Hello community, here is the log from the commit of package webyast-base.2401 for openSUSE:12.3:Update checked in at 2013-12-25 17:19:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/webyast-base.2401 (Old) and /work/SRC/openSUSE:12.3:Update/.webyast-base.2401.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "webyast-base.2401" Changes: -------- New Changes file: --- /dev/null 2013-11-25 01:44:08.036031256 +0100 +++ /work/SRC/openSUSE:12.3:Update/.webyast-base.2401.new/webyast-base.changes 2013-12-25 17:19:40.000000000 +0100 @@ -0,0 +1,1160 @@ +------------------------------------------------------------------- +Wed Nov 27 12:54:05 UTC 2013 - [email protected] + +- fixed CVE-2013-3709: make the secret token file (secret_token.rb) + readable only for the webyast user to avoid forging the session + cookie (bnc#851116) +- 0.3.43.1 + +------------------------------------------------------------------- +Sun Feb 10 17:21:11 UTC 2013 - [email protected] + +- use generic syslog dependency instead of syslog-ng (bnc#802748) +- 0.3.43 + +------------------------------------------------------------------- +Tue Jan 29 17:25:34 UTC 2013 - [email protected] + +- updated passenger dependencies for 12.2 + +------------------------------------------------------------------- +Fri Jan 25 10:42:45 CET 2013 - [email protected] + +- add polkit-default-privs to buildrequires for 12.3 and newer + +------------------------------------------------------------------- +Mon Jan 21 17:14:30 UTC 2013 - [email protected] + +- move the base system status file after update from Webyast 1.2 to + the new location to avoid running it again +- 0.3.42 + +------------------------------------------------------------------- +Mon Jan 21 12:15:35 UTC 2013 - [email protected] + +- branding-default - make sure /var/lib/webyast is present before + touching restart file there (needed in update from 1.2) +- 0.3.41 + +------------------------------------------------------------------- +Thu Jan 17 12:33:37 UTC 2013 - [email protected] + +- fixed conflict dependency for webyast-software-* packages +- 0.3.40 + +------------------------------------------------------------------- +Thu Jan 17 10:46:37 UTC 2013 - [email protected] + +- conflict with all old Webyast 1.2 plugins (to force upgrade) +- 0.3.39 + +------------------------------------------------------------------- +Wed Jan 16 19:30:24 UTC 2013 - [email protected] + +- webyast user needs write permissions to db/ +- 0.3.38 + +------------------------------------------------------------------- +Wed Jan 16 13:11:04 UTC 2013 - [email protected] + +- move Webyast SSL certificates to the new location when updating + from Webyast 1.2 +- removed sqlite3 dependency (included in rubygem-sqlite3) +- added needed sqlite3 gem version to Gemfile +- 0.3.37 + +------------------------------------------------------------------- +Tue Jan 15 14:36:30 UTC 2013 - [email protected] + +- updated dependencies to force package update +- fixed file permissions differences reported by "rpm -V" +- 0.3.36 + +------------------------------------------------------------------- +Thu Jan 10 13:27:28 UTC 2013 - [email protected] + +- security fixes: disable mass loading in Account, activate + forgery protection in ApplicationController +- 0.3.35 + +------------------------------------------------------------------- +Tue Jan 8 11:58:39 UTC 2013 - [email protected] + +- make sure /srv/www/webyast/public/assets/manifest.yml is readable + for webyast user (bnc#797206) +- 0.3.34 + +------------------------------------------------------------------- +Wed Jan 2 14:34:56 UTC 2013 - [email protected] + +- rcwebyast - update assets at Webyast start (needed when + installing/updating via plain rpm) +- 0.3.33 + +------------------------------------------------------------------- +Tue Dec 18 09:54:56 UTC 2012 - [email protected] + +- permission fix: make db/production.sqlite3 readable only for + webyast user (to prevent from accessing the authentication tokens + stored there) +- 0.3.32 + +------------------------------------------------------------------- +Wed Dec 12 15:21:32 UTC 2012 - [email protected] + +- 0.3.31 + +------------------------------------------------------------------- +Wed Dec 5 12:59:11 UTC 2012 - [email protected] + +- fixed initializing session secret (for signing cookies) at the + first start (bnc#792632) + +------------------------------------------------------------------- +Wed Nov 28 17:46:21 UTC 2012 - [email protected] + +- control panel - logout after 2 hours timeout (bnc#789742) +- 0.3.30 + +------------------------------------------------------------------- +Thu Nov 15 14:53:42 UTC 2012 - [email protected] + +- fixed permission check in the permission service (bnc#787654) +- 0.3.29 + +------------------------------------------------------------------- +Fri Nov 2 16:58:52 UTC 2012 - [email protected] + +- support also controlpanel/index XML and JSON requests + (bnc#787283) + +------------------------------------------------------------------- +Thu Nov 1 06:35:07 UTC 2012 - [email protected] + +- 0.3.28 + +------------------------------------------------------------------- +Mon Oct 29 13:47:08 UTC 2012 - [email protected] + +- added datepicker