Bug 891768

Summary: Review Request: openshift-origin-util - Utility scripts for the OpenShift Origin
Product: [Fedora] Fedora Reporter: Troy Dawson <tdawson>
Component: Package ReviewAssignee: Michael Scherer <misc>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: misc, notting
Target Milestone: ---Flags: misc: fedora‑review+
limburgher: fedora‑cvs+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-19 22:02:37 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Troy Dawson 2013-01-03 17:56:42 EST
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-util.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-util-1.0.3-2.fc18.src.rpm
Description: This package contains a set of utility scripts for the OpenShift broker and node. 
Fedora Account System Username: tdawson maxamillion
Comment 1 Troy Dawson 2013-01-04 11:37:55 EST
Notes:
- License
Upstream has been notified of an absence of a License file.  Since the only script with any code in it has it's license in comments at the top, I figured that would do for now.
- Source1
Upstream had a glitch in their tagging, so the two main scripts are in their git repo, but not tagged into the 1.0.3 release.  This should be fixed in their next release.
Comment 2 Michael Scherer 2013-01-04 15:54:09 EST
I have some concerns :

* There is 3 scripts, and 1 is just a exec "$@" without anything, and the 2nd one is just ruby "$@".

I guess that's a system to integrate scl into origin without using some configuration ? 

Wouldn't it be better to directly link those to bash and ruby instead of starting a process and a fork ?
At least, a comment in the script would help. ( but that's not blocking ).


* Also, there is some missing deps for the 3rd script ( oo-diagnotics ).
I see it use :
- bind-utils ( command host )
- rubygems ( command gem, but maybe that's now part of ruby, not sure about this )

Technically, i think there is also missing requires for 
ruby module for json ( ie rubygems-json ) and rest_client ( rubygems-rest-client ). However, as the script first check if this is a broker, then I guess no error can happen in practice, so I think this can be safely skipped.

That's blocking.


* the changelog is empty for :

  * Wed Nov 21 2012 Dan McPherson <dmcphers@redhat.com> 1.0.3-1
  -

while I guess that not a issue, it would be nice to just fill it :)


* test_broker_httpd_error_log and test_node_mco_log are insecure, as they use file in /tmp/. While this is not a easy predictable name ( as upstream used $$ ), that's still predictable during a very short period of time ( ie, between the moment the script is run and after the script start to use sed and grep redirected to the file ). 

And there is no check to see if the file already exist or anything like that. 

So it could be quite easily created in advance with a simple for loop, or if the script was run in some automatic fashion ( like nagios ), someone could create a file /tmp/oodiag-mco-1234  by getting the process id at the right moment. Usually, attackers tend to brute force by running the script often enough to catch it at the right moment, I do not see how this would be done in practice in this case.

Then, once you have the file name, you can do multiple fun things ( for some value of fun ) :
- 1) create a link to another file ( the script run as root, so it can overwrite almost anything, I am sure the system would not work as well with sorted error log in pam config file )
- 2) create a file with cooked error message to trigger a error for the script without them being real ( and using chattr +i on the file so the file redirection would silently fail ). I guess in a very specific totally invented scenario, this could be used to inject error message ( and that could be bad if that's show in a web page or anything ).

Definitely nothing serious or dangerous that would happen on a properly managed system ( due to kernel protection, etc ) but IMHO, something that could and should be corrected one day. I didn't fill a more formal bug as the package is not yet in Fedora, so no need for a CVE.
Comment 3 Troy Dawson 2013-01-09 15:04:11 EST
Spec URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-util.spec
SRPM URL: http://tdawson.fedorapeople.org/openshift-origin/openshift-origin-util-1.0.3-3.fc18.src.rpm

- Requires added: ruby, rubygems, bind-utils
- Changelog fixed
- Added comment to oo-exec-ruby explaining what it's for.  The same comment is in line to make it into the upstream oo-ruby.  so it will be there in the next release.
- Changed oo-diagnostics to use the ruby Tempfile for it's tempfiles.
Comment 4 Michael Scherer 2013-01-10 08:57:51 EST
Package Review
==============

Key:
[x] = Pass
[!] = Fail
[-] = Not applicable
[?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- License field in the package spec file matches the actual license.
  Note: Checking patched sources after %prep for licenses. No licenses found.
I guess you can convince upstream to ship a license for next release ?

- Packages should try to preserve timestamps of original installed files.
just add -p at the right place

- SourceX tarball generation or download is documented.
I assume this is just temporary, and will be correct for the next release

So, since everything is temporary and should be easy to fix, package is approved.

