tests: be less verbose
Signed-off-by: Davide Madrisan <davide.madrisan@gmail.com>
This commit is contained in:
parent
ff13cc3031
commit
701cb887d6
@ -24,6 +24,10 @@ Changes in version 1.8.3
|
||||
templates/standard, templates/standard-daemon - Davide Madrisan:
|
||||
Add the %debug_package macro when required.
|
||||
|
||||
* tests/test01_pkgquality
|
||||
tests/test02_pkgsecurity - Davide Madrisan:
|
||||
Be less verbose.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
Changes in version 1.8.2
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
# test01_pkgquality -- @package@ test (rpm quality checks)
|
||||
# Copyright (C) 2008 Davide Madrisan <davide.madrisan@gmail.com>
|
||||
# Copyright (C) 2008,2012 Davide Madrisan <davide.madrisan@gmail.com>
|
||||
|
||||
[ -z "$BASH" ] || [ ${BASH_VERSION:0:1} -lt 2 ] &&
|
||||
echo $"this script requires bash version 2 or better" >&2 && exit 1
|
||||
@ -19,7 +19,7 @@ TEXTDOMAIN="test01_pkgquality"; export TEXTDOMAIN
|
||||
|
||||
function alltests() {
|
||||
# FIXME: add to 'po' file
|
||||
notify.note "** ${NOTE}"$"performing quality checks""${NORM}""..."
|
||||
notify.note " * ${NOTE}"$"performing quality checks""${NORM}""..."
|
||||
|
||||
TEMP=`LC_ALL=C getopt \
|
||||
-o i:t: --long infofile:,tmpdir: \
|
||||
@ -61,7 +61,7 @@ function alltests() {
|
||||
# (usable for a symlink attacks)
|
||||
# - symlinks not pointing to existing files
|
||||
notify.note \
|
||||
" * ${NOTE}"$"checking for wrong symbolic links""${NORM}..."
|
||||
" * ${NOTE}"$"checking for wrong symbolic links""${NORM}..."
|
||||
|
||||
# local rpmbuildroot=`sed -n "/%description/q;{
|
||||
# /^BuildRoot[ ]*:/{s/[^ ]*[ ]*//;p}}" \
|
||||
@ -80,7 +80,6 @@ function alltests() {
|
||||
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
for f in $(find -mindepth 1 -type l); do
|
||||
notify.debug "$f --> `readlink $f`"
|
||||
@ -89,72 +88,73 @@ function alltests() {
|
||||
# note: the first condition check for wrong links, like
|
||||
# /usr/share/man/man1/zcmp.1.gz -> .gz
|
||||
# made by the broken `brp-compress' script in rpm 4.0.4
|
||||
[[ "$(readlink $f)" = ".gz" || \
|
||||
"$(readlink $f)" =~ $tmppath_dir ]] && notify.warning $"\
|
||||
if [[ "$(readlink $f)" = ".gz" || \
|
||||
"$(readlink $f)" =~ $tmppath_dir ]]; then
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"\
|
||||
wrong symlink"": \`${NOTE}${f/./}${NORM}' --> \`${NOTE}$(readlink $f)${NORM}'"
|
||||
fi
|
||||
done
|
||||
popd >/dev/null
|
||||
let "i += 1"
|
||||
done
|
||||
###
|
||||
|
||||
# check for `%buildroot' strings
|
||||
if [ "$rpm_ignores_buildroot" = 1 ]; then
|
||||
notify.note \
|
||||
" * ${NOTE}"$"checking for \`$SPEC_BUILDROOT' (%buildroot) strings"\
|
||||
[ "$SPEC_BUILDROOT" ] && notify.note \
|
||||
" * ${NOTE}"$"checking for \`$SPEC_BUILDROOT' (%buildroot) strings"\
|
||||
"${NORM}... "$"skipped"
|
||||
else
|
||||
notify.note \
|
||||
" * "$"checking for \`$SPEC_BUILDROOT' (%buildroot) strings"
|
||||
" * "$"checking for \`$SPEC_BUILDROOT' (%buildroot) strings"