translations (bnc#603641) + +------------------------------------------------------------------- +Mon Oct 29 09:13:12 UTC 2012 - [email protected] + +- added support for "main_hidden" option in shortcuts.yml files + to allow hiding control panel items by default (bnc#604628) + +------------------------------------------------------------------- +Fri Oct 26 13:45:30 UTC 2012 - [email protected] + +- page header - fixed layout problem when there is small space + (bnc#783892) + +------------------------------------------------------------------- +Wed Oct 24 10:56:00 UTC 2012 - [email protected] + +- display log file path when an error occurs (bnc#784017) + +------------------------------------------------------------------- +Wed Oct 17 12:39:16 UTC 2012 - [email protected] + +- display [Back] link in the network module (fixed base_setup_links + helper) (bnc#783556) +- use syslog for logging security critical actions (user login and + logout) (bnc#782808) + +------------------------------------------------------------------- +Wed Oct 17 08:55:41 UTC 2012 - [email protected] + +- do not log registration code to the webyast log (bnc#784486) + +------------------------------------------------------------------- +Fri Oct 12 15:36:01 UTC 2012 - [email protected] + +- 0.3.27 + +------------------------------------------------------------------- +Wed Oct 10 08:54:38 UTC 2012 - [email protected] + +- write all webyast logs to /var/log/webyast directory instead of + /srv/www/webyast/log (bnc#784012) + +------------------------------------------------------------------- +Thu Oct 4 07:45:44 UTC 2012 - [email protected] + +- removed DelayedJob dependency +- decrease default patch status reload timeout to 1 hour (login + session times out after 2 hours, longer time does not make sense) +- 0.3.26 + +------------------------------------------------------------------- +Wed Oct 3 14:43:03 UTC 2012 - [email protected] + +- added support for ActiveResource login needed by Studio + (bnc#783355) +- 0.3.25 + +------------------------------------------------------------------- ++++ 963 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.webyast-base.2401.new/webyast-base.changes New: ---- config.yml config.yml.new control_panel.yml grantwebyastrights nginx.conf org.opensuse.yast.permissions.policy rcwebyast update_webyast_service webyast webyast-base.changes webyast-base.spec webyast.lr.conf webyast.permissions.conf webyast.permissions.service.service webyastPermissionsService.rb www.tar.bz2 yast_user_roles ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ webyast-base.spec ++++++ ++++ 658 lines (skipped) ++++++ config.yml ++++++ # This is a general config file for WebYaST # # The file needs to be located under /etc/webyast/ --- # Using the new # default: false polkit1: false # Enable/disable XML REST API # default: false rest_api_enabled: false # Enable/disable Web UI # default: true web_ui_enabled: true ++++++ config.yml.new ++++++ # This is a general config file for WebYaST # # The file needs to be located under /etc/webyast/ --- # Enable/disable XML REST API # default: false rest_api_enabled: false # Enable/disable Web UI # default: true web_ui_enabled: true ++++++ control_panel.yml ++++++ # This is a config file for WebYaST control center # # The file needs to be located under /etc/webyast/ or /etc/webyast/vendor/ # (the 'vendor' directory has higher priority). --- # timeout before automatic reloading of patches status (in seconds) # value 0 disables automatic reload # default: 3600 seconds = 1 hour patch_status_timeout: 3600 # timeout before automatic reloading of patches status (in seconds) # value 0 disables automatic reload # default: 300 seconds = 5 minutes system_status_timeout: 300 # display patches status in the status header # default: true display_patch_status: true # display system status in the status header # default: true display_system_status: true # label shown at the top of each page appliance_label: _("My Appliance") ++++++ grantwebyastrights ++++++ #!/usr/bin/env ruby # #-- # Webyast framework # # Copyright (C) 2009, 2010 Novell, Inc. # This library is free software; you can redistribute it and/or modify # it only under the terms of version 2.1 of the GNU Lesser General Public # License as published by the Free Software Foundation. # # This library is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA #++ # # grantwebyastrights # # show, grant and revoke policies for WebYaST # # run: grantwebyastrights # require 'fileutils' require 'getoptlong' require 'rubygems' require 'yaml' #checking which policykit is used WEBYAST_CONFIG_FILE = "/etc/webyast/config.yml" @polkit1 = true if File.exist?