Hello community, here is the log from the commit of package rpmlint-mini for openSUSE:Factory checked in at 2020-08-17 12:00:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rpmlint-mini (Old) and /work/SRC/openSUSE:Factory/.rpmlint-mini.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpmlint-mini" Mon Aug 17 12:00:03 2020 rev:104 rq:826022 version:1.10 Changes: -------- --- /work/SRC/openSUSE:Factory/rpmlint-mini/rpmlint-mini.changes 2020-07-31 15:52:27.752031495 +0200 +++ /work/SRC/openSUSE:Factory/.rpmlint-mini.new.3399/rpmlint-mini.changes 2020-08-17 12:00:28.474530229 +0200 @@ -1,0 +2,6 @@ +Wed Aug 12 11:50:49 UTC 2020 - matthias.gerst...@suse.com + +- seucirty-whitelistings: update to version master: + * Introduce new metadata based whitelistings for device files and world-writable files + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.WV4Fsr/_old 2020-08-17 12:00:34.202533421 +0200 +++ /var/tmp/diff_new_pack.WV4Fsr/_new 2020-08-17 12:00:34.206533423 +0200 @@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/rpmlint-security-whitelistings</param> - <param name="changesrevision">25ed71ab5b8ad0c5dfc8f1adeba8b783c47dcd9f</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">a2926238c7a310a1635935ce1faa4a097076d7b9</param></service></servicedata> \ No newline at end of file ++++++ rpmlint-security-whitelistings-master.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/README.md new/rpmlint-security-whitelistings-master/README.md --- old/rpmlint-security-whitelistings-master/README.md 2020-07-28 07:41:04.000000000 +0200 +++ new/rpmlint-security-whitelistings-master/README.md 2020-07-31 10:46:36.000000000 +0200 
@@ -36,6 +36,21 @@ Types of Whitelistings ---------------------- +### Digest Based Whitelistings + +This type of whitelist cares about the contents of files in certain file +system locations. It whitelists file system entries by name and an optional +content digest. + +### Metadata Based Whitelistings + +This type of whitelist cares about a file's metadata like file type and UNIX +permissions. It whitelists file system entries by comparing the file type, +mode bits and ownership. + +Instances of Whitelistings +-------------------------- + ### Cron Jobs The file `cron-whitelist.json` contains whitelisting entries for files @@ -45,6 +60,28 @@ restrictions on the introduction of new cron jobs or changes to existing cron jobs. +### Device Files + +The file `device-files-whitelist.json` contains whitelisting entries for +device file packaged in RPMs. Device files in RPMs should be an unusual +event. Since device files with bad permissions may allow unprivileged users to +access sensitive system devices it is important to restrict packaging of this +type of files. A metadata whitelisting is used for whitelist any occurences of +device files in packages. + +### World Writable Files + +There shouldn't be any files packaged that are world-writable. A few +exceptions are public sticky-bit directories or UNIX domain sockets that are +accessible to everybody. These occurrences are covered by this metadata +whitelisting. + +### Note About setuid/setgid Bits + +Setuid, setgid or capability bits are currently not kept track of here, +because they are managed by the [permissions +package](https://github.com/openSUSE/permissions). + Whitelisting Examples --------------------- @@ -53,6 +90,7 @@ does *not* support such comments, however. <pre> +# a digest based whitelist { # the package name "atop-daemon": { 
@@ -92,6 +130,40 @@ } } } + } +} +</pre> + +<pre> +# a metadata based whitelist +{ + "filesystem": { + "audits": { + "bsc#123456": { + "comment": "some typical special files", + # here we use a meta entry instead of a "digests" entry to + # whitelist file properties in contrast to file contents. + "meta": { + "/some/dev": { + # denotes the whitelisted type of file. supported + # characters are currently: + # '-': regular file + # 'd': directory + # 'c': character device + # 'b': block device + # 's': UNIX domain socket + "type": "b", + # the allowed UNIX octal file mode + "mode": "0666", + # for device files this denotes the allowed minor and + # major device number separated by comma + "dev": "1,2", + # the allowed user and group ownership for the file + "owner": "root:root" + } + } + } + } } } </pre> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/device-files-whitelist.json new/rpmlint-security-whitelistings-master/device-files-whitelist.json --- old/rpmlint-security-whitelistings-master/device-files-whitelist.json 1970-01-01 01:00:00.000000000 +0100 +++ new/rpmlint-security-whitelistings-master/device-files-whitelist.json 2020-07-31 10:46:36.000000000 +0200 
@@ -0,0 +1,29 @@ +{ + "bind-chrootenv": { + "audits": { + "bsc#1174642": { + "comment": "Chroot duplicates of some uncritical character devices. urandom was historically packaged non-world-writable, probably to avoid the rpmlint error triggering.", + "meta": { + "/var/lib/named/dev/null": { + "type": "c", + "mode": "0666", + "dev": "1,3", + "owner": "root:root" + }, + "/var/lib/named/dev/random": { + "type": "c", + "mode": "0666", + "dev": "1,8", + "owner": "root:root" + }, + "/var/lib/named/dev/urandom": { + "type": "c", + "mode": "0660", + "dev": "1,9", + "owner": "root:root" + } + } + } + } + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/verify.py new/rpmlint-security-whitelistings-master/verify.py --- old/rpmlint-security-whitelistings-master/verify.py 2020-07-28 07:41:04.000000000 +0200 +++ new/rpmlint-security-whitelistings-master/verify.py 2020-07-31 10:46:36.000000000 +0200 
@@ -78,30 +78,47 @@ whitelisting = None -def fetchWhitelistingModule(): - whitelisting_module_url = "https://raw.githubusercontent.com/openSUSE/rpmlint-checks/master/Whitelisting.py" - +def loadLocalModule(path, name): # only available from python3.5 and newer import importlib.util + spec = importlib.util.spec_from_file_location(name, path) + module = importlib.util.module_from_spec(spec) + spec.loader.exec_module(module) + return module + + +def fetchWhitelistingModule(): + whitelisting_module_url = "https://raw.githubusercontent.com/openSUSE/rpmlint-checks/master/Whitelisting.py" with tempfile.NamedTemporaryFile(suffix = ".py") as temp: req = urllib.request.urlopen(whitelisting_module_url) temp.write(req.read()) temp.flush() - spec = importlib.util.spec_from_file_location("Whitelisting", temp.name) - whitelisting = importlib.util.module_from_spec(spec) - spec.loader.exec_module(whitelisting) - return whitelisting + return loadLocalModule(temp.name, "Whitelisting") + + +def getWhitelistingModule(): + wm = os.environ.get("WHITELISTING_MODULE") + + if wm: + return loadLocalModule(wm, "Whitelisting") + else: + return fetchWhitelistingModule() def checkParsing(path): global whitelisting if not whitelisting: - whitelisting = fetchWhitelistingModule() + whitelisting = getWhitelistingModule() + + meta_whitelists = ("device-files-whitelist.json", "world-writable-whitelist.json") - parser = whitelisting.WhitelistParser(path) + if os.path.basename(path) in meta_whitelists: + parser = whitelisting.MetaWhitelistParser(path) + else: + parser = whitelisting.DigestWhitelistParser(path) try: entries = parser.parse() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-security-whitelistings-master/world-writable-whitelist.json new/rpmlint-security-whitelistings-master/world-writable-whitelist.json --- old/rpmlint-security-whitelistings-master/world-writable-whitelist.json 1970-01-01 01:00:00.000000000 +0100 +++ 
new/rpmlint-security-whitelistings-master/world-writable-whitelist.json 2020-07-31 10:46:36.000000000 +0200 @@ -0,0 +1,64 @@ +{ + "bind-chrootenv": { + "audits": { + "bsc#1174642": { + "comment": "Chroot duplicate of the log socket. Packaged as %ghost, therefore 'appears' as a regular file.", + "meta": { + "/var/lib/named/dev/log": { + "type": "-", + "mode": "0666", + "owner": "root:root" + } + } + } + } + }, + "filesystem": { + "audits": { + "bsc#1174642": { + "comment": "Public standard sticky-bit directories", + "meta": { + "/tmp": { + "type": "d", + "mode": "1777", + "owner": "root:root" + }, + "/var/tmp": { + "type": "d", + "mode": "1777", + "owner": "root:root" + }, + "/var/spool/mail": { + "type": "d", + "mode": "1777", + "owner": "root:root" + }, + "/tmp/.X11-unix": { + "type": "d", + "mode": "1777", + "owner": "root:root" + }, + "/tmp/.ICE-unix": { + "type": "d", + "mode": "1777", + "owner": "root:root" + } + } + } + } + }, + "nscd": { + "audits": { + "bsc#1174642": { + "comment": "nss caching daemon socket. is packaged as %ghost, therefore 'appears' to be a regular file.", + "meta": { + "/run/nscd/socket": { + "type": "-", + "mode": "0666", + "owner": "root:root" + } + } + } + } + } +}
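Review bot: the new changelog entry in the rpmlint-mini.changes hunk misspells the component name: "seucirty-whitelistings" should read "security-whitelistings" so it matches the repository name recorded in _servicedata (rpmlint-security-whitelistings) and can be found when searching the changelog.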
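Review bot: the "Device Files" section of the README hunk (@@ -45,6 +60,28 @@) has several grammar slips that should be fixed before this lands: "device file packaged in RPMs" should be "device files packaged in RPMs", "is used for whitelist any occurences of device files" should be "is used to whitelist any occurrences of device files", and "this type of files" should be "this type of file". The "World Writable Files" section also names UNIX domain sockets as an accepted exception, but the socket entries added in world-writable-whitelist.json are expressed as type "-" because they are packaged as %ghost; one sentence explaining that convention here would save readers a trip to the JSON comments.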
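Review bot: the comment on the "dev" key in the metadata example (README hunk @@ -92,6 +130,40 @@) says the value is "the allowed minor and major device number separated by comma", but the real entries added in device-files-whitelist.json ("1,3" for /var/lib/named/dev/null, "1,8" for random, "1,9" for urandom) are major followed by minor, as these are the memory-device major 1 nodes. Reword to "the allowed major and minor device number separated by comma". It would also help to state whether "mode" is compared for exact equality or as an upper bound, since for a world-writable check a reader needs to know whether an entry allowing "0666" would also accept "0644" (or the reverse).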
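Review bot: the urandom entry in the device-files-whitelist.json hunk whitelists /var/lib/named/dev/urandom as mode "0660" owned root:root, while the comment in the same audit says that mode is probably a historic artifact of avoiding the rpmlint error. Adding it to the whitelist now freezes that accidental state: a non-root process inside the chroot that is not in group root cannot read this node, unlike /dev/urandom on the host, which the sibling entries for null and random show as 0666. Decide which mode is actually intended, whitelist that, and make the comment state the decision rather than a guess.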
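Review bot: in the verify.py hunk, checkParsing chooses the parser from a hard-coded tuple meta_whitelists = ("device-files-whitelist.json", "world-writable-whitelist.json"), so any metadata whitelist added later will silently be handed to DigestWhitelistParser unless someone remembers to edit this file; consider selecting the parser from the file's own content (an audit carrying "meta" versus "digests") or from a naming convention, so the JSON files and verify.py cannot drift apart. Two smaller points: fetchWhitelistingModule still downloads and executes Whitelisting.py from the master branch without pinning a revision or checking a digest, so the result of verification depends on whatever is on master at run time (pin a commit, or at least print the revision used); and the new code calls os.environ and os.path.basename, but no import of os is visible in the hunk context, so confirm it exists at module top.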
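Review bot: the two %ghost socket entries in the world-writable-whitelist.json hunk (/var/lib/named/dev/log and /run/nscd/socket) are whitelisted as "type": "-" with "mode": "0666", which means the whitelist also accepts an actual world-writable regular file at either path should one ever be packaged for real, which is exactly the case the check exists to catch. If the parser can express it, a dedicated ghost marker (or "type": "s" with ghost-aware handling) would keep the entry tied to the socket it describes; failing that, the comments already explain the situation, but the README should document that %ghost sockets have to be listed as "-".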