|
||||
|
||||
[ "$SPEC_BUILDROOT" ] ||
|
||||
notify.error \
|
||||
[ "$SPEC_BUILDROOT" ] || notify.error \
|
||||
$"(bug)"" -- $FUNCNAME: ""empty string"" (SPEC_BUILDROOT)"
|
||||
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
find $tmpextractdir/$i -type f \
|
||||
-exec grep -ls "$SPEC_BUILDROOT" {} \; | \
|
||||
while read filename; do
|
||||
notify.note " ${NOTE}$(\
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note "\
|
||||
${NOTE}$(\
|
||||
echo $filename | sed "s,$tmpextractdir/$i,," )${NORM}"
|
||||
notify.note "$(\
|
||||
strings -a $filename | grep "^$SPEC_BUILDROOT" | sort -bu | \
|
||||
sed "s,$SPEC_BUILDROOT\(.*\), - [%buildroot]\1,")"
|
||||
sed "s,$SPEC_BUILDROOT\(.*\), - [%buildroot]\1,")"
|
||||
done
|
||||
let "i += 1"
|
||||
done
|
||||
fi
|
||||
###
|
||||
|
||||
# check for `%_builddir' strings
|
||||
BUILDDIR="$(rpm --eval=%_builddir 2>/dev/null)"
|
||||
notify.note \
|
||||
" * ${NOTE}"$"checking for \`$BUILDDIR' (%_builddir) strings""${NORM}... "
|
||||
" * ${NOTE}"$"checking for \`$BUILDDIR' (%_builddir) strings""${NORM}... "
|
||||
|
||||
[ "$BUILDDIR" ] ||
|
||||
notify.error $"(bug)"" -- $FUNCNAME: ""empty string"" (BUILDDIR)"
|
||||
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
find $tmpextractdir/$i -type f \
|
||||
-exec grep -ls "$BUILDDIR" {} \; | \
|
||||
while read filename; do
|
||||
notify.note " ${NOTE}$(\
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note "\
|
||||
${NOTE}$(\
|
||||
echo $filename | sed "s,$tmpextractdir/$i,," )${NORM}"
|
||||
notify.note "$(\
|
||||
strings -a $filename | grep "$BUILDDIR" | sort -bu | \
|
||||
sed "s,$BUILDDIR,[%_builddir],g;s,.*, - &,")"
|
||||
sed "s,$BUILDDIR,[%_builddir],g;s,.*, - &,")"
|
||||
done
|
||||
let "i += 1"
|
||||
done
|
||||
###
|
||||
|
||||
# check for suspected plugins (.la, .so) in devel packages
|
||||
# note: pure plugins must be in the main package, not in devel
|
||||
notify.note " * ${NOTE}"$"\
|
||||
notify.note " * ${NOTE}"$"\
|
||||
checking for suspicious plugins in devel packages""${NORM}..."
|
||||
|
||||
let "i = 0"
|
||||
@ -162,28 +162,25 @@ checking for suspicious plugins in devel packages""${NORM}..."
|
||||
# skip non devel packages
|
||||
[[ "${pck##*/}" =~ -devel- ]] || { let "i += 1"; continue; }
|
||||
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
# find *.so files that are not symlinks to dynamic libraries
|
||||
for f in `\
|
||||
find -mindepth 1 -type f -name \*.so -exec file {} \; | \
|
||||
grep ' shared object,' | sed -n 's/.\(.*\):.*/\1/p'`; do
|
||||
notify.warning $"found suspect plugin \`${NOTE}$f${NORM}'"
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"found suspect plugin \`${NOTE}$f${NORM}'"
|
||||
done
|
||||
popd >/dev/null
|
||||
let "i += 1"
|
||||
done
|
||||
###
|
||||
|
||||
# check for wrong file attributes in lib and bin dirs
|
||||
notify.note " * ${NOTE}"$"\
|
||||
notify.note " * ${NOTE}"$"\
|
||||
checking for wrong file attributes in bin and lib directories""${NORM}..."
