Hello community, here is the log from the commit of package rpmlint for openSUSE:Factory checked in at 2012-05-26 09:28:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rpmlint (Old) and /work/SRC/openSUSE:Factory/.rpmlint.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpmlint", Maintainer is "dmuel...@suse.com" Changes: --------
--- /work/SRC/openSUSE:Factory/rpmlint/rpmlint.changes 2012-05-16 21:09:36.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.rpmlint.new/rpmlint.changes 2012-05-26 09:28:27.000000000 +0200
@@ -1,0 +2,5 @@
+Wed May 23 12:43:40 UTC 2012 - lnus...@suse.de
+
+- add check for pam modules (fate#313077)
+
+-------------------------------------------------------------------
New: ---- CheckPAMModules.py ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ rpmlint.spec ++++++
--- /var/tmp/diff_new_pack.CtBoiZ/_old 2012-05-26 09:28:29.000000000 +0200
+++ /var/tmp/diff_new_pack.CtBoiZ/_new 2012-05-26 09:28:29.000000000 +0200
@@ -54,6 +54,7 @@
 Source24: pie.config
 Source25: licenses.config
 Source26: CheckLogrotate.py
+Source27: CheckPAMModules.py
 Source100: syntax-validator.py
 Url: http://rpmlint.zarb.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -236,6 +237,7 @@
 cp -p %{SOURCE22} .
 cp -p %{SOURCE23} .
 cp -p %{SOURCE26} .
+cp -p %{SOURCE27} .
 %build
 make %{?_smp_mflags}
++++++ CheckPAMModules.py ++++++
# vim:sw=4:et ############################################################################# # File : CheckPAMModules.py # Package : rpmlint # Author : Ludwig Nussel # Purpose : Check for pam modules that are not authorized by the security team ############################################################################# from Filter import * import AbstractCheck import re import os import string PAM_WHITELIST = Config.getOption('PAMModules.WhiteList', ()) # set of file names pam_module_re = re.compile('^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$') class PAMModulesCheck(AbstractCheck.AbstractCheck): def __init__(self): AbstractCheck.AbstractCheck.__init__(self, "CheckPAMModules") def check(self, pkg): global PAM_WHITELIST if pkg.isSource(): return files = pkg.files() for f in files: if f in pkg.ghostFiles(): continue m = pam_module_re.match(f) if m: bn = m.groups()[0] if not bn in PAM_WHITELIST: printError(pkg, "suse-pam-unauthorized-module", bn) check=PAMModulesCheck() if Config.info: addDetails( 'suse-pam-unauthorized-module', """The package installs a PAM module. If the package is intended for inclusion in any SUSE product please open a bug report to request review of the service by the security team.""", )
++++++ config ++++++
--- /var/tmp/diff_new_pack.CtBoiZ/_old 2012-05-26 09:28:30.000000000 +0200
+++ /var/tmp/diff_new_pack.CtBoiZ/_new 2012-05-26 09:28:30.000000000 +0200
@@ -38,6 +38,7 @@
 addCheck("BashismsCheck")
 addCheck("CheckBuildDate")
 addCheck("CheckLogrotate")
+addCheck("CheckPAMModules")
 # stuff autobuild takes care about
 addFilter(".*invalid-version.*")
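Review bot: In CheckPAMModules.py, `PAMModulesCheck.check` compares only the basename captured by `pam_module_re` with `PAM_WHITELIST`, so the whitelist approves a file name rather than the package that was reviewed; the per-package comments in the `PAMModules.WhiteList` hunk of `config` (where `"pam_ldap.so"` already appears under two packages) are not enforced by anything. If that is intended, say so next to the regex, e.g. `# match is by file name only; the shipping package is not verified`; otherwise the option could map each module name to the package names it was reviewed for, and the test could look up `bn` and compare against the package name as well. The pattern also covers only files directly inside the four `security` directories, which is worth stating in the same comment as a known limit of the check. Smaller points: the details text asks for review of "the service" where "the module" is presumably meant, `global PAM_WHITELIST` and the `os`/`string` imports are unused, `not bn in` reads better as `bn not in`, and the regex literal should be a raw string (`r'^(?:/usr)?/lib(?:64)?/security/([^/]+\.so)$'`).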
@@ -497,6 +498,120 @@
 "de.berlios.smb4k.mounthelper.service",
 ))
+setOption("PAMModules.WhiteList", (
+ # pam_p11
+ "pam_p11_opensc.so",
+ "pam_p11_openssh.so",
+ # pam_krb5
+ "pam_krb5.so",
+ "pam_krb5afs.so",
+ # ecryptfs-utils
+ "pam_ecryptfs.so",
+ # gnome-keyring-pam
+ "pam_gnome_keyring.so",
+ # pwdutils-rpasswd
+ "pam_rpasswd.so",
+ # samba-winbind
+ "pam_winbind.so",
+ # pam-modules
+ "pam_homecheck.so",
+ "pam_pwcheck.so",
+ "pam_unix2.so",
+ # pam_smb
+ "pam_smb_auth.so",
+ # ConsoleKit
+ "pam_ck_connector.so",
+ # pam_ssh
+ "pam_ssh.so",
+ # libcgroup1
+ "pam_cgroup.so",
+ # pam_fprint
+ "pam_fprint.so",
+ # pam_mount
+ "pam_mount.so",
+ # pam_ccreds
+ "pam_ccreds.so",
+ # pam_radius
+ "pam_radius_auth.so",
+ # pam_pkcs11
+ "pam_pkcs11.so",
+ # nss-pam-ldapd
+ "pam_ldap.so",
+ # pam_passwdqc
+ "pam_passwdqc.so",
+ # pam_userpass
+ "pam_userpass.so",
+ # pam_apparmor
+ "pam_apparmor.so",
+ # pam_ldap
+ "pam_ldap.so",
+ # cryptconfig
+ "pam_cryptpass.so",
+ # opie
+ "pam_opie.so",
+ # pam
+ "pam_access.so",
+ "pam_cracklib.so",
+ "pam_debug.so",
+ "pam_deny.so",
+ "pam_echo.so",
+ "pam_env.so",
+ "pam_exec.so",
+ "pam_faildelay.so",
+ "pam_filter.so",
+ "pam_ftp.so",
+ "pam_group.so",
+ "pam_issue.so",
+ "pam_keyinit.so",
+ "pam_lastlog.so",
+ "pam_limits.so",
+ "pam_listfile.so",
+ "pam_localuser.so",
+ "pam_loginuid.so",
+ "pam_mail.so",
+ "pam_mkhomedir.so",
+ "pam_motd.so",
+ "pam_namespace.so",
+ "pam_nologin.so",
+ "pam_permit.so",
+ "pam_pwhistory.so",
+ "pam_rhosts.so",
+ "pam_rootok.so",
+ "pam_securetty.so",
+ "pam_selinux.so",
+ "pam_sepermit.so",
+ "pam_shells.so",
+ "pam_stress.so",
+ "pam_succeed_if.so",
+ "pam_tally.so",
+ "pam_tally2.so",
+ "pam_time.so",
+ "pam_timestamp.so",
+ "pam_tty_audit.so",
+ "pam_umask.so",
+ "pam_unix.so",
+ "pam_unix_acct.so",
+ "pam_unix_auth.so",
+ "pam_unix_passwd.so",
+ "pam_unix_session.so",
+ "pam_userdb.so",
+ "pam_warn.so",
+ "pam_wheel.so",
+ "pam_xauth.so",
+ # systemd
+ "pam_systemd.so",
+ # sssd
+ "pam_sss.so",
+ # pam_mktemp
+ "pam_mktemp.so",
+ # pam_csync
+ "pam_csync.so",
+ # samba
+ "pam_smbpass.so",
+ # pam_chroot
+ "pam_chroot.so",
+))
+
 # Output filters
 addFilter(".*spurious-bracket-in-.*")
 addFilter(".*one-line-command-in-.*")
-- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org