lintian: r650 - in trunk: checks debian testset testset/scripts/debian
Author: rra
Date: 2006-05-01 04:13:35 +0200 (Mon, 01 May 2006)
New Revision: 650
Modified:
trunk/checks/files
trunk/checks/files.desc
trunk/debian/changelog
trunk/testset/scripts/debian/rules
trunk/testset/tags.scripts
Log:
* checks/files{.desc,}:
+ [RA] Add an explicit check for non-world-readable executables to
provide a more detailed explanation and tighten the accepted
permissions of setuid and setgid executables to just the permissions
mentioned in Policy 10.9. Add Policy 10.9 references to the
descriptions. Reported by Piotr Engelking. (Closes: #365452)
+ [RA] Add a request to the descriptions of setuid and setgid tags to
add a lintian override for documentation if the permissions are
intentional.
+ [RA] Report a more specific tag for binaries that are owned by group
games but are not setgid.
Modified: trunk/checks/files
===================================================================
--- trunk/checks/files 2006-04-30 20:01:33 UTC (rev 649)
+++ trunk/checks/files 2006-05-01 02:13:35 UTC (rev 650)
@@ -514,14 +514,11 @@
$setuid = $user if ($operm & 04000);
$setgid = $group if ($operm & 02000);
- $wanted_operm = 0755;
-
# 1st special case: program is using svgalib:
if (exists $linked_against_libvga{$file}) {
# setuid root is ok, so remove it
if ($setuid eq 'root') {
undef $setuid;
- $wanted_operm |= 04000;
}
}
@@ -530,40 +527,48 @@
# setgid games is ok, so remove it
if ($setgid eq 'games') {
undef $setgid;
- $wanted_operm |= 02000;
}
}
- #allow anything with suid in the name
+ # 3rd special case: allow anything with suid in the name
if ($pkg =~ m,-suid,) {
undef $setuid;
- $wanted_operm |= 04000;
}
+ # Check for setuid and setgid that isn't expected.
if ($setuid and $setgid) {
tag "setuid-gid-binary", $file, sprintf("%04o $owner",$operm);
} elsif ($setuid) {
tag "setuid-binary", $file, sprintf("%04o $owner",$operm);
} elsif ($setgid) {
tag "setgid-binary", $file, sprintf("%04o $owner",$operm);
- } elsif ($operm != $wanted_operm) {
- tag "non-standard-executable-perm",
- sprintf("$file %04o != %04o",$operm,$wanted_operm);
}
+
+ # Check for permission problems other than the setuid status.
+ if (($operm & 0444) != 0444) {
+ tag "executable-is-not-world-readable", $file,
+ sprintf("%04o",$operm);
+ } elsif ($operm != 04755 && $operm != 02755 && $operm != 06755 && $operm != 04754) {
+ tag "non-standard-setuid-executable-perm", $file,
+ sprintf("%04o",$operm);
+ }
}
# ---------------- general: executable files
elsif ($perm =~ m/[xt]/) {
# executable
if ($owner =~ m,root/games,) {
if ($operm != 2755) {
- tag "non-standard-executable-perm", $file,
+ tag "non-standard-game-executable-perm", $file,
sprintf("%04o != 2755",$operm);
}
} else {
- if ($operm != 0755) {
+ if (($operm & 0444) != 0444) {
+ tag "executable-is-not-world-readable", $file,
+ sprintf("%04o != 0755",$operm);
+ } elsif ($operm != 0755) {
tag "non-standard-executable-perm", $file,
sprintf("%04o != 0755",$operm);
- }
+ }
}
}
# ---------------- general: normal (non-executable) files
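Review bot: The comparison guarding the renamed tag at `tag "non-standard-game-executable-perm"` is `if ($operm != 2755)`, a decimal literal, while every other mode in this hunk is octal (`0755`, `02755`, `04755`); decimal 2755 is octal 05303, so this branch can never observe a match. Since this `elsif` appears to be reached only for executables without a setuid/setgid bit, the practical effect is probably that every root/games executable gets the tag whatever its mode, which may even be the intended outcome, but the literal should read `if ($operm != 02755) {` so the check matches what the message `%04o != 2755` claims. Separately, the two new `executable-is-not-world-readable` emissions are formatted differently: the setuid branch prints `sprintf("%04o",$operm)` while the general branch prints `sprintf("%04o != 0755",$operm)`, and tags.scripts now pins both forms; using the bare mode in both places would keep the output uniform, since the tag is about the read bits rather than one expected mode. The enclosing permission dispatch starts before this hunk and continues after it.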
Modified: trunk/checks/files.desc
===================================================================
--- trunk/checks/files.desc 2006-04-30 20:01:33 UTC (rev 649)
+++ trunk/checks/files.desc 2006-05-01 02:13:35 UTC (rev 650)
@@ -166,36 +166,65 @@
Type: warning
Info: The directory has a mode different from 0755, and it's not one of the
known exceptions.
+Ref: policy 10.9
-Tag: non-standard-game-executable-perm
+Tag: executable-is-not-world-readable
Type: warning
-Info: The file has a mode different from 2755 or 0755. In some cases this
- is intentional, but in other cases this is a bug.
+Info: All executabless should be readable by any user. Since anyone can
+ download the Debian package and obtain a copy of the executable, no
+ security is gained by making the executable unreadable even for setuid
+ binaries. If only members of a certain group may execute this file,
+ remove execute permission for world, but leave read permission.
+Ref: policy 10.9
Tag: non-standard-executable-perm
Type: warning
-Info: The file has a mode different from 0755. In some cases this is
- intentional, but in other cases this is a bug.
+Info: Executables that are not setuid or setgid should always have a mode
+ of 0755. Since anyone can obtain the executable by downloading the
+ Debian package and extracting it, restricting access serves little
+ purpose.
+Ref: policy 10.9
+Tag: non-standard-game-executable-perm
+Type: warning
+Info: The file is owned by the games group but is not mode 2755. If a
+ game does not have to be setgid games, it should be owned by the root
+ group like any other executable. This executable is either owned by the
+ wrong group or is not setgid when it should be.
+
+Tag: non-standard-setuid-executable-perm
+Type: warning
+Info: The file is setuid or setgid and has a mode different from any of
+ 2755, 4755, 4754, or 6755. Any other permissions on setuid executables
+ is probably a bug. In particular, removing root write privileges serves
+ no purpose, group-writable setuid or setgid executables are probably bad
+ ideas, and setgid executables that are not world-executable serve little
+ purpose.
+Ref: policy 10.9
+
Tag: setuid-binary
Type: warning
-Info: The file is tagged SETUID. In some cases this is
- intentional, but in other cases this is a bug.
+Info: The file is tagged SETUID. In some cases this is intentional, but in
+ other cases this is a bug. If this is intentional, please add a lintian
+ override to document this fact.
Tag: setgid-binary
Type: warning
-Info: The file is tagged SETGID. In some cases this is
- intentional, but in other cases this is a bug.
+Info: The file is tagged SETGID. In some cases this is intentional, but in
+ other cases this is a bug. If this is intentional, please add a lintian
+ override to document this fact.
Tag: setuid-gid-binary
Type: warning
Info: The file is tagged SETUID and SETGID. In some cases this is
- intentional, but in other cases this is a bug.
+ intentional, but in other cases this is a bug. If this is intentional,
+ please add a lintian override to document this fact.
Tag: non-standard-file-perm
Type: warning
Info: The file has a mode different from 0644. In some cases this is
intentional, but in other cases this is a bug.
+Ref: policy 10.9
Tag: special-file
Type: error
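Review bot: The new `executable-is-not-world-readable` description reads `All executabless should be readable by any user.`; the word should be `executables`. In the `non-standard-setuid-executable-perm` entry, `Any other permissions on setuid executables is probably a bug` mixes a plural subject with a singular verb; `Any other permission set on a setuid executable is probably a bug.` reads cleanly. Both strings are shown to users by lintian -i, so they are worth fixing before release.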
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2006-04-30 20:01:33 UTC (rev 649)
+++ trunk/debian/changelog 2006-05-01 02:13:35 UTC (rev 650)
@@ -3,8 +3,19 @@
* checks/fields:
+ [RA] xfonts-encodings is also not an xfont package. Thanks, Drew
Parsons. (Closes: #365503)
+ * checks/files{.desc,}:
+ + [RA] Add an explicit check for non-world-readable executables to
+ provide a more detailed explanation and tighten the accepted
+ permissions of setuid and setgid executables to just the permissions
+ mentioned in Policy 10.9. Add Policy 10.9 references to the
+ descriptions. Reported by Piotr Engelking. (Closes: #365452)
+ + [RA] Add a request to the descriptions of setuid and setgid tags to
+ add a lintian override for documentation if the permissions are
+ intentional.
+ + [RA] Report a more specific tag for binaries that are owned by group
+ games but are not setgid.
- -- Russ Allbery <rra@debian.org> Sun, 30 Apr 2006 13:00:00 -0700
+ -- Russ Allbery <rra@debian.org> Sun, 30 Apr 2006 19:10:52 -0700
lintian (1.23.19) unstable; urgency=low
Modified: trunk/testset/scripts/debian/rules
===================================================================
--- trunk/testset/scripts/debian/rules 2006-04-30 20:01:33 UTC (rev 649)
+++ trunk/testset/scripts/debian/rules 2006-05-01 02:13:35 UTC (rev 650)
@@ -22,13 +22,16 @@
install -m 755 rubyfoo $(tmp)/usr/bin/
install -m 755 make-foo $(tmp)/usr/bin/
install -m 755 lefty-foo $(tmp)/usr/bin/
- install -m 4755 perlfoo $(tmp)/usr/bin/suidperlfoo2
- install -m 4755 suidperlfoo $(tmp)/usr/bin/
+ install -m 4751 perlfoo $(tmp)/usr/bin/suidperlfoo2
+ install -m 4555 suidperlfoo $(tmp)/usr/bin/
install -m 755 tkfoo $(tmp)/usr/bin/
install -m 644 xsession-test $(tmp)/etc/X11/Xsession.d/
+
+# Permissions here aren't part of what's being tested, but let us exercise
+# some other errors.
install -m 755 perl-bizarre-1 $(tmp)/usr/bin/
- install -m 755 perl-bizarre-2 $(tmp)/usr/bin/
- install -m 755 perl-bizarre-3 $(tmp)/usr/bin/
+ install -m 750 perl-bizarre-2 $(tmp)/usr/bin/
+ install -m 754 perl-bizarre-3 $(tmp)/usr/bin/
# First one should produce a warning; second one shouldn't.
install -m 755 gccbug.dpatch $(tmp)/usr/share/scripts/
Modified: trunk/testset/tags.scripts
===================================================================
--- trunk/testset/tags.scripts 2006-04-30 20:01:33 UTC (rev 649)
+++ trunk/testset/tags.scripts 2006-05-01 02:13:35 UTC (rev 650)
@@ -25,9 +25,13 @@
W: scripts: binary-without-manpage suidperlfoo2
W: scripts: binary-without-manpage test.sh
W: scripts: binary-without-manpage tkfoo
+W: scripts: executable-is-not-world-readable usr/bin/perl-bizarre-2 0750 != 0755
+W: scripts: executable-is-not-world-readable usr/bin/suidperlfoo2 4751
W: scripts: executable-not-elf-or-script ./usr/bin/perl-bizarre-3
W: scripts: file-in-usr-lib-cgi-bin usr/lib/cgi-bin/cgi-script
+W: scripts: non-standard-executable-perm usr/bin/perl-bizarre-3 0754 != 0755
+W: scripts: non-standard-setuid-executable-perm usr/bin/suidperlfoo 4555
W: scripts: package-installs-python-pyc usr/lib/python2.3/site-packages/test.pyc
W: scripts: script-with-language-extension usr/bin/test.sh
-W: scripts: setuid-binary usr/bin/suidperlfoo 4755 root/root
-W: scripts: setuid-binary usr/bin/suidperlfoo2 4755 root/root
+W: scripts: setuid-binary usr/bin/suidperlfoo 4555 root/root
+W: scripts: setuid-binary usr/bin/suidperlfoo2 4751 root/root