(WEBYAST_CONFIG_FILE) values = YAML::load(File.open(WEBYAST_CONFIG_FILE, 'r').read) @polkit1 = false if values["polkit1"] == false end STDOUT.puts "Using old PolicyKit" unless @polkit1 if @polkit1 require 'polkit1' end $debug = 0 POLKIT_SECTION = "55-webyast.d" def usage why STDERR.puts why STDERR.puts "" STDERR.puts "Usage: grantwebyastrights --user <user> --action (show|grant|revoke) [--policy <policy>]" STDERR.puts "NOTE: This program should be run by user root" STDERR.puts "" STDERR.puts "" unless @polkit1 STDERR.puts "This call grant/revoke ALL permissions for the YaST Webservice." STDERR.puts "In order to grant/revoke single rights use:" STDERR.puts "polkit-auth --user <user> (--grant|-revoke) <policyname>" STDERR.puts "" STDERR.puts "In order to show all possible permissions use:" STDERR.puts "polkit-action" else STDERR.puts "In order to show all possible permissions use:" STDERR.puts "pkaction" end exit 1 end options = GetoptLong.new( [ "--user", GetoptLong::REQUIRED_ARGUMENT ], [ "--debug", GetoptLong::OPTIONAL_ARGUMENT ], [ "--policy", GetoptLong::OPTIONAL_ARGUMENT ], [ "--action", GetoptLong::REQUIRED_ARGUMENT ] ) user = nil action = nil single_policy = nil begin options.each do |opt, arg| case opt when "--user"; user = arg when "--action"; action = arg when "--policy"; single_policy = arg when "--debug"; $debug += 1 end end rescue GetoptLong::InvalidOption => o usage "Invalid option #{o}" end $debug = nil if $debug == 0 usage "excessive arguments" unless ARGV.empty? usage "user parameter missing" unless user usage "action parameter (show|grant|revoke) missing" unless action SuseString = "org.opensuse.yast" def webyast_perm?(perm) return (perm.include? SuseString) && (not perm.include? ".scr") end def granted_perms(user) if @polkit1 perms = webyast_perms perms.reject! { |perm| PolKit1::polkit1_check(perm, user) == :no } else perms = `polkit-auth --user '#{user}' --explicit` #do NOT raise if an error happens here cause while the package installation this call returns always an error # raise "polkit-auth failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero? perms = perms.split "\n" perms.reject! { |perm| not webyast_perm?(perm) } end return perms end def webyast_perms if @polkit1 perms = `pkaction` else perms = `polkit-action` raise "polkit-action failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero? end perms = perms.split "\n" perms.reject! { |perm| not webyast_perm?(perm) } return perms end begin case action when "grant" then unless single_policy == nil STDOUT.puts "granting: #{single_policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, single_policy, true, user) else out = `polkit-auth --user '#{user}' --grant '#{single_policy}'` #do NOT raise if an error happens here cause while the package installation this call can return an error for already existing #permissions ( It is not possible to check this before) #raise "Granting permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? end else granted = granted_perms user non_granted = webyast_perms.reject{ |perm| granted.include? perm } non_granted.each do |policy| STDOUT.puts "granting: #{policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, policy, true, user) else out = `polkit-auth --user '#{user}' --grant '#{policy}'` #do NOT raise if an error happens here cause while the package installation this call can return an error for already existing #permissions ( It is not possible to check this before) #raise "Granting permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? end end end when "show" unless single_policy == nil STDOUT.puts single_policy if granted_perms(user).include?(single_policy) else STDOUT.puts granted_perms(user).join("\n") end when "revoke" unless single_policy == nil STDOUT.puts "revoking: #{single_policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, single_policy, false, user) else out = `polkit-auth --user '#{user}' --revoke '#{single_policy}'` raise "Revoking permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? end else granted = granted_perms user granted.each do |policy| STDOUT.puts "revoking: #{policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, policy, false, user) else out = `polkit-auth --user '#{user}' --revoke '#{policy}'` raise "Revoking permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? end end end end rescue Exception => e STDERR.puts e.message Process.exit! 1 end ++++++ nginx.conf ++++++ # Nginx configuration file for WebYaST user webyast webyast; worker_processes 1; error_log /var/log/webyast/error.log info; pid /var/run/webyast.pid; # keep $PATH variable env PATH; events { worker_connections 1024; } http { # read passenger_root option from external file (in rubygem-passenger-nginx package) include /etc/nginx/conf.d/passenger_root.include; passenger_ruby /usr/bin/ruby; passenger_pool_idle_time 300; passenger_min_instances 0; passenger_default_user webyast; passenger_user webyast; passenger_max_pool_size 1; passenger_max_instances_per_app 1; passenger_spawn_method conservative; client_body_temp_path /srv/www/webyast/tmp/tmp_webyast 1 2; fastcgi_temp_path /srv/www/webyast/tmp/fastcgi_webyast 1 2; proxy_temp_path /srv/www/webyast/tmp/proxy_webyast 1 2; include mime.types; default_type application/octet-stream; access_log /var/log/webyast/access.log; passenger_log_level 0; passenger_debug_log_file /var/log/webyast/passenger.log; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; gzip on; gzip_static on; gzip_buffers 16 8k; gzip_comp_level 9; gzip_http_version 1.0; gzip_proxied any; gzip_min_length 0; gzip_types text/plain text/css image/x-icon image/png image/gif image/jpeg application/x-javascript text/javascript; gzip_vary on; server { listen 4984; underscores_in_headers on; server_name localhost; root /srv/www/webyast/public; passenger_enabled on; rails_framework_spawner_idle_time 300; rails_app_spawner_idle_time 300; ssl on; ssl_certificate /etc/nginx/certs/webyast.pem; ssl_certificate_key /etc/nginx/certs/webyast.key; ssl_session_timeout 5m; ssl_protocols TLSv1; ssl_ciphers ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH; ssl_prefer_server_ciphers on; # redirect HTTP requests to HTTPS # Error 497 is internal code for Error 400 "The plain HTTP request was sent to HTTPS port" error_page 497 https://$host:4984$request_uri; location ~* \.