Bug 1086489 - rpmlint check for /usr/lib/systemd/system-preset/ files
Status: NEW
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Dirk Mueller
Reported: 2018-03-22 14:23 UTC by Marcus Rückert
Modified: 2018-03-22 23:41 UTC (History)
Description Marcus Rückert 2018-03-22 14:23:13 UTC
While fixing a package I found that it installed files in /usr/lib/systemd/system-preset/ and we had no rpmlint check or post-build check to make the package fail or even warn about it.
Comment 1 Matthias Gerstner 2018-03-22 14:50:20 UTC
Installing a preset file in there bypasses our whitelisting for enabling
systemd services by default. Currently in factory only this package seems to
"exploit" this:

ceph-base-13.0.1.3023+g71b0480e48-1.1.x86_64.rpm /usr/lib/systemd/system-preset/50-ceph.preset

and indeed it enables a bunch of ceph services:

  enable ceph.target
  enable ceph-mds.target
  enable ceph-mgr.target
  enable ceph-mon.target
  enable ceph-osd.target
  enable ceph-radosgw.target

I don't know if these ceph services have ever been reviewed. Probably as part
of SES.
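An added illustration of the kind of check the report asks for; it is not rpmlint's own code nor anything posted in this thread. It parses preset files in systemd.preset(5) syntax, reports every preset file a package installs under /usr/lib/systemd/system-preset/, and flags each `enable` pattern that is not on a whitelist. The package name, file list, whitelist and the `50-ceph.preset` contents are constructed from the six units listed in this comment.

```python
from typing import Dict, List, Set, Tuple

PRESET_DIR = "/usr/lib/systemd/system-preset/"


def parse_preset(text: str) -> List[Tuple[str, List[str]]]:
    """Parse systemd.preset(5) syntax into (action, [pattern, ...]) tuples.
    Blank lines and lines starting with '#' or ';' are ignored; every other
    line must be 'enable' or 'disable' followed by unit names or globs."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] not in ("enable", "disable") or len(parts) < 2:
            raise ValueError(f"malformed preset line: {raw!r}")
        directives.append((parts[0], parts[1:]))
    return directives


def check_presets(pkg: str, files: Dict[str, str], allowed: Set[str]) -> List[str]:
    """Return rpmlint-style warnings for preset files a package installs.
    'files' maps installed path -> content. Each preset file is reported once
    so reviewers see it at all, and each 'enable' pattern missing from the
    whitelist gets its own line (globs are compared literally)."""
    warnings = []
    for path in sorted(files):
        if not path.startswith(PRESET_DIR):
            continue
        warnings.append(f"{pkg}: W: systemd-preset-file {path}")
        for action, patterns in parse_preset(files[path]):
            for pattern in patterns:
                if action == "enable" and pattern not in allowed:
                    warnings.append(
                        f"{pkg}: W: systemd-preset-enables-unit {path} {pattern}")
    return warnings


# Constructed sample: the six units from comment 1, with only one whitelisted.
SAMPLE_FILES = {
    "/usr/lib/systemd/system/ceph.target": "[Unit]\nDescription=ceph\n",
    PRESET_DIR + "50-ceph.preset": "# constructed preset\n" + "".join(
        f"enable {u}.target\n"
        for u in ["ceph", "ceph-mds", "ceph-mgr", "ceph-mon", "ceph-osd", "ceph-radosgw"]),
}
SAMPLE_ALLOWED = {"ceph.target"}  # constructed whitelist
```

Running `check_presets("ceph-base", SAMPLE_FILES, SAMPLE_ALLOWED)` yields one warning for the preset file itself plus one per non-whitelisted unit, which is what would let a packager know a review is needed.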
Comment 2 Dominique Leuenberger 2018-03-22 14:59:36 UTC
And as it so happens, I just spotted a submission with a new file:

https://build.opensuse.org/request/show/589668
Comment 3 Thorsten Kukuk 2018-03-22 15:35:36 UTC
(In reply to Matthias Gerstner from comment #1)
> Installing a preset file in there bypasses our whitelisting for enabling
> systemd services by default. 

Your policy and checks have a design bug: we do not need to enable and disable services per product, but per system role. Different system roles have different needs and need different helper packages for this.
Comment 4 Thorsten Kukuk 2018-03-22 15:54:16 UTC
And there is another mistake you made: system services are not only for starting or stopping daemons listening on some ports like with SysV init scripts; a lot of systemd units are required to make sure your system is set up correctly and will never start a daemon, for example mounting directories or running jobs as formerly done by cron. And this is independent of products and system roles, but depends on the required functionality.
Comment 5 Marcus Rückert 2018-03-22 19:14:38 UTC
My point was more that we normally require default enabled services to be reviewed by the sec team. If now any package can just install preset files like that, and we have no rpmlint check to actually notify packagers that they need a review, the whole point would become moot.

Nobody is talking about splitting up our branding package, but we should at least track allowed preset files.
Comment 6 Thorsten Kukuk 2018-03-22 21:51:05 UTC
(In reply to Marcus Rückert from comment #5)
> My point was more that we normally require default enabled services to be
> reviewed by the sec team. If now any package can just install preset files
> like that, and we have no rpmlint check to actually notify packagers that
> they need a review, the whole point would become moot.

First, the security team is not even staffed enough to check all systemd service files. This is not comparable with our old init scripts.

Second, the preset files are no problem; they are installed and easily trackable.
What you should worry about are all the packages that enable services in %pre/%post sections without a preset file, because, as Matthias' analysis shows, you are not able to find them.
We have quite some packages doing this without a preset file, and they have already created quite some hassle.
Comment 7 Marcus Rückert 2018-03-22 23:41:01 UTC
I just learned about those preset files when I fixed that package and then instantly reported the lack of rpmlint checks to make them more visible.