--- /dev/null
+#!/usr/bin/env python3
+# rpmconf-matt [--sync-only]
+
+# Known blockers to submission to Fedora: Basically removing assumptions specific to my setup.
+# - Decide how to name it vs. existing "rpmconf" in Fedora
+# - Make it configurable what part of the filesystem to scan. Is there a
+# default that's sufficiently safe for people to use on systems with untrusted
+# users?
+# - Should save its own files in another tree rather than blacklisting
+# directories known to cause problems if it adds its files there.
+# - Make diff program configurable / smarter default
+
+# TODO: Move the "sync" part into a dnf plugin that runs after every transaction
+# to make it more robust. Perhaps there can be an option to run the merge
+# interactively. With tighter integration, we might be able to skip scanning the
+# whole filesystem, but that would add one more kind of state that can get wrong.
+
+# Python 3 conversion, 2017-11-12
+# One could argue we should treat filenames and RPM names as bytes, but it's too
+# much of a pain to fix all the resulting fallout now, and we don't expect
+# adversarial names anyway. ~ Matt 2017-11-12
+#
+# Fedora 30 -> 32 upgrade: remove some .decode() calls (guess rpm-python changed
+# some things from bytes to str) ~ Matt 2020-06-01
+
+import collections
+import hashlib
+import os
+import pwd, grp
+import re
+import shutil
+import stat
+import subprocess
+import sys
+import tempfile
+import time
+
+import rpm
+
+def getFileDigest(path, algoHint):
+ # TODO: Get the digest algorithm from RPM??
+ # File a bug to have rpmfiDigestAlgo exposed to Python?
+ if len(algoHint) == 32: # adobe packages
+ algo = hashlib.md5
+ elif len(algoHint) == 64:
+ algo = hashlib.sha256
+ else:
+ raise ValueError('Failed to guess digest algorithm')
+ with open(path, 'rb') as f:
+ return algo(f.read()).hexdigest()
+
+def setAttributes(fe, path):
+ # C.f. https://github.com/rpm-software-management/rpm/blob/rpm-4.13.0-rc1/lib/fsm.c#L713
+ # If user or group is not found, we'll get a KeyError.
+ os.chown(path, pwd.getpwnam(fe.user).pw_uid, grp.getgrnam(fe.group).gr_gid)
+ os.chmod(path, fe.mode & 0o7777)
+ os.utime(path, (fe.mtime, fe.mtime))
+
+def makeConfFindCommand(expr):
+ # Make a find command intended to catch any files ever managed by RPM,
+ # without getting confused by trees such as /proc
+ # or even malicious user-created files. Unfortunately, we can't just ask RPM
+ # which files it previously managed. The following heuristic should work for
+ # ml*: root filesystem (and avoid an error on /mnt/root, which -xdev doesn't
+ # catch), and exclude world-writable dirs such as /var/tmp.
+ # TODO: Make the search criteria more general.
+ return r"find / -xdev \( -path /mnt -or -path /var/www/html -or -perm /002 \) -prune -or " + expr
+
+def doMerge(a, b, c, output):
+ # TODO: Make diff program customizable.
+ # FIXME: Stop leaving ".orig" files around. At least name them distinctively.
+ # kdiff3 wrapper to work around issue with Qt apps running as root under Qubes ~ 2015-08-20
+ args = ['rpmconf-matt-merge', output, a if os.path.lexists(a) else '', b, c]
+ subprocess.check_call(args)
+
+class NeededPackage(object):
+ def __init__(self, header):
+ self.nvra = header.nvra
+ self.paths = dict() # live path -> (digest, path to download to)
+
+def rpmconf(syncOnly=False):
+ if os.geteuid() != 0:
+ print('This tool needs to run as root.', file=sys.stderr)
+ sys.exit(1)
+
+ # First, rename any rpmsave files and corresponding rpmbase files before we
+ # would overwrite the rpmbase files. We'll do this to any file type, even
+ # though there will only ever be base files for regular files.
+ print('Scanning for rpmsave files that need to be stamped.')
+ saveStamp = str(int(time.time()))
+ for savePath in subprocess.check_output(makeConfFindCommand("-name '*.rpmsave' -print"), shell=True).decode().splitlines():
+ livePath = savePath[:-len('.rpmsave')]
+ liveBasePath = livePath + '.rpmbase'
+ stampedSavePath = livePath + '.rpmsave-' + saveStamp
+ stampedSaveBasePath = stampedSavePath + '-base'
+ print('-- Timestamping rpmsave file for %s.' % livePath)
+ # XXX: Make sure we are not clobbering existing files?
+ os.rename(savePath, stampedSavePath)
+ if os.path.lexists(liveBasePath):
+ os.rename(liveBasePath, stampedSaveBasePath)
+
+ filesToMerge = collections.defaultdict(lambda: [[], False]) # live path -> (list of rpmsave stamps, bool if rpmnew)
+
+ print('Scanning for config files that need base files created.')