(png|gif|jpg|jpeg|css|js|swf|ico)(\?[0-9]+)?$ { passenger_enabled on; access_log off; expires max; add_header Cache-Control public; } } } ++++++ rcwebyast ++++++ #!/bin/sh # # Copyright (C) 1995--2007 Marcus Rückert, SUSE / Novell Inc. # # This library is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or (at # your option) any later version. # # This library is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, # USA. # # /etc/init.d/webyast # and its symbolic link # /(usr/)sbin/rcwebyast # # # LSB compatible service control script; see http://www.linuxbase.org/spec/ # # Note: This template uses functions rc_XXX defined in /etc/rc.status on # UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your # script on this template and ensure that it works on non UL based LSB # compliant Linux distributions, you either have to provide the rc.status # functions from UL or change the script to work without them. # See skeleton.compat for a template that works with other distros as well. # ### BEGIN INIT INFO # Provides: webyast # Required-Start: $syslog $remote_fs $network # Should-Start: $time ypbind sendmail # Required-Stop: $syslog $remote_fs $network # Should-Stop: $time ypbind sendmail # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: webyast # Description: Start webyast ### END INIT INFO # # Any extensions to the keywords given above should be preceeded by # X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB. # # Notes on Required-Start/Should-Start: # * There are two different issues that are solved by Required-Start # and Should-Start # (a) Hard dependencies: This is used by the runlevel editor to determine # which services absolutely need to be started to make the start of # this service make sense. Example: nfsserver should have # Required-Start: $portmap # Also, required services are started before the dependent ones. # The runlevel editor will warn about such missing hard dependencies # and suggest enabling. During system startup, you may expect an error, # if the dependency is not fulfilled. # (b) Specifying the init script ordering, not real (hard) dependencies. # This is needed by insserv to determine which service should be # started first (and at a later stage what services can be started # in parallel). The tag Should-Start: is used for this. # It tells, that if a service is available, it should be started # before. If not, never mind. # * When specifying hard dependencies or ordering requirements, you can # use names of services (contents of their Provides: section) # or pseudo names starting with a $. The following ones are available # according to LSB (1.1): # $local_fs all local file systems are mounted # (most services should need this!) # $remote_fs all remote file systems are mounted # (note that /usr may be remote, so # many services should Require this!) # $syslog system logging facility up # $network low level networking (eth card, ...) # $named hostname resolution available # $netdaemons all network daemons are running # The $netdaemons pseudo service has been removed in LSB 1.2. # For now, we still offer it for backward compatibility. # These are new (LSB 1.2): # $time the system time has been set correctly # $portmap SunRPC portmapping service available # UnitedLinux extensions: # $ALL indicates that a script should be inserted # at the end # * The services specified in the stop tags # (Required-Stop/Should-Stop) # specify which services need to be still running when this service # is shut down. Often the entries there are just copies or a subset # from the respective start tag. # * Should-Start/Stop are now part of LSB as of 2.0, # formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop. # insserv does support both variants. # * X-UnitedLinux-Default-Enabled: yes/no is used at installation time # (%fillup_and_insserv macro in %post of many RPMs) to specify whether # a startup script should default to be enabled after installation. # It's not used by insserv. # # Note on runlevels: # 0 - halt/poweroff 6 - reboot # 1 - single user 2 - multiuser without network exported # 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) # # Note on script names: # http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html # A registry has been set up to manage the init script namespace. # http://www.lanana.org/ # Please use the names already registered or register one or use a # vendor prefix. # Check for missing binaries (stale symlinks should not happen) # Note: Special treatment of stop for LSB conformance NGINX_BIN=/usr/sbin/nginx test -x $NGINX_BIN || { echo "$NGINX_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } # Check for existence of needed config file and read it NGINX_CONFