Author: rra Date: 2008-03-12 08:45:30 +0100 (Wed, 12 Mar 2008) New Revision: 1259
Modified: trunk/checks/files trunk/checks/files.desc trunk/debian/changelog trunk/testset/filenames/debian/rules trunk/testset/tags.filenames trunk/unpack/unpack-binpkg-l1 Log: + [RA] Check for numeric owners or groups outside of the reserved static ranges. Patch from H?\195?\165kon Stordahl. (Closes: #469924) * unpack/unpack-binpkg-l1: + [RA] Extract a tar listing with numeric owners and groups into index-owner-id in the lab. Modified: trunk/checks/files =================================================================== --- trunk/checks/files 2008-03-12 07:13:25 UTC (rev 1258) +++ trunk/checks/files 2008-03-12 07:45:30 UTC (rev 1259) @@ -90,6 +90,8 @@ # Read package contents... open(IN, '<', "index") or fail("cannot open index file index: $!"); +open(NUMERIC, '<', "index-owner-id") + or fail("cannot open index file index-owner-id: $!"); while (<IN>) { chop; @@ -97,6 +99,13 @@ my $link; my $operm; + my $numeric = <NUMERIC>; + chop $numeric; + fail("cannot read index file index-owner-id") unless defined $numeric; + my ($owner_id, $file_chk) = (split(' ', $numeric, 6))[1, 5]; + fail("mismatching contents of index files: $file $file_chk") + if $file ne $file_chk; + $file =~ s,^\./,,; if ($file =~ s/ link to (.*)//) { @@ -128,6 +137,14 @@ tag "package-contains-ancient-file", "$file $date"; } + my ($owner_uid, $owner_gid) = split ('/', $owner_id); + if (!($owner_uid < 100 || $owner_uid == 65534 + || ($owner_uid >= 60000 && $owner_uid < 65000)) + || !($owner_gid < 100 || $owner_gid == 65534 + || ($owner_gid >= 60000 && $owner_gid < 65000))) { + tag "wrong-file-owner-uid-or-gid", $file, $owner_id; + } + # *.devhelp and *.devhelp2 files must be accessible from a directory in # the devhelp search path: /usr/share/devhelp/books and # /usr/share/gtk-doc/html. We therefore look for any links in one of 
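Review bot: In the second checks/files hunk, `chop $numeric` runs before the `defined $numeric` test, so when index-owner-id is shorter than index the code chops undef (a warning under -w) before it reaches the intended fail(). Test first and then strip the newline: `my $numeric = <NUMERIC>;` `fail("cannot read index file index-owner-id") unless defined $numeric;` `chomp $numeric;`. The name comparison that follows depends on both listings being sorted and rewritten identically by unpack-binpkg-l1, which is worth a one-line comment here, e.g. `# index-owner-id is generated in the same order as index; see unpack-binpkg-l1`. The enclosing while loop begins in the previous hunk and continues past this one.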
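Review bot: In the third checks/files hunk, `$owner_uid` and `$owner_gid` go into numeric comparisons without being checked for digits, so a missing or non-numeric field numifies to 0 and is accepted as uid/gid 0. The listing is derived from the package under inspection, so the check should fail closed on anything unexpected: `(my ($owner_uid, $owner_gid) = $owner_id =~ m,^(\d+)/(\d+)$,) or fail("cannot parse owner id for $file");`. The accepted range here is 60000-64999, whereas the files.desc text added in the same commit says 64000-64999. The two should agree.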
@@ -860,6 +877,9 @@ } close(IN); +fail("mismatching contents of index files") if <NUMERIC>; +close(NUMERIC); + #check for sect: games but nothing in /usr/games. Check for any binary to #save ourselves from game-data false positives: if ($pkg_section =~ m,games$, Modified: trunk/checks/files.desc =================================================================== --- trunk/checks/files.desc 2008-03-12 07:13:25 UTC (rev 1258) +++ trunk/checks/files.desc 2008-03-12 07:45:30 UTC (rev 1259) @@ -732,3 +732,13 @@ <tt>/usr/share/linda/overrides</tt>. Linda is obsolete and has been removed from the archive as of 2008-03-04. Linda overrides should probably be dropped from packages. + +Tag: wrong-file-owner-uid-or-gid +Type: error +Info: The user or group ID of the owner of the file is invalid. The + owner user and group IDs must be in the set of globally allocated + IDs, because other IDs are dynamically allocated and might be used + for varying purposes on different systems, or are reserved. The set + of the allowed, globally allocated IDs consists of the ranges 0-99, + 64000-64999 and 65534. +Ref: policy 9.2 Modified: trunk/debian/changelog =================================================================== --- trunk/debian/changelog 2008-03-12 07:13:25 UTC (rev 1258) +++ trunk/debian/changelog 2008-03-12 07:45:30 UTC (rev 1259) @@ -19,6 +19,8 @@ + [RA] /etc/init.d/{skeleton,README} don't need to be executable. + [RA] Warn about linda overrides since linda has been removed from the archive. Thanks, Y Giridhar Appaji Nag. (Closes: #469603) + + [RA] Check for numeric owners or groups outside of the reserved + static ranges. Patch from HÃ¥kon Stordahl. (Closes: #469924) * checks/scripts: + [RA] Attempt to quash some Perl warnings. + [RA] *.py files in /usr/{lib,share}, /etc/init.d/skeleton, and *.ex 
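Review bot: The trailing-data check `fail("mismatching contents of index files") if <NUMERIC>;` tests the truth of the next line rather than whether one exists, and it consumes that line in the process. `fail("mismatching contents of index files") unless eof(NUMERIC);` states the intent directly and does not depend on the line content being a true value. The message could also name index-owner-id, so that it can be told apart from the per-file mismatch raised inside the loop.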
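Review bot: The Info text for wrong-file-owner-uid-or-gid gives the second allowed range as 64000-64999, but the check added to checks/files in this commit accepts `$owner_uid >= 60000 && $owner_uid < 65000`. The Policy section cited in the Ref line lists 60000-64999 as globally allocated, so the description looks like the typo and should read `IDs consists of the ranges 0-99, 60000-64999 and 65534.`. As written, a maintainer reading the tag description would be told that an ID such as 61000 is rejected when the code accepts it.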
@@ -39,6 +41,9 @@ * unpack/list-srcpkg: + [RA] Fix syntax error introduced by Uploaders support. + * unpack/unpack-binpkg-l1: + + [RA] Extract a tar listing with numeric owners and groups into + index-owner-id in the lab. -- Russ Allbery <[EMAIL PROTECTED]> Tue, 04 Mar 2008 13:07:18 -0800 Modified: trunk/testset/filenames/debian/rules =================================================================== --- trunk/testset/filenames/debian/rules 2008-03-12 07:13:25 UTC (rev 1258) +++ trunk/testset/filenames/debian/rules 2008-03-12 07:45:30 UTC (rev 1259) @@ -125,6 +125,13 @@ touch debian/tmp/usr/bin/bin/bad chmod 755 debian/tmp/usr/bin/bin/bad + # Create some files with invalid ownership. + set -e; for owner in 100:0 0:2001 30001:65535 65535:65001; do \ + touch debian/tmp/usr/lib/filenames/wrong-owner-$$owner ; \ + chmod 644 debian/tmp/usr/lib/filenames/wrong-owner-$$owner ; \ + chown "$$owner" debian/tmp/usr/lib/filenames/wrong-owner-$$owner ; \ + done + install -m 644 debian/changelog debian/tmp/usr/share/doc/filenames/Changes gzip -9 debian/tmp/usr/share/doc/filenames/Changes ln -s Changes.gz debian/tmp/usr/share/doc/filenames/changelog.gz Modified: trunk/testset/tags.filenames =================================================================== --- trunk/testset/tags.filenames 2008-03-12 07:13:25 UTC (rev 1258) +++ trunk/testset/tags.filenames 2008-03-12 07:45:30 UTC (rev 1259) 
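Review bot: The ownership test in the `for owner in 100:0 0:2001 30001:65535 65535:65001` loop only uses values well inside the rejected ranges, so none of the range boundaries enforced in checks/files is pinned. Adding edge cases such as `59999:0` and `0:65000` (constructed examples, with matching lines in tags.filenames) would catch an off-by-one, or a 60000/64000 mix-up like the one between the code and files.desc. Files owned by accepted edge values (99, 60000, 64999, 65534) would likewise confirm that the check does not over-report. The chown calls presumably rely on the build running under root or fakeroot, which is worth stating in the comment.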
@@ -29,6 +29,10 @@ E: filenames: symlink-should-be-absolute usr/lib/filenames/symlink1wrong ../../../etc/symlink E: filenames: use-of-compat-symlink usr/bin/X11/ E: filenames: use-of-compat-symlink usr/bin/X11/testxbin +E: filenames: wrong-file-owner-uid-or-gid usr/lib/filenames/wrong-owner-0:2001 0/2001 +E: filenames: wrong-file-owner-uid-or-gid usr/lib/filenames/wrong-owner-100:0 100/0 +E: filenames: wrong-file-owner-uid-or-gid usr/lib/filenames/wrong-owner-30001:65535 30001/65535 +E: filenames: wrong-file-owner-uid-or-gid usr/lib/filenames/wrong-owner-65535:65001 65535/65001 E: more-filename-games: no-copyright-file I: filename-games: no-md5sums-control-file I: filenames: file-in-usr-something-x11-without-pre-depends usr/include/X11/ Modified: trunk/unpack/unpack-binpkg-l1 =================================================================== --- trunk/unpack/unpack-binpkg-l1 2008-03-12 07:13:25 UTC (rev 1258) +++ trunk/unpack/unpack-binpkg-l1 2008-03-12 07:45:30 UTC (rev 1259) @@ -80,6 +80,15 @@ "$base_dir/index") == 0 or fail(); +# (replaces dpkg-deb -c) +# create index file for package with owner IDs instead of names +pipeline((sub { exec "dpkg-deb", "--fsys-tarfile", $file }), + (sub { exec "tar", "--numeric-owner", "-tvf", "-" }), + (sub { exec "sed", "-e", "s/^h/-/" }), + (sub { exec "sort", "-k", "6" }), + "$base_dir/index-owner-id") == 0 + or fail(); + # get package control information my $data = (read_dpkg_control("$base_dir/control/control"))[0]; $data->{'source'} or ($data->{'source'} = $data->{'package'}); -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
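Review bot: In the unpack-binpkg-l1 hunk, the comment `# (replaces dpkg-deb -c)` appears to be carried over from the index pipeline above and does not state the constraint that matters for this one. checks/files reads index and index-owner-id in lockstep and fails on the first name mismatch, so the two pipelines must keep identical sed and sort stages. I would replace the comment with something like `# Same listing as index but with numeric owner/group; must stay line-for-line aligned with index (checks/files compares the names).`. The bare `or fail()` also gives no hint which pipeline broke, so a message such as `or fail("cannot create index-owner-id")` would help. The index pipeline itself starts above the hunk, so I cannot confirm that its stages match.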