd",
"/usr/lib/news/bin/innbind",
"/usr/lib/news/bin/rnews",
"/usr/sbin/afpd",
"/usr/sbin/amcheck",
"/usr/sbin/amdd",
"/usr/sbin/atalkd",
"/usr/sbin/atd",
"/usr/sbin/automount",
"/usr/sbin/chat",
"/usr/sbin/cnid_dbd",
"/usr/sbin/cnid_metad",
"/usr/sbin/cron",
"/usr/sbin/cupsd",
"/usr/sbin/dhcpd",
"/usr/sbin/dhcrelay",
"/usr/sbin/dnssec-keygen",
"/usr/sbin/dnssec-signzone",
"/usr/sbin/exim",
"/usr/sbin/hciattach",
"/usr/sbin/bluetoothd",
"/usr/sbin/hciconfig",
"/usr/sbin/hid2hci",
"/usr/sbin/httpd2",
"/usr/sbin/httpd2-prefork",
"/usr/sbin/httpd2-worker",
"/usr/sbin/in.fingerd",
"/usr/sbin/in.ntalkd",
"/usr/sbin/in.rexecd",
"/usr/sbin/in.rlogind",
"/usr/sbin/in.rshd",
"/usr/sbin/in.telnetd",
"/usr/sbin/irqbalance",
"/usr/sbin/lwresd",
"/usr/sbin/mailstats",
"/usr/sbin/makemap",
"/usr/sbin/named",
"/usr/sbin/named-checkconf",
"/usr/sbin/named-checkzone",
"/usr/sbin/nmbd",
"/usr/sbin/nscd",
"/usr/sbin/ntlm_auth",
"/usr/sbin/ntp-keygen",
"/usr/sbin/ntpd",
"/usr/sbin/ntpdc",
"/usr/sbin/ntpq",
"/usr/sbin/ntptime",
"/usr/sbin/openvpn",
"/usr/sbin/papd",
"/usr/sbin/postfix",
"/usr/sbin/pppd",
"/usr/sbin/praliases",
"/usr/sbin/radiusd",
"/usr/sbin/rarpd",
"/usr/sbin/rndc",
"/usr/sbin/rndc-confgen",
"/usr/sbin/rotatelogs2",
"/usr/sbin/rpc.mountd",
"/usr/sbin/rpc.nfsd",
"/usr/sbin/rpc.rquotad",
"/usr/sbin/rpc.rwalld",
"/usr/sbin/rpc.yppasswdd",
"/usr/sbin/rpc.ypxfrd",
"/usr/sbin/safe_finger",
"/usr/sbin/sendmail",
"/usr/lib/sudo/sesh",
"/usr/lib/openldap/slapd",
"/usr/sbin/smartctl",
"/usr/sbin/smartd",
"/usr/sbin/smbd",
"/usr/sbin/snmpd",
"/usr/sbin/snmptrapd",
"/usr/sbin/squid",
"/usr/sbin/squidclient",
"/usr/sbin/sshd",
"/usr/sbin/stunnel",
"/usr/sbin/suexec2",
"/usr/sbin/tcpd",
"/usr/sbin/tickadj",
"/usr/sbin/traceroute",
"/usr/sbin/traceroute6",
"/usr/sbin/try-from",
"/usr/sbin/utempter",
"/usr/sbin/visudo",
"/usr/sbin/vsftpd",
"/usr/sbin/winbindd",
"/usr/sbin/xinetd",
"/usr/sbin/yppush",
"/usr/sbin/ypserv",
"/usr/bin/zone2ldap",
)
)
++++++ rpmlint-pie.diff ++++++
>From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nus...@suse.de>
Date: Mon, 9 May 2011 11:54:48 +0200
Subject: [PATCH] check for position independent executables

---
 BinariesCheck.py |   11 +++++++++++
 config           |    4 ++++
 2 files changed, 15 insertions(+), 0 deletions(-)

Index: rpmlint-1.1/BinariesCheck.py
===================================================================
--- rpmlint-1.1.orig/BinariesCheck.py
+++ rpmlint-1.1/BinariesCheck.py
@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = (
     '/lib', '/usr/lib', '/usr/X11R6/lib',
     '/lib64', '/usr/lib64', '/usr/X11R6/lib64')
 
+DEFAULT_PIE_EXECUTABLES = (
+)
+
 class BinaryInfo:
 
     needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]')
@@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\.
 validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$')
 sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC')
 system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS)
+pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES)
 usr_lib_regex = re.compile('^/usr/lib(64)?/')
 bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/')
 soversion_regex = 
re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*')
@@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra
             if not is_exec and not is_shobj:
                 continue
 
+            if fname in pie_executables and not is_shobj:
+                printError(pkg, 'not-a-position-independent-executable', fname)
+
             if is_exec:
 
                 if bin_regex.search(fname):
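Review bot: The added check `fname in pie_executables` is an exact string comparison against the configured tuple, so a listed program that a package installs under a different path (say `/usr/bin/ping` rather than `/bin/ping`) is never tested for PIE. A comment at the check would make that limit visible: `# exact-path match; a program shipped under another path needs its own PieExecutables entry`. `is_shobj` is computed outside the hunk, so whether it separates PIE executables from ordinary shared libraries cannot be confirmed from here. The tuple is also scanned linearly for every binary; wrapping the option in `frozenset(...)` where `pie_executables` is assigned would make the lookup constant-time.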
@@ -598,6 +605,10 @@ that use prelink, make sure that prelink
 placing a blacklist file in /etc/prelink.conf.d.  For more information, see
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''',
 
+'not-a-position-independent-executable',
+'''As per distribution policy the binary must be position independent. Add
+-fPIE to CFLAGS and -pie to LDFLAGS'''
+
 'unstripped-binary-or-object',
 '''stripping debug info from binaries happens automatically according to global
 project settings. So there's normally no need to manually strip binaries.
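Review bot: The new description string ends with `-fPIE to CFLAGS and -pie to LDFLAGS'''` without a trailing comma, so Python joins it with the next literal `'unstripped-binary-or-object'` by implicit string concatenation. The PIE description then ends in `LDFLAGSunstripped-binary-or-object`, the `unstripped-binary-or-object` key disappears, and every following key/description pair in the list is shifted by one. The line should read `-fPIE to CFLAGS and -pie to LDFLAGS''',`. The call that takes this list begins outside the hunk, so how it reacts to the resulting odd number of arguments is not visible here.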
Index: rpmlint-1.1/config
===================================================================
--- rpmlint-1.1.orig/config
+++ rpmlint-1.1/config
@@ -130,6 +130,10 @@ from Config import *
 # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in 
BinariesCheck
 #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
 
+# List of binaries that must be position independent executables
+# Type: tuple of strings, default: empty
+#setOption("PieExecutables", ('/bin/ping', '/bin/su'))
+
 # Whether to want default start/stop runlevels specified in init scripts.
 # Type: boolean, default: True
 #setOption("UseDefaultRunlevels", True)
++++++ suse-file-var-run.diff ++++++
--- /var/tmp/diff_new_pack.Xnh5Rj/_old  2011-05-16 11:31:42.000000000 +0200
+++ /var/tmp/diff_new_pack.Xnh5Rj/_new  2011-05-16 11:31:42.000000000 +0200
@@ -1,35 +1,48 @@
-Index: FilesCheck.py
-===================================================================
---- FilesCheck.py.orig
-+++ FilesCheck.py
-@@ -901,7 +901,7 @@ class FilesCheck(AbstractCheck.AbstractC
-                     is_kernel_package:
-                 printError(pkg, "kernel-modules-not-in-kernel-packages", f)
- 
--            if tmp_regex.search(f):
-+            if tmp_regex.search(f) and f not in ghost_files:
-                 printError(pkg, 'dir-or-file-in-tmp', f)
-             elif f.startswith('/mnt/'):
-                 printError(pkg, 'dir-or-file-in-mnt', f)
-@@ -911,6 +911,8 @@ class FilesCheck(AbstractCheck.AbstractC
+From 811469ebe70ea65029d64ae2e7bc6e9828f59c9e Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nus...@suse.de>
+Date: Wed, 11 May 2011 13:15:22 +0200
+Subject: [PATCH] check for files in /var/run and /var/lock
+
+nowadays /var/run and /var/lock move to using tmpfs so disallow
+packaging files there
+---
+ FilesCheck.py |   16 ++++++++++++++++
+ 1 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/FilesCheck.py b/FilesCheck.py
+index a82b4b8..0f43927 100644
+--- a/FilesCheck.py
++++ b/FilesCheck.py
+@@ -443,6 +443,10 @@ class FilesCheck(AbstractCheck.AbstractCheck):
                  printError(pkg, 'dir-or-file-in-usr-local', f)
              elif f.startswith('/var/local/'):
                  printError(pkg, 'dir-or-file-in-var-local', f)
 +            elif f.startswith('/var/run/') and f not in ghost_files:
 +                printError(pkg, 'dir-or-file-in-var-run', f)
++            elif f.startswith('/var/lock/'):
++                printError(pkg, 'dir-or-file-in-var-lock', f)
              elif sub_bin_regex.search(f):
                  printError(pkg, 'subdir-in-bin', f)
              elif f.startswith('/home/'):
-@@ -1478,6 +1480,12 @@ for packages to install files in this di
+@@ -1019,6 +1023,18 @@ for packages to install files in this directory.''',
  '''A file in the package is located in /var/local. It's not permitted
  for packages to install files in this directory.''',
  
 +'dir-or-file-in-var-run',
 +'''A file or directory in the package is located in /var/run. It's not
 +permitted for packages to install files in this directory as it might
-+be created as tmpfs during boot. Modify your package to create the 
-+necessary files during runtime.''',
++be created as tmpfs during boot. Mark the files in question as %ghost and
++create them at run time instead.''',
++
++'dir-or-file-in-var-lock',
++'''A file or directory in the package is located in /var/lock. It's
++not permitted for packages to install files in this directory as it
++is a) reserved for legacy device lock files and b) might be created
++as tmpfs during boot.''',
 +
  'subdir-in-bin',
  '''The package contains a subdirectory in /usr/bin. It's not permitted to
  create a subdir there. Create it in /usr/lib/ instead.''',
+-- 
+1.7.3.4
+
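Review bot: The new `/var/lock/` branch reports every packaged path there, while the `/var/run/` branch directly above it skips entries in `ghost_files`; if `%ghost` entries under `/var/lock` are meant to be allowed in the same way, the condition should be `elif f.startswith('/var/lock/') and f not in ghost_files:`. The `dir-or-file-in-var-lock` description also gives the packager no remedy, unlike the `/var/run` text, which says to mark the files as %ghost and create them at run time. The refreshed patch no longer carries the earlier `tmp_regex.search(f) and f not in ghost_files` change and the changelog entry does not mention that, so it is worth confirming the drop is intended.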


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