|
||||
|
||||
warning=0
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
for f in $( find . -type f \
|
||||
\( -name '*.so*' -not -perm 755 \) -or \
|
||||
@ -193,7 +190,8 @@ checking for wrong file attributes in bin and lib directories""${NORM}..."
|
||||
-path './usr/sbin/*' \) \
|
||||
-not -perm -111 \) 2>/dev/null ); do
|
||||
let "warning = 1" &&
|
||||
notify.warning $"found suspect file"": \
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"found suspect file"": \
|
||||
\`${NOTE}${f/./}${NORM}' [$(ls -l "$f" | sed 's, .*,,')]"
|
||||
done
|
||||
let "i += 1"
|
||||
@ -210,22 +208,21 @@ ${NOTE}"$"Hint"":${NORM}
|
||||
...
|
||||
%attr(0755,root,root) %{_bindir}/<program>
|
||||
-----------------------------"
|
||||
###
|
||||
|
||||
# check for binary files in etc (see FHS-2.2)
|
||||
notify.note " * ${NOTE}"$"\
|
||||
notify.note " * ${NOTE}"$"\
|
||||
checking for binary files installed in /etc (see FHS)""${NORM}..."
|
||||
|
||||
warning=0
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
for f in $( find ./etc -type f -perm +111 2>/dev/null ); do
|
||||
case $f in
|
||||
./etc/rc.d/init.d/*) ;;
|
||||
*) let "warning = 1" &&
|
||||
notify.warning $"found suspect file"": \
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"found suspect file"": \
|
||||
\`${NOTE}${f/./}${NORM}' [$(ls -l "$f" | sed 's, .*,,')]" ;;
|
||||
esac
|
||||
done
|
||||
@ -240,16 +237,15 @@ ${NOTE}"$"Hint"":${NORM}
|
||||
...
|
||||
%attr(0644,root,root) %{_sysconfdir}/<...file>
|
||||
-----------------------------" #|| exit 1
|
||||
###
|
||||
|
||||
# check for installation code needed by info pages
|
||||
notify.note \
|
||||
" * ${NOTE}"$"checking if the info catalog is updated when necessary""${NORM}..."
|
||||
" * ${NOTE}"$"\
|
||||
checking if the info catalog is updated when necessary""${NORM}..."
|
||||
|
||||
error=0
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
[[ -e $pck ]] || notify.error $"package not found"": \`${pck##*/}'"
|
||||
|
||||
[[ "$(rpm -p -ql $pck |
|
||||
@ -265,8 +261,9 @@ ${NOTE}"$"Hint"":${NORM}
|
||||
/preuninstall /,${/\/sbin\/install-info.*--[delete\|remove].*/p}')" ]] || \
|
||||
let "error+=1"
|
||||
|
||||
[[ "$error" = "0" ]] || notify.warning "\
|
||||
"$"info pages should be installed/uninstalled""${NORM}
|
||||
[ "$error" = "0" ] ||
|
||||
{ notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"info pages should be installed/uninstalled""${NORM}
|
||||
---------------------------------------
|
||||
${NOTE}"$"Hint"":${NORM}
|
||||
$([[ "$rpm_macro_installinfo_binary" ]] &&
|
||||
@ -283,19 +280,17 @@ $([[ "$rpm_macro_uninstallinfo" ]] &&
|
||||
echo "$rpm_macro_uninstallinfo %{name}.info" ||
|
||||
echo "${path_installinfo:-/sbin/install-info} --delete %{name}.info")
|
||||
exit 0
|
||||
---------------------------------------"
|
||||
---------------------------------------"; }
|
||||
done
|
||||
###
|
||||
|
||||
# check packages for wrong user and/or group ownerships
|
||||
notify.note " * ${NOTE}"$"\
|
||||
notify.note " * ${NOTE}"$"\
|
||||
checking packages for wrong user and/or group ownerships""${NORM}..."
