Hello community,

here is the log from the commit of package rpmlint-mini for openSUSE:Factory 
checked in at 2020-08-17 12:00:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rpmlint-mini (Old)
 and      /work/SRC/openSUSE:Factory/.rpmlint-mini.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rpmlint-mini"

Mon Aug 17 12:00:03 2020 rev:104 rq:826022 version:1.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/rpmlint-mini/rpmlint-mini.changes        
2020-07-31 15:52:27.752031495 +0200
+++ /work/SRC/openSUSE:Factory/.rpmlint-mini.new.3399/rpmlint-mini.changes      
2020-08-17 12:00:28.474530229 +0200
@@ -1,0 +2,6 @@
+Wed Aug 12 11:50:49 UTC 2020 - matthias.gerst...@suse.com
+
+- seucirty-whitelistings: update to version master:
+  * Introduce new metadata based whitelistings for device files and 
world-writable files
+
+-------------------------------------------------------------------
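Review bot: the new changes entry misspells the project name: '+- seucirty-whitelistings: update to version master:' should read 'security-whitelistings', matching the tarball name rpmlint-security-whitelistings-master.tar.xz used further down in this request. The 'world-writable files' fragment on a line of its own without a leading '+' looks like mail wrapping rather than the file content, but it is worth checking that the bullet is a single indented line in the .changes file.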

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.WV4Fsr/_old  2020-08-17 12:00:34.202533421 +0200
+++ /var/tmp/diff_new_pack.WV4Fsr/_new  2020-08-17 12:00:34.206533423 +0200
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/openSUSE/rpmlint-security-whitelistings</param>
-              <param 
name="changesrevision">25ed71ab5b8ad0c5dfc8f1adeba8b783c47dcd9f</param></service></servicedata>
\ No newline at end of file
+              <param 
name="changesrevision">a2926238c7a310a1635935ce1faa4a097076d7b9</param></service></servicedata>
\ No newline at end of file

++++++ rpmlint-security-whitelistings-master.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rpmlint-security-whitelistings-master/README.md 
new/rpmlint-security-whitelistings-master/README.md
--- old/rpmlint-security-whitelistings-master/README.md 2020-07-28 
07:41:04.000000000 +0200
+++ new/rpmlint-security-whitelistings-master/README.md 2020-07-31 
10:46:36.000000000 +0200
@@ -36,6 +36,21 @@
 Types of Whitelistings
 ----------------------
 
+### Digest Based Whitelistings
+
+This type of whitelist cares about the contents of files in certain file
+system locations. It whitelists file system entries by name and an optional
+content digest.
+
+### Metadata Based Whitelistings
+
+This type of whitelist cares about a file's metadata like file type and UNIX
+permissions. It whitelists file system entries by comparing the file type,
+mode bits and ownership.
+
+Instances of Whitelistings
+--------------------------
+
 ### Cron Jobs
 
 The file `cron-whitelist.json` contains whitelisting entries for files
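Review bot: the two new 'Types of Whitelistings' subsections explain what digest based and metadata based whitelists compare, but not how an entry selects one type or the other. Add a sentence stating that an audit entry carries a "digests" object for the digest based type and a "meta" object for the metadata based type, which is exactly what the example further down in this README relies on ('# here we use a meta entry instead of a "digests" entry').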
@@ -45,6 +60,28 @@
 restrictions on the introduction of new cron jobs or changes to existing cron
 jobs.
 
+### Device Files
+
+The file `device-files-whitelist.json` contains whitelisting entries for
+device file packaged in RPMs. Device files in RPMs should be an unusual
+event. Since device files with bad permissions may allow unprivileged users to
+access sensitive system devices it is important to restrict packaging of this
+type of files. A metadata whitelisting is used for whitelist any occurences of
+device files in packages.
+
+### World Writable Files
+
+There shouldn't be any files packaged that are world-writable. A few
+exceptions are public sticky-bit directories or UNIX domain sockets that are
+accessible to everybody. These occurrences are covered by this metadata
+whitelisting.
+
+### Note About setuid/setgid Bits
+
+Setuid, setgid or capability bits are currently not kept track of here,
+because they are managed by the [permissions
+package](https://github.com/openSUSE/permissions).
+
 Whitelisting Examples
 ---------------------
 
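Review bot: two grammar slips in the new Device Files paragraph: 'device file packaged in RPMs' should be 'device files packaged in RPMs', and 'A metadata whitelisting is used for whitelist any occurences of device files' should be 'is used to whitelist any occurrences of device files'. Also, the World Writable Files section names UNIX domain sockets as an accepted exception, yet the two socket entries added in world-writable-whitelist.json in this same update are %ghost files that appear with "type": "-"; saying so here would stop readers from expecting "type": "s" entries in that file.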
@@ -53,6 +90,7 @@
 does *not* support such comments, however.
 
 <pre>
+# a digest based whitelist
 {
     # the package name
     "atop-daemon": {
@@ -92,6 +130,40 @@
                 }
             }
         }
+    }
+}
+</pre>
+
+<pre>
+# a metadata based whitelist
+{
+    "filesystem": {
+        "audits": {
+            "bsc#123456": {
+                "comment": "some typical special files",
+                # here we use a meta entry instead of a "digests" entry to
+                # whitelist file properties in contrast to file contents.
+                "meta": {
+                    "/some/dev": {
+                        # denotes the whitelisted type of file. supported
+                        # characters are currently:
+                        # '-': regular file
+                        # 'd': directory
+                        # 'c': character device
+                        # 'b': block device
+                        # 's': UNIX domain socket
+                        "type": "b",
+                       # the allowed UNIX octal file mode
+                        "mode": "0666",
+                        # for device files this denotes the allowed minor and
+                        # major device number separated by comma
+                        "dev": "1,2",
+                        # the allowed user and group ownership for the file
+                        "owner": "root:root"
+                    }
+                }
+            }
+        }
     }
 }
 </pre>
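Review bot: the comment on the "dev" key says 'the allowed minor and major device number separated by comma', but the order in the example ("dev": "1,2") and in the real entries of device-files-whitelist.json ("1,3" for /var/lib/named/dev/null, which is the null device's major 1, minor 3) is major first; change the comment to 'major and minor device number separated by comma'. Minor: the line '# the allowed UNIX octal file mode' is indented one space less than the surrounding comment lines.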
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/rpmlint-security-whitelistings-master/device-files-whitelist.json 
new/rpmlint-security-whitelistings-master/device-files-whitelist.json
--- old/rpmlint-security-whitelistings-master/device-files-whitelist.json       
1970-01-01 01:00:00.000000000 +0100
+++ new/rpmlint-security-whitelistings-master/device-files-whitelist.json       
2020-07-31 10:46:36.000000000 +0200
@@ -0,0 +1,29 @@
+{
+       "bind-chrootenv": {
+               "audits": {
+                       "bsc#1174642": {
+                               "comment": "Chroot duplicates of some 
uncritical character devices. urandom was historically packaged 
non-world-writable, probably to avoid the rpmlint error triggering.",
+                               "meta": {
+                                       "/var/lib/named/dev/null": {
+                                               "type": "c",
+                                               "mode": "0666",
+                                               "dev": "1,3",
+                                                "owner": "root:root"
+                                       },
+                                       "/var/lib/named/dev/random": {
+                                               "type": "c",
+                                               "mode": "0666",
+                                               "dev": "1,8",
+                                               "owner": "root:root"
+                                       },
+                                       "/var/lib/named/dev/urandom": {
+                                               "type": "c",
+                                               "mode": "0660",
+                                               "dev": "1,9",
+                                                "owner": "root:root"
+                                       }
+                               }
+                       }
+               }
+       }
+}
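Review bot: the "owner" lines for /var/lib/named/dev/null and /var/lib/named/dev/urandom carry one extra leading space compared to the neighbouring keys; align them. The urandom entry whitelists mode 0660 while null and random are 0666, and the comment attributes this to history; since a metadata whitelist fails on any deviation, the comment should say whether 0660 is meant to stay, because a later change of the chroot urandom to the usual 0666 would then trip this whitelist and need a new entry.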
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/rpmlint-security-whitelistings-master/verify.py 
new/rpmlint-security-whitelistings-master/verify.py
--- old/rpmlint-security-whitelistings-master/verify.py 2020-07-28 
07:41:04.000000000 +0200
+++ new/rpmlint-security-whitelistings-master/verify.py 2020-07-31 
10:46:36.000000000 +0200
@@ -78,30 +78,47 @@
 
 whitelisting = None
 
-def fetchWhitelistingModule():
-       whitelisting_module_url = 
"https://raw.githubusercontent.com/openSUSE/rpmlint-checks/master/Whitelisting.py";
-
+def loadLocalModule(path, name):
        # only available from python3.5 and newer
        import importlib.util
+       spec = importlib.util.spec_from_file_location(name, path)
+       module = importlib.util.module_from_spec(spec)
+       spec.loader.exec_module(module)
+       return module
+
+
+def fetchWhitelistingModule():
+       whitelisting_module_url = 
"https://raw.githubusercontent.com/openSUSE/rpmlint-checks/master/Whitelisting.py";
 
        with tempfile.NamedTemporaryFile(suffix = ".py") as temp:
                req = urllib.request.urlopen(whitelisting_module_url)
                temp.write(req.read())
                temp.flush()
 
-               spec = importlib.util.spec_from_file_location("Whitelisting", 
temp.name)
-               whitelisting = importlib.util.module_from_spec(spec)
-               spec.loader.exec_module(whitelisting)
-               return whitelisting
+               return loadLocalModule(temp.name, "Whitelisting")
+
+
+def getWhitelistingModule():
 
+       wm = os.environ.get("WHITELISTING_MODULE")
+
+       if wm:
+               return loadLocalModule(wm, "Whitelisting")
+       else:
+               return fetchWhitelistingModule()
 
 def checkParsing(path):
 
        global whitelisting
        if not whitelisting:
-               whitelisting = fetchWhitelistingModule()
+               whitelisting = getWhitelistingModule()
+
+       meta_whitelists = ("device-files-whitelist.json", 
"world-writable-whitelist.json")
 
-       parser = whitelisting.WhitelistParser(path)
+       if os.path.basename(path) in meta_whitelists:
+               parser = whitelisting.MetaWhitelistParser(path)
+       else:
+               parser = whitelisting.DigestWhitelistParser(path)
 
        try:
                entries = parser.parse()
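Review bot: getWhitelistingModule() executes whatever file WHITELISTING_MODULE points to, and fetchWhitelistingModule() still downloads and executes Whitelisting.py from an unpinned 'master' URL with no integrity check, so the outcome of verify.py depends on the current state of a remote branch; consider pinning the URL to a specific commit or tag of rpmlint-checks and documenting WHITELISTING_MODULE as a local development override only. Smaller points: the urllib.request.urlopen() response 'req' is never closed (use 'with urllib.request.urlopen(whitelisting_module_url) as req:'), the blank line directly after 'def getWhitelistingModule():' is stray, and the new os.environ and os.path.basename calls rely on 'os' being imported earlier in verify.py, which is outside the visible context of this hunk.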
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/rpmlint-security-whitelistings-master/world-writable-whitelist.json 
new/rpmlint-security-whitelistings-master/world-writable-whitelist.json
--- old/rpmlint-security-whitelistings-master/world-writable-whitelist.json     
1970-01-01 01:00:00.000000000 +0100
+++ new/rpmlint-security-whitelistings-master/world-writable-whitelist.json     
2020-07-31 10:46:36.000000000 +0200
@@ -0,0 +1,64 @@
+{
+       "bind-chrootenv": {
+               "audits": {
+                       "bsc#1174642": {
+                               "comment": "Chroot duplicate of the log socket. 
Packaged as %ghost, therefore 'appears' as a regular file.",
+                               "meta": {
+                                       "/var/lib/named/dev/log": {
+                                               "type": "-",
+                                               "mode": "0666",
+                                                "owner": "root:root"
+                                       }
+                               }
+                       }
+               }
+       },
+       "filesystem": {
+               "audits": {
+                       "bsc#1174642": {
+                               "comment": "Public standard sticky-bit 
directories",
+                               "meta": {
+                                       "/tmp": {
+                                               "type": "d",
+                                               "mode": "1777",
+                                               "owner": "root:root"
+                                       },
+                                       "/var/tmp": {
+                                               "type": "d",
+                                               "mode": "1777",
+                                               "owner": "root:root"
+                                       },
+                                       "/var/spool/mail": {
+                                               "type": "d",
+                                               "mode": "1777",
+                                               "owner": "root:root"
+                                       },
+                                       "/tmp/.X11-unix": {
+                                               "type": "d",
+                                               "mode": "1777",
+                                               "owner": "root:root"
+                                       },
+                                       "/tmp/.ICE-unix": {
+                                               "type": "d",
+                                               "mode": "1777",
+                                               "owner": "root:root"
+                                       }
+                               }
+                       }
+               }
+       },
+       "nscd": {
+               "audits": {
+                       "bsc#1174642": {
+                               "comment": "nss caching daemon socket. is 
packaged as %ghost, therefore 'appears' to be a regular file.",
+                               "meta": {
+                                       "/run/nscd/socket": {
+                                               "type": "-",
+                                               "mode": "0666",
+                                               "owner": "root:root"
+                                       }
+                               }
+                       }
+               }
+       }
+}
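Review bot: the /var/lib/named/dev/log and /run/nscd/socket entries whitelist a world-writable regular file ("type": "-", "mode": "0666") because the sockets are packaged as %ghost; as written the whitelist would equally accept a genuine 0666 regular file at those paths if a package ever stopped ghosting them, so the comments should state that the entries are only valid while the files stay %ghost, and the ghost status is worth re-checking when these packages change. Minor: the "owner" line for /var/lib/named/dev/log has one extra leading space compared to the other keys.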

