Hello community, here is the log from the commit of package rpmlint for openSUSE:Factory checked in at Mon May 16 11:33:47 CEST 2011.
-------- --- rpmlint/rpmlint.changes 2011-05-05 09:16:21.000000000 +0200 +++ /mounts/work_src_done/STABLE/rpmlint/rpmlint.changes 2011-05-11 14:31:54.000000000 +0200 @@ -1,0 +2,12 @@ +Wed May 11 11:25:33 UTC 2011 - lnus...@suse.de + +- don't filter non-standard-gid anymore +- add dir-or-file-in-var-lock check +- remove 'nobody' from standard users + +------------------------------------------------------------------- +Tue May 10 11:38:05 UTC 2011 - lnus...@suse.de + +- add not-a-position-independent-executable check + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- pie.config rpmlint-pie.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rpmlint.spec ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -23,7 +23,7 @@ BuildRequires: rpm-python Summary: Rpm correctness checker Version: 1.1 -Release: 33 +Release: 35 Source0: %{name}-%{version}.tar.bz2 Source1: config Source1001: config.in @@ -49,6 +49,7 @@ Source21: BashismsCheck.py Source22: CheckGNOMEMacros.py Source23: CheckBuildDate.py +Source24: pie.config Source100: syntax-validator.py Url: http://rpmlint.zarb.org/ License: GPLv2+ @@ -124,6 +125,7 @@ # already upstream Patch87: rpmlint-add-details.diff Patch88: suse-speccheck-utf8.diff +Patch89: rpmlint-pie.diff %py_requires %description @@ -150,7 +152,7 @@ %patch8 %patch9 #%patch10 -%patch11 +%patch11 -p1 %patch12 %patch13 %patch14 @@ -203,6 +205,7 @@ %patch86 %patch87 -p1 %patch88 +%patch89 -p1 cp -p %{SOURCE1} . cp -p %{SOURCE2} . cp -p %{SOURCE3} . 
@@ -238,6 +241,7 @@ # make sure that the package is sane python -tt %{SOURCE100} $RPM_BUILD_ROOT/usr/share/rpmlint/*.py $RPM_BUILD_ROOT/usr/share/rpmlint/config %__install -m 644 %{SOURCE20} %{buildroot}/%{_sysconfdir}/rpmlint/ +%__install -m 644 %{SOURCE24} %{buildroot}/%{_sysconfdir}/rpmlint/ %clean rm -rf $RPM_BUILD_ROOT @@ -249,6 +253,7 @@ %{_prefix}/share/rpmlint %config(noreplace) /etc/rpmlint/config %config %{_sysconfdir}/rpmlint/rpmgroups.config +%config %{_sysconfdir}/rpmlint/pie.config %dir /etc/rpmlint /usr/share/man/man1/rpmlint.1.gz ++++++ BashismsCheck.py ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -28,9 +28,12 @@ status, output = Pkg.getstatusoutput(["dash", "-n", filename]) if status == 2: printWarning(pkg, "bin-sh-syntax-error", filename) - status, output = Pkg.getstatusoutput(["checkbashisms", filename]) - if status == 1: - printInfo(pkg, "potential-bashisms", filename) + try: + status, output = Pkg.getstatusoutput(["checkbashisms", filename]) + if status == 1: + printInfo(pkg, "potential-bashisms", filename) + except Exception, x: + printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':filename, 'x':x}) finally: f.close() ++++++ CheckSUIDPermissions.py ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -135,6 +135,10 @@ else: f += '/' + if type == 010: + if not 'shared object' in pkgfile.magic: + printError(pkg, 'not-a-position-independent-executable', f) + m = self.perms[f]['mode'] o = self.perms[f]['owner'] 
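Review bot: The added `try`/`except` in BashismsCheck.py guards only the `checkbashisms` call, while the `dash -n` call two lines above it can fail the same way and still propagates out of this block. The `finally:` context line belongs to a `try` that opens outside the hunk, so the new handler appears to be nested inside it (indentation is lost in this rendering, so that is inferred). Moving the added `try:` above `status, output = Pkg.getstatusoutput(["dash", "-n", filename])` would report a failure of either tool as `rpmlint-exception`. Because `except Exception` is broad, a comment such as `# external tool missing or crashed: report it and keep checking` would record why it is deliberate.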
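Review bot: The added test `if not 'shared object' in pkgfile.magic:` in CheckSUIDPermissions.py never confirms that the file is an ELF binary, so any other regular file that reaches it, such as a script, would be reported as `not-a-position-independent-executable` with -fPIE/-pie advice that cannot apply. Assuming `pkgfile.magic` holds the libmagic description, `if type == 010 and 'ELF' in pkgfile.magic and 'shared object' not in pkgfile.magic:` would keep the error to binaries. The same three lines are repeated in the `@@ -159,6 +163,10 @@` hunk, and a small helper would stop the two copies drifting apart. A comment stating that `010` is (presumably) the regular-file type and that a PIE is identified as a shared object would help the next reader; the enclosing method starts and ends outside both hunks.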
@@ -159,6 +163,10 @@ else: printWarning(pkg, 'permissions-directory-setuid-bit', msg) + if type == 010: + if not 'shared object' in pkgfile.magic: + printError(pkg, 'not-a-position-independent-executable', f) + if mode&02: need_verifyscript = True printError(pkg, 'permissions-world-writable', \ ++++++ config ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -139,6 +139,7 @@ 'pulse-rt', 'quagga', 'radiusd', + 'root', 'sabayon-admin', 'sapdb', 'shadow', @@ -217,7 +218,6 @@ 'nagios', 'named', 'news', - 'nobody', 'novell_nobody', 'novlifdr', 'novlxregd', 
@@ -558,7 +558,6 @@ addFilter(" apache2-naming-policy-not-applied") addFilter(" no-default-runlevel ") addFilter(" setgid-binary ") -addFilter(" non-standard-gid ") addFilter(" non-readable ") addFilter(" manpage-not-bzipped ") addFilter(" postin-without-ghost-file-creation ") ++++++ pie.config ++++++ from Config import * # This file should list daemons and programs that are likely to be set setuid # by users. Files listed in permissions.eays are automatically checked. setOption("PieExecutables", ( "/bin/ping", "/bin/ping6", "/bin/su", "/usr/bin/pidgin", "/sbin/arping", "/sbin/clockdiff", "/sbin/dhclient", "/sbin/dhcpcd", "/sbin/klogd", "/sbin/rpcbind", "/sbin/syslogd", "/sbin/tracepath", "/sbin/tracepath6", "/usr/bin/uniconv", "/usr/bin/achfile", "/usr/bin/adv1tov2", "/usr/bin/aecho", "/usr/bin/afile", "/usr/bin/afppasswd", "/usr/bin/at", "/usr/bin/cadaver", "/usr/bin/chage", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/ciptool", "/usr/bin/cnid_index", "/usr/bin/dig", "/usr/bin/dund", "/usr/bin/expiry", "/usr/bin/finger", "/usr/bin/getzones", "/usr/bin/gpasswd", "/usr/bin/gpg", "/usr/bin/gpgsplit", "/usr/bin/gpgv", "/usr/bin/hcitool", "/usr/bin/hidd", "/usr/bin/host", "/usr/bin/htpasswd", "/usr/bin/l2ping", "/usr/bin/lppasswd", "/usr/bin/megatron", "/usr/bin/nbplkup", "/usr/bin/nbprgstr", "/usr/bin/nbpunrgstr", "/usr/bin/ncplogin", "/usr/bin/ncpmap", "/usr/bin/net", "/usr/bin/newgrp", "/usr/bin/nmblookup", "/usr/bin/nslookup", "/usr/bin/nsupdate", "/usr/bin/nwsfind", "/usr/bin/omshell", "/usr/bin/pand", "/usr/bin/pap", "/usr/bin/papstatus", "/usr/bin/passwd", "/usr/bin/pdbedit", "/usr/bin/profiles", "/usr/bin/psorder", "/usr/bin/rcp", "/usr/bin/rexec", "/usr/bin/rfcomm", "/usr/bin/rlogin", "/usr/bin/rpcclient", "/usr/bin/rsh", "/usr/bin/scp", "/usr/bin/sdptool", "/usr/bin/sftp", "/usr/bin/showppd", "/usr/bin/smbcacls", "/usr/bin/smbclient", "/usr/bin/smbcontrol", "/usr/bin/smbcquotas", "/sbin/mount.cifs", "/usr/bin/smbpasswd", "/usr/bin/smbspool", 
"/usr/bin/smbstatus", "/usr/bin/smbtree", "/usr/bin/ssh", "/usr/bin/ssh-add", "/usr/bin/ssh-agent", "/usr/bin/ssh-keygen", "/usr/bin/ssh-keyscan", "/usr/bin/svn", "/usr/bin/svnadmin", "/usr/bin/svndumpfilter", "/usr/bin/svnlook", "/usr/bin/svnserve", "/usr/bin/svnversion", "/usr/bin/talk", "/usr/bin/tdbbackup", "/usr/bin/tdbdump", "/usr/bin/tdbtool", "/usr/bin/telnet", "/usr/bin/testparm", "/usr/bin/testprns", "/usr/bin/timeout", "/usr/bin/wbinfo", "/usr/lib/mit/bin/ftp", "/usr/lib/mit/bin/gss-client", "/usr/lib/mit/bin/kdestroy", "/usr/lib/mit/bin/kinit", "/usr/lib/mit/bin/klist", "/usr/lib/mit/bin/kpasswd", "/usr/lib/mit/bin/krb524init", "/usr/lib/mit/bin/ksu", "/usr/lib/mit/bin/kvno", "/usr/lib/mit/bin/rcp", "/usr/lib/mit/bin/rlogin", "/usr/lib/mit/bin/rsh", "/usr/lib/mit/bin/sclient", "/usr/lib/mit/bin/sim_client", "/usr/lib/mit/bin/telnet", "/usr/lib/mit/bin/uuclient", "/usr/lib/mit/bin/v4rcp", "/usr/lib/mit/sbin/ftpd", "/usr/lib/mit/sbin/gss-server", "/usr/lib/mit/sbin/kadmin", "/usr/lib/mit/sbin/kadmin.local", "/usr/lib/mit/sbin/kadmind", "/usr/lib/mit/sbin/kdb5_util", "/usr/lib/mit/sbin/klogind", "/usr/lib/mit/sbin/kprop", "/usr/lib/mit/sbin/kpropd", "/usr/lib/mit/sbin/krb524d", "/usr/lib/mit/sbin/krb5kdc", "/usr/lib/mit/sbin/kshd", "/usr/lib/mit/sbin/ktutil", "/usr/lib/mit/sbin/login.krb5", "/usr/lib/mit/sbin/sim_server", "/usr/lib/mit/sbin/sserver", "/usr/lib/mit/sbin/telnetd", "/usr/lib/mit/sbin/uuserver", "/usr/lib/news/bin/innd", "/usr/lib/news/bin/innbind", "/usr/lib/news/bin/rnews", "/usr/sbin/afpd", "/usr/sbin/amcheck", "/usr/sbin/amdd", "/usr/sbin/atalkd", "/usr/sbin/atd", "/usr/sbin/automount", "/usr/sbin/chat", "/usr/sbin/cnid_dbd", "/usr/sbin/cnid_metad", "/usr/sbin/cron", "/usr/sbin/cupsd", "/usr/sbin/dhcpd", "/usr/sbin/dhcrelay", "/usr/sbin/dnssec-keygen", "/usr/sbin/dnssec-signzone", "/usr/sbin/exim", "/usr/sbin/hciattach", "/usr/sbin/bluetoothd", "/usr/sbin/hciconfig", "/usr/sbin/hid2hci", "/usr/sbin/httpd2", "/usr/sbin/httpd2-prefork", 
"/usr/sbin/httpd2-worker", "/usr/sbin/in.fingerd", "/usr/sbin/in.ntalkd", "/usr/sbin/in.rexecd", "/usr/sbin/in.rlogind", "/usr/sbin/in.rshd", "/usr/sbin/in.telnetd", "/usr/sbin/irqbalance", "/usr/sbin/lwresd", "/usr/sbin/mailstats", "/usr/sbin/makemap", "/usr/sbin/named", "/usr/sbin/named-checkconf", "/usr/sbin/named-checkzone", "/usr/sbin/nmbd", "/usr/sbin/nscd", "/usr/sbin/ntlm_auth", "/usr/sbin/ntp-keygen", "/usr/sbin/ntpd", "/usr/sbin/ntpdc", "/usr/sbin/ntpq", "/usr/sbin/ntptime", "/usr/sbin/openvpn", "/usr/sbin/papd", "/usr/sbin/postfix", "/usr/sbin/pppd", "/usr/sbin/praliases", "/usr/sbin/radiusd", "/usr/sbin/rarpd", "/usr/sbin/rndc", "/usr/sbin/rndc-confgen", "/usr/sbin/rotatelogs2", "/usr/sbin/rpc.mountd", "/usr/sbin/rpc.nfsd", "/usr/sbin/rpc.rquotad", "/usr/sbin/rpc.rwalld", "/usr/sbin/rpc.yppasswdd", "/usr/sbin/rpc.ypxfrd", "/usr/sbin/safe_finger", "/usr/sbin/sendmail", "/usr/lib/sudo/sesh", "/usr/lib/openldap/slapd", "/usr/sbin/smartctl", "/usr/sbin/smartd", "/usr/sbin/smbd", "/usr/sbin/snmpd", "/usr/sbin/snmptrapd", "/usr/sbin/squid", "/usr/sbin/squidclient", "/usr/sbin/sshd", "/usr/sbin/stunnel", "/usr/sbin/suexec2", "/usr/sbin/tcpd", "/usr/sbin/tickadj", "/usr/sbin/traceroute", "/usr/sbin/traceroute6", "/usr/sbin/try-from", "/usr/sbin/utempter", "/usr/sbin/visudo", "/usr/sbin/vsftpd", "/usr/sbin/winbindd", "/usr/sbin/xinetd", "/usr/sbin/yppush", "/usr/sbin/ypserv", "/usr/bin/zone2ldap", ) ) ++++++ rpmlint-pie.diff ++++++ >From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nus...@suse.de> Date: Mon, 9 May 2011 11:54:48 +0200 Subject: [PATCH] check for position independent executables --- BinariesCheck.py | 11 +++++++++++ config | 4 ++++ 2 files changed, 15 insertions(+), 0 deletions(-) Index: rpmlint-1.1/BinariesCheck.py =================================================================== --- rpmlint-1.1.orig/BinariesCheck.py +++ rpmlint-1.1/BinariesCheck.py 
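Review bot: The header comment of pie.config names `permissions.eays`, which looks like a typo for the permissions profile it means to reference, and it does not say which check consumes `PieExecutables`. Going by the `fname in pie_executables` test in rpmlint-pie.diff on this page, entries are matched as exact path strings, so a hardening-relevant binary shipped under a different prefix is silently not checked. A comment such as `# Paths are compared verbatim against packaged file names; list every install location of a binary` would make that limit visible to whoever maintains the list.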
@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = ( '/lib', '/usr/lib', '/usr/X11R6/lib', '/lib64', '/usr/lib64', '/usr/X11R6/lib64') +DEFAULT_PIE_EXECUTABLES = ( +) + class BinaryInfo: needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]') @@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\. validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$') sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC') system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS) +pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES) usr_lib_regex = re.compile('^/usr/lib(64)?/') bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/') soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*') @@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra if not is_exec and not is_shobj: continue + if fname in pie_executables and not is_shobj: + printError(pkg, 'not-a-position-independent-executable', fname) + if is_exec: if bin_regex.search(fname): @@ -598,6 +605,10 @@ that use prelink, make sure that prelink placing a blacklist file in /etc/prelink.conf.d. For more information, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''', +'not-a-position-independent-executable', +'''As per distribution policy the binary must be position independent. Add +-fPIE to CFLAGS and -pie to LDFLAGS''' + 'unstripped-binary-or-object', '''stripping debug info from binaries happens automatically according to global project settings. So there's normally no need to manually strip binaries. Index: rpmlint-1.1/config =================================================================== --- rpmlint-1.1.orig/config +++ rpmlint-1.1/config 
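Review bot: The condition `fname in pie_executables and not is_shobj` in the `@@ -377,6 +381,9 @@` hunk needs a comment, because nothing in the hunk says why "not a shared object" means "not position independent". Something like `# a PIE is linked as a shared object (ET_DYN), so a listed binary that is not one was built without -pie` would do. `is_shobj` is computed outside the hunk, so how it is derived cannot be confirmed from here.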
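Review bot: In the `@@ -598,6 +605,10 @@` hunk the added description ends with `'''` and no trailing comma, so Python concatenates it with the following literal `'unstripped-binary-or-object'`. If, as the surrounding context suggests, these lines are the alternating name/description arguments of the details table, the new text gains a stray suffix, the `unstripped-binary-or-object` key disappears, and every pair after it is shifted by one. The fix is `-fPIE to CFLAGS and -pie to LDFLAGS''',`. The call these arguments belong to opens and closes outside the hunk.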
@@ -130,6 +130,10 @@ from Config import * # Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck #setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64')) +# List of binaries that must be position independent executables +# Type: tuple of strings, default: empty +#setOption("PieExecutables", ('/bin/ping', '/bin/su')) + # Whether to want default start/stop runlevels specified in init scripts. # Type: boolean, default: True #setOption("UseDefaultRunlevels", True) ++++++ suse-file-var-run.diff ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 
@@ -1,35 +1,48 @@ -Index: FilesCheck.py -=================================================================== ---- FilesCheck.py.orig -+++ FilesCheck.py -@@ -901,7 +901,7 @@ class FilesCheck(AbstractCheck.AbstractC - is_kernel_package: - printError(pkg, "kernel-modules-not-in-kernel-packages", f) - -- if tmp_regex.search(f): -+ if tmp_regex.search(f) and f not in ghost_files: - printError(pkg, 'dir-or-file-in-tmp', f) - elif f.startswith('/mnt/'): - printError(pkg, 'dir-or-file-in-mnt', f) -@@ -911,6 +911,8 @@ class FilesCheck(AbstractCheck.AbstractC +From 811469ebe70ea65029d64ae2e7bc6e9828f59c9e Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel <ludwig.nus...@suse.de> +Date: Wed, 11 May 2011 13:15:22 +0200 +Subject: [PATCH] check for files in /var/run and /var/lock + +nowadays /var/run and /var/lock move to using tmpfs so disallow +packaging files there +--- + FilesCheck.py | 16 ++++++++++++++++ + 1 files changed, 16 insertions(+), 0 deletions(-) + +diff --git a/FilesCheck.py b/FilesCheck.py +index a82b4b8..0f43927 100644 +--- a/FilesCheck.py ++++ b/FilesCheck.py +@@ -443,6 +443,10 @@ class FilesCheck(AbstractCheck.AbstractCheck): printError(pkg, 'dir-or-file-in-usr-local', f) elif f.startswith('/var/local/'): printError(pkg, 'dir-or-file-in-var-local', f) + elif f.startswith('/var/run/') and f not in ghost_files: + printError(pkg, 'dir-or-file-in-var-run', f) ++ elif f.startswith('/var/lock/'): ++ printError(pkg, 'dir-or-file-in-var-lock', f) elif sub_bin_regex.search(f): printError(pkg, 'subdir-in-bin', f) elif f.startswith('/home/'): -@@ -1478,6 +1480,12 @@ for packages to install files in this di +@@ -1019,6 +1023,18 @@ for packages to install files in this directory.''', '''A file in the package is located in /var/local. It's not permitted for packages to install files in this directory.''', +'dir-or-file-in-var-run', +'''A file or directory in the package is located in /var/run. 
It's not +permitted for packages to install files in this directory as it might -+be created as tmpfs during boot. Modify your package to create the -+necessary files during runtime.''', ++be created as tmpfs during boot. Mark the files in question as %ghost and ++create them at run time instead.''', ++ ++'dir-or-file-in-var-lock', ++'''A file or directory in the package is located in /var/lock. It's ++not permitted for packages to install files in this directory as it ++is a) reserved for legacy device lock files and b) might be created ++as tmpfs during boot.''', + 'subdir-in-bin', '''The package contains a subdirectory in /usr/bin. It's not permitted to create a subdir there. Create it in /usr/lib/ instead.''', +-- +1.7.3.4 + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
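Review bot: The new `elif f.startswith('/var/lock/'):` branch has no `f not in ghost_files` exemption, unlike the `/var/run/` branch directly above it, so a `%ghost` entry under /var/lock is still reported as an error. If that is intended, the `dir-or-file-in-var-lock` description should say so, since it gives no remediation while the /var/run text now recommends %ghost; a closing sentence such as `Create lock files at run time instead of packaging them.` would do. Both `startswith` tests include the trailing slash, so the directory entries `/var/run` and `/var/lock` themselves may not match, depending on how directory names are stored. This patch is shown as a diff of a diff, and the enclosing method lies outside the hunk.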