|
||||
|
||||
error=0
|
||||
idun="$(id -un)" idgn="$(id -gn)"
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
[[ -e $pck ]] || notify.error $"\
|
||||
package not found"": \`${pck##*/}'"
|
||||
( LC_ALL=C rpm -p -qlv $pck | \
|
||||
@ -303,28 +298,29 @@ package not found"": \`${pck##*/}'"
|
||||
set -- $line
|
||||
# FIXME : find a better check, perhaps using a range
|
||||
# of uid reserved for users
|
||||
[[ "$idun" = "$3" || "$idgn" = "$4" ]] &&
|
||||
notify.warning $"found suspect file"": \
|
||||
if [[ "$idun" = "$3" || "$idgn" = "$4" ]]; then
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"found suspect file"": \
|
||||
\`${NOTE}$9${NORM}' [uid:\`${NOTE}$3${NORM}', gid:\`${NOTE}$4${NORM}']"
|
||||
fi
|
||||
done )
|
||||
done
|
||||
###
|
||||
|
||||
# check for desktop files installed in non standard applnk dir
|
||||
notify.note " * ${NOTE}"$"\
|
||||
notify.note " * ${NOTE}"$"\
|
||||
checking packages for desktop files installed in the applnk dir""${NORM}..."
|
||||
|
||||
warning=0
|
||||
rpmdatadir=$(rpm --eval %_datadir 2>/dev/null)
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
for f in $( find .${rpmdatadir} -type f 2>/dev/null ); do
|
||||
case $f in
|
||||
.${rpmdatadir}/applnk/*.desktop)
|
||||
let "warning = 1" &&
|
||||
notify.warning $"found suspect file"": \
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"found suspect file"": \
|
||||
\`${NOTE}${f/./}${NORM}' [$(ls -l "$f" | sed 's, .*,,')]" ;;
|
||||
*) ;;
|
||||
esac
|
||||
@ -337,16 +333,14 @@ ${NOTE}"$"Hint"":${NORM}
|
||||
"$"create desktop files for:"" ${rpmdatadir}/applications
|
||||
"$"see:"" <http://www.freedesktop.org/>
|
||||
-----------------------------"
|
||||
###
|
||||
|
||||
# check if a package that do not contains binaries is tagged noarch
|
||||
notify.note \
|
||||
" * ${NOTE}"$"checking for packages with bad BuildArch tag""${NORM}..."
|
||||
" * ${NOTE}"$"checking for packages with bad BuildArch tag""${NORM}..."
|
||||
|
||||
warning=0
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
for f in $(find -mindepth 2 -perm +111 -type f \
|
||||
-exec file {} \; | grep -E "( ELF | library )"); do
|
||||
@ -357,11 +351,12 @@ ${NOTE}"$"Hint"":${NORM}
|
||||
popd >/dev/null
|
||||
done
|
||||
if [ "$warning" = 0 ]; then
|
||||
[ "$SPEC_BUILDARCH" = "noarch" ] || notify.warning "\
|
||||
"$"this package should be tagged \`noarch'""
|
||||
[ "$SPEC_BUILDARCH" = "noarch" ] ||
|
||||
{ notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"this package should be tagged \`noarch'""
|
||||
-----------------------------
|
||||
${NOTE}"$"Hint"":${NORM}
|
||||
BuildArch: noarch
|
||||
-----------------------------"
|
||||
-----------------------------"; }
|
||||
fi
|
||||
}
|
||||
|
@ -19,7 +19,7 @@ TEXTDOMAIN="test02_pkgsecurity"; export TEXTDOMAIN
|
||||
|
||||
function alltests() {
|
||||
# FIXME: add to 'po' file
|
||||
notify.note "** ${NOTE}"$"performing security checks""${NORM}""..."
