The following commit has been merged in the master branch:
commit 3dc58767f21fec9df9f0f40cf1ea66175483e257
Author: Russ Allbery r...@debian.org
Date: Mon Dec 29 16:25:38 2008 -0800
Check for scripts in /etc calling init scripts directly
* checks/scripts{,.desc}:
+ [RA] Check for scripts in /etc that call init scripts directly
without using invoke-rc.d. Based on a patch by Raphael Geissert.
(Closes: #381485)
diff --git a/checks/scripts b/checks/scripts
index 2085b06..919f92d 100644
--- a/checks/scripts
+++ b/checks/scripts
@@ -185,6 +185,11 @@ our @depends_needed = (
[ 'xml-core'= '\bupdate-xmlcatalog\s' ],
);
+# When detecting commands inside shell scripts, use this regex to match the
+# beginning of the command rather than checking whether the command is at the
+# beginning of a line.
+our $LEADIN = qr'(?:(?:^|[`;(|{])\s*|(?:if|then|do|while)\s+)';
+
sub run {
my %executable = ();
@@ -327,6 +332,41 @@ for my $filename (sort keys %{$info-scripts}) {
tag(unusual-interpreter, $filename, #!$interpreter);
}
+# Do some additional checks on shell scripts in /etc. This should
+# probably be extended eventually to any script in a public directory.
+# This also needs smarter processing of multiline quoted strings,
+# heredocs, and so forth. Hopefully it will do for right now.
+if ($filename =~ m,^./etc/, and $base =~ /^$known_shells_regex$/) {
+ my ($saw_init, $saw_invoke);
+ local $.;
+ open(FH, '', 'unpacked/' . $filename);
+ while (FH) {
+ next if m,^\s*$,; # skip empty lines
+ next if m,^\s*\#,; # skip comment lines
+ s/\#.*$//; # eat comments
+ chomp;
+
+ # Check for running init scripts directly instead of via
+ # invoke-rc.d. Scripts are allowed to reinvoke themselves with a
+ # different argument; some init scripts implement actions that
+ # way. Scripts are also allowed to do this for actions other than
+ # those defined for invoke-rc.d.
+ if (m,$LEADIN/etc/init.d/(\S+)\s+[\\']?(\S+)[\\']?,) {
+ my ($script, $action) = ($1, $2);
+ next if ./etc/init.d/$script eq $filename;
+ next unless $action =~
/^(force-)?(start|stop|restart|reload|status)$/;
+ $saw_init = $.;
+ }
+ if (m%^\s*invoke-rc\.d\s+%) {
+ $saw_invoke = 1;
+ }
+ }
+ close(FH);
+ if ($saw_init and not $saw_invoke) {
+ tag 'script-calls-init-script-directly', $filename:$saw_init;
+ }
+}
+
# If we found the interpreter and the script is executable, check
# dependencies. This should be the last thing we do in the loop so that
# we can use next for an early exit and reduce the nesting.
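Review bot: In the new init-script match `if (m,$LEADIN/etc/init.d/(\S+)\s+[\\']?(\S+)[\\']?,)` the greedy `(\S+)` swallows a closing quote, so a quoted action such as `'start'` yields `$action = "start'"`, the anchored `/^(force-)?(start|stop|restart|reload|status)$/` test then fails and the `next` skips the line, meaning quoted invocations are never tagged; excluding quote characters from the capture, `[\\'"]?([^\s\\'"]+)`, keeps the check working for both forms (a double quote in the class may have been lost in rendering). The `open(FH, ...)` a few lines earlier is unchecked and uses a bareword handle: if the unpacked file cannot be opened, the loop silently reads nothing and the script is treated as clean, so `open(FH, '<', 'unpacked/' . $filename) or die "cannot open unpacked/$filename: $!";` would at least surface the failure (the mode string appears to have been lost in rendering). The `invoke-rc.d` test is anchored with `^\s*` while the `/etc/init.d/` test uses `$LEADIN`, so a same-line usage like `... && invoke-rc.d $script start` would not set `$saw_invoke` and the script would be tagged despite using invoke-rc.d; `m,${LEADIN}invoke-rc\.d\s+,` would make the two tests consistent. The enclosing `sub run` loop over the package's scripts starts and ends outside this hunk.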
@@ -491,7 +531,6 @@ while (SCRIPTS) {
my %warned;
my ($saw_init, $saw_invoke, $saw_debconf, $saw_sete, $has_code);
my $cat_string = ;
-my $LEADIN = qr'(?:(?:^|[`;(|{])\s*|(?:if|then|do|while)\s+)';
my $previous_line = ;
while (C) {
@@ -547,7 +586,7 @@ while (SCRIPTS) {
}
# Collect information about init script invocations to catch running
- # init scripts directory rather than through invoke-rc.d. Since the
+ # init scripts directly rather than through invoke-rc.d. Since the
# script is allowed to run the init script directly if invoke-rc.d
# doesn't exist, only tag direct invocations where invoke-rc.d is
# never used in the same script. Lots of false negatives, but
diff --git a/checks/scripts.desc b/checks/scripts.desc
index 5889046..c215f5d 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -425,6 +425,15 @@ Info: This script apparently runs an init script directly
rather than
available.
Ref: policy 9.3.3.2
+Tag: script-calls-init-script-directly
+Severity: normal
+Certainty: possible
+Info: This script apparently runs an init script directly rather than
+ using ttinvoke-rc.d/tt. While use of ttinvoke-rc.d/tt is only
+ required for maintainer scripts, supporting the policy layer that it
+ implements is a good idea in any script.
+Ref: policy 9.3.3.2
+
Tag: gconftool-used-in-maintainer-script
Severity: normal
Certainty: possible
diff --git a/debian/changelog b/debian/changelog
index d485642..2a11e8a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ lintian (2.1.4) UNRELEASED; urgency=low
- desktop-mimetype-without-update-call
- forbidden-postrm-interpreter
- preinst-interpreter-without-predepends
+ - script-calls-init-script-directly
- unknown-control-interpreter (split from unusual-interpreter)
+ Removed
- desktop-file-but-no-dh_desktop-call
@@ -31,6 +32,9 @@ lintian (2.1.4) UNRELEASED; urgency=low
interpreter-in-usr-local since the severity is higher.
- unusual-control-interpreter is certain, not