===== MUST items =====

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package requires other packages for directories it uses.
[x]: Package uses nothing in %doc for runtime.
[x]: Package is not known to require ExcludeArch.
[x]: Package complies to the Packaging Guidelines
[!]: If (and only if) the source package includes the text of the license(s)
     in its own file, then that file, containing the text of the license(s)
     for the package is included in %doc.
[x]: Package consistently uses macro is (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: All build dependencies are listed in BuildRequires, except for any that
     are listed in the exceptions section of Packaging Guidelines.
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Each %files section contains %defattr if rpm < 4.4
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Fully versioned dependency in subpackages, if present.
[x]: Spec file lacks Packager, Vendor, PreReq tags.
[x]: Package is named using only allowed ASCII characters.
[x]: Package do not use a name that already exist
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided
     in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage.
     Note: Documentation size is 0 bytes in 0 files.
[x]: Packages must not store files under /srv, /opt or /usr/local
[x]: Package successfully compiles and builds into binary rpms on at least one
     supported primary architecture.
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).

===== SHOULD items =====

Generic:
[!]: If the source package does not include license text(s) as a separate file
     from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[!]: SourceX tarball generation or download is documented.
     Note: Package contains tarball without URL, check comments
[x]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[x]: %check is present and all tests pass.
[!]: Packages should try to preserve timestamps of original installed files.
[x]: Reviewer should test that the package builds in mock.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: Dist tag is present.
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define.

===== EXTRA items =====

Generic:
[x]: Large data in /usr/share should live in a noarch subpackage if package is
     arched.
[x]: Rpmlint is run on all installed packages.
     Note: There are rpmlint messages (see attachment).
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: openshift-origin-util-1.0.3-3.fc18.noarch.rpm
openshift-origin-util.noarch: W: no-documentation
openshift-origin-util.noarch: W: no-manual-page-for-binary oo-exec-ruby
openshift-origin-util.noarch: W: no-manual-page-for-binary oo-ruby
openshift-origin-util.noarch: W: no-manual-page-for-binary oo-diagnostics
1 packages and 0 specfiles checked; 0 errors, 4 warnings.




Rpmlint (installed packages)
----------------------------
# rpmlint openshift-origin-util
openshift-origin-util.noarch: W: no-documentation
openshift-origin-util.noarch: W: no-manual-page-for-binary oo-exec-ruby
openshift-origin-util.noarch: W: no-manual-page-for-binary oo-ruby
openshift-origin-util.noarch: W: no-manual-page-for-binary oo-diagnostics
1 packages and 0 specfiles checked; 0 errors, 4 warnings.
# echo 'rpmlint-done:'



Requires
--------
openshift-origin-util (rpmlib, GLIBC filtered):
    /bin/bash
    /usr/bin/env
    bind-utils
    ruby
    rubygems



Provides
--------
openshift-origin-util:
    openshift-origin-util



MD5-sum check
-------------
http://mirror.openshift.com/pub/openshift-origin/source/openshift-origin-util/openshift-origin-util-1.0.3.tar.gz :
  CHECKSUM(SHA256) this package     : 93d149da3ba1e2bb58af2675ad7991ecfe9711a0229d4d2bfad1fae2a632a6e3
  CHECKSUM(SHA256) upstream package : 93d149da3ba1e2bb58af2675ad7991ecfe9711a0229d4d2bfad1fae2a632a6e3


Generated by fedora-review 0.2.0 (Unknown) last change: Unknown
Buildroot used: fedora-18-x86_64
Command line :./try-fedora-review -b 891768
Comment 5 Troy Dawson 2013-01-10 09:29:42 EST
New Package SCM Request
=======================
Package Name: openshift-origin-util
Short Description: Utility scripts for the OpenShift Origin
Owners: tdawson maxamillion
Branches: f18 f17
InitialCC:
Comment 6 Jon Ciesla 2013-01-10 09:37:24 EST
Git done (by process-git-requests).
Comment 7 Fedora Update System 2013-01-10 10:26:38 EST
openshift-origin-util-1.0.3-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openshift-origin-util-1.0.3-3.fc18
Comment 8 Fedora Update System 2013-01-10 16:30:59 EST
openshift-origin-util-1.0.3-3.fc18 has been pushed to the Fedora 18 testing repository.
Comment 9 Fedora Update System 2013-01-19 22:02:39 EST
openshift-origin-util-1.0.3-3.fc18 has been pushed to the Fedora 18 stable repository.