+ filesDone = {} # live path -> (nevra, digest)
+ needPackages = {} # nevra -> NeededPackage; no more defaultdict because NeededPackage needs header
+ ts = rpm.ts()
+ mi = ts.dbMatch()
+ for header in mi:
+ nevra = header.nevra
+ for fe in rpm.files(header):
+ # Only installed config files.
+ if fe.state != rpm.RPMFILE_STATE_NORMAL: continue
+ if not (fe.fflags & rpm.RPMFILE_CONFIG): continue
+ # For a ghost, we have no base content to write. Probably best to let this be a two-way merge if the file becomes non-ghost later.
+ if fe.fflags & rpm.RPMFILE_GHOST: continue
+ # For now, we only handle regular files. Conflicts on config symlinks seem to be rare.
+ if not stat.S_ISREG(fe.mode): continue
+ if fe.caps != '': raise NotImplementedError('File capabilities are not implemented: %s' % fe.name)
+
+ # Extension point directories whose readers can't handle additional *.rpm* files.
+ # /etc/skel/ is not actually causing a problem but leads to ugly persistent state.
+ # TODO: Find a better workaround.
+ if re.search('^(/etc/skel/|/etc/rpm/macros|/etc/logrotate.d/|/etc/grub.d/)', fe.name):
+ continue
+
+ # We need this check to avoid thrashing a conflicted base file.
+ if fe.name in filesDone:
+ (oldNevra, oldDigest) = filesDone[fe.name]
+ if fe.digest != oldDigest:
+ print('Conflict at %s: have %s from %s, ignoring %s from %s' %
+ (fe.name, oldDigest, oldNevra, fe.digest, nevra),
+ file=sys.stderr)
+ continue
+ filesDone[fe.name] = (nevra, fe.digest)
+
+ path_new = fe.name + '.rpmnew'
+ download_path = None
+ if os.path.lexists(path_new):
+ filesToMerge[fe.name][1] = True
+ # The live config file is not based on the current DB entry.
+ # Hopefully we already have a base for the live config file; if not, there's nothing we can do about it now.
+ # We do want to make sure the rpmnew file is correct.
+ if getFileDigest(path_new, fe.digest) != fe.digest:
+ download_path = path_new
+ else:
+ path_base = fe.name + '.rpmbase'
+ if not (os.path.lexists(path_base) and getFileDigest(path_base, fe.digest) == fe.digest):
+ if (os.path.lexists(fe.name) and getFileDigest(fe.name, fe.digest) == fe.digest):
+ # The live file has the original content.
+ # Copy the content and set the original attributes manually.
+ path_tmp = fe.name + '.rpmbase-tmp'
+ shutil.copyfile(fe.name, path_tmp)
+ setAttributes(fe, path_tmp)
+ os.rename(path_tmp, path_base)
+ print('- %s: Copied %s from %s.' % (nevra, path_base, fe.name))
+ else:
+ download_path = path_base
+ if download_path:
+ if nevra not in needPackages:
+ needPackages[nevra] = NeededPackage(header)
+ needPackages[nevra].paths[fe.name] = (fe.digest, download_path)
+ print('- %s: Need to download %s.' % (nevra, download_path))
+
+ if needPackages:
+ print('Downloading %d packages.' % len(needPackages))
+ packages_tmpdir = tempfile.mkdtemp(prefix='rpmconf-packages')
+ # Make sure the cpio archive is covered by a valid signature
+ # before we use it. Since dnf-download-signed currently doesn't
+ # check that the package is the one we asked for, this only
+ # ensures that the cpio archive is safe to extract. Then we
+ # check the digest on each needed file before using it. We're
+ # still correct if an attacker substitutes a different signed
+ # package in which the files we need have the same content.
+ # ~ Matt 2019-05-18
+ #
+ # Ideally, we'd only require a signature if the package came
+ # from a repository with gpgcheck=1. Right now, I use no
+ # unsigned packages. If I build my own packages again, I can
+ # either sign them or just fix them manually if they reach this
+ # code.
+ # ~ Matt 2017-11-11
+ subprocess.check_call(['dnf-download-signed'] + list(needPackages), cwd=packages_tmpdir)
+ for nevra, neededPkg in needPackages.items():
+ packagePath = '%s/%s.rpm' % (packages_tmpdir, neededPkg.nvra)
+ extract_tmpdir = tempfile.mkdtemp(prefix='rpmconf-extract-%s' % nevra)
+ cpioNeedPaths = ['.' + p for p in neededPkg.paths] # go figure
+ subprocess.check_call(['/bin/bash', '-c', 'p="$1"; shift; rpm2cpio "$p" | cpio --extract --quiet --preserve-modification-time --make-directories "$@"', '--', packagePath] + cpioNeedPaths, cwd=extract_tmpdir)
+ print('- Extracted %s.' % nevra)
+ for livePath, (needDigest, downloadPath) in neededPkg.paths.items():
+ tmpPath = extract_tmpdir + livePath
+ tmpDigest = getFileDigest(tmpPath, needDigest)
+ if tmpDigest != needDigest:
+ print('%s: got digest %s, wanted %s' % (livePath, tmpDigest, needDigest), file=sys.stderr)
+ continue
+ # This is easiest in case it is cross-filesystem, etc. mv should preserve all attributes.