|
||||
notify.note " * ${NOTE}"$"performing security checks""${NORM}""..."
|
||||
|
||||
TEMP=`LC_ALL=C getopt \
|
||||
-o i:t: --long infofile:,tmpdir: \
|
||||
@ -69,11 +69,10 @@ function alltests() {
|
||||
}
|
||||
|
||||
notify.note \
|
||||
" * ${NOTE}"$"checking for RPATH vulnerabilities""${NORM}..."
|
||||
" * ${NOTE}"$"checking for RPATH vulnerabilities""${NORM}..."
|
||||
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
|
||||
# find ELF binaries (ELF 32-bit LSB executable)
|
||||
@ -81,40 +80,41 @@ function alltests() {
|
||||
for f in $(find -mindepth 2 -perm +111 -type f); do
|
||||
if [[ "$(file $f | grep " ELF ")" ]]; then
|
||||
rpath="$(security.filecheckrpath $f)"
|
||||
[[ "$rpath" ]] && notify.warning "${f/./}\nRPATH: $rpath"
|
||||
if [ "$rpath" ]; then
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note "${f/./}\nRPATH: $rpath"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
popd >/dev/null
|
||||
let "i += 1"
|
||||
done
|
||||
###
|
||||
|
||||
notify.note \
|
||||
" * ${NOTE}"$"checking for setuid binaries""${NORM}..."
|
||||
" * ${NOTE}"$"checking for setuid binaries""${NORM}..."
|
||||
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
# find setuid binaries
|
||||
# NOTE: find output is different for normal and root users
|
||||
for f in $(find -mindepth 2 -perm +111 -type f); do
|
||||
[[ "$(file $f | grep " setuid ")" ]] &&
|
||||
notify.warning "${NOTE}${f/./}${NORM}"
|
||||
if [[ "$(file $f | grep " setuid ")" ]]; then
|
||||
notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note "${NOTE}${f/./}${NORM}"
|
||||
fi
|
||||
done
|
||||
popd >/dev/null
|
||||
let "i += 1"
|
||||
done
|
||||
###
|
||||
|
||||
# checking for unsecure use of $$ as random source in shell scripts
|
||||
notify.note " * ${NOTE}"$"\
|
||||
notify.note " * ${NOTE}"$"\
|
||||
checking for unsecure use of \`\$\$' in shell and perl scripts""${NORM}..."
|
||||
|
||||
vulnerable=0
|
||||
let "i = 0"
|
||||
for pck in ${rpmpkg_name[@]}; do
|
||||
notify.note " - "$"checking"": \`${pck##*/}'"
|
||||
pushd $tmpextractdir/$i >/dev/null
|
||||
for f in $(find -mindepth 1 -perm +111 -type f); do
|
||||
# we are interesting only in shell scripts
|
||||
@ -127,8 +127,9 @@ checking for unsecure use of \`\$\$' in shell and perl scripts""${NORM}..."
|
||||
-n "$(grep $f -m1 -s -rl -e"[^[:space:]]*=.*\$\$")" ||
|
||||
-n "$(grep $f -m1 -s -rl -e">[[:space:]]*.*[[:space:]]*[^[:space:]]*\$\$")" ]] &&
|
||||
let "vulnerable = 1" &&
|
||||
notify.warning $"\
|
||||
seems to be affected"": \`${NOTE}${f/./}${NORM}'"
|
||||
{ notify.warning "${NOTE}${pck##*/}${NORM}"
|
||||
notify.note $"\
|
||||
seems to be affected"": \`${NOTE}${f/./}${NORM}'"; }
|
||||
done
|
||||
popd >/dev/null
|
||||
let "i += 1"
|
||||
|
Loading…
Reference in New Issue
Block a user