+ subprocess.check_call(['mv', '-f', tmpPath, downloadPath])
+ print('-- Installed %s.' % downloadPath)
+ shutil.rmtree(extract_tmpdir)
+ shutil.rmtree(packages_tmpdir)
+
+ print('Scanning for obsolete rpmnew files.')
+ for newPath in subprocess.check_output(makeConfFindCommand("-type f -name '*.rpmnew' -print"), shell=True).decode().splitlines():
+ livePath = newPath[:-len('.rpmnew')]
+ if livePath not in filesToMerge: # only rpmnew files will be recorded in filesToMerge yet
+ print('-- Deleting %s. UNTESTED' % newPath)
+ #os.unlink(newPath)
+
+ # Remove rpmbase files for config files that are no longer managed, to not leave cruft.
+ # This intentionally does not remove rpmsave-base files. ~ 2014-07-03
+ # Note: If the config file had been modified, RPM would move it to
+ # rpmsave on package removal (whether or not it was noreplace), so we'd
+ # stamp the base file before we get here. ~ 2017-11-12
+ print('Scanning for obsolete rpmbase files.')
+ for basePath in subprocess.check_output(makeConfFindCommand("-type f -name '*.rpmbase' -print"), shell=True).decode().splitlines():
+ livePath = basePath[:-len('.rpmbase')]
+ if livePath not in filesDone:
+ print('-- Deleting %s.' % basePath)
+ os.unlink(basePath)
+
+ # "sync vs. merge" terminology is inspired by Perforce. We'll want a
+ # better term for "sync" before releasing this to the public.
+ if syncOnly:
+ print('rpmconf sync complete.')
+ return
+ else:
+ print('rpmconf sync complete. You can interrupt if you don\'t wish to merge now.')
+
+ print('Scanning for rpmsave files.')
+ for savePath in subprocess.check_output(makeConfFindCommand("-type f -name '*.rpmsave-*' -print"), shell=True).decode().splitlines():
+ m = re.search('^(.*)\.rpmsave-(\d+)$', savePath)
+ if not m: continue
+ (livePath, stamp) = (m.group(1), int(m.group(2)))
+ filesToMerge[livePath][0].append(stamp)
+
+ # Nested function for the ability to return from a nested loop...
+ def mergeFile(livePath):
+ print('- Merging %s.' % livePath)
+ (saveStamps, haveRpmnew) = filesToMerge[livePath]
+ saveStamps.sort() # mutates the original, that's OK
+ # TODO: If a package was uninstalled, we could have an rpmsave and rpmsave-base with no live.
+ # We want to alert the user that the configuration change is no longer having an effect. How?
+ # Currently kdiff3 comes up with a bunch of error dialogs and I have to manually intervene.
+ for i in range(len(saveStamps)):
+ c_output = '%s.rpmsave-%d' % (livePath, saveStamps[i+1]) if i+1 < len(saveStamps) else livePath
+ b = '%s.rpmsave-%d' % (livePath, saveStamps[i])
+ a = b + '-base'
+ try:
+ doMerge(a, b, c_output, c_output)
+ except subprocess.CalledProcessError:
+ print('- Leaving %s merge unfinished.' % livePath)
+ return 1
+ os.unlink(b)
+ if os.path.lexists(a): os.unlink(a)
+ if haveRpmnew:
+ try:
+ doMerge(livePath + '.rpmbase', livePath, livePath + '.rpmnew', livePath)
+ except subprocess.CalledProcessError:
+ print('- Leaving %s merge unfinished.' % livePath)
+ return 1
+ os.rename(livePath + '.rpmnew', livePath + '.rpmbase')
+ print('- Merged %s.' % livePath)
+ return 0
+
+ unfinishedFiles = 0
+ for livePath in filesToMerge:
+ unfinishedFiles += mergeFile(livePath)
+
+ if unfinishedFiles == 0:
+ print('rpmconf merge complete!')
+ else:
+ print('No more files to consider. %d files left unfinished.' % unfinishedFiles)
+
+if __name__ == '__main__':
+ # TODO: Adopt a real option-parsing library.
+ args = sys.argv[1:]
+ if args == []:
+ rpmconf()
+ elif args == ['--sync-only']:
+ rpmconf(syncOnly=True)
+ else:
+ print('Unrecognized arguments.', file=sys.stderr)
+ sys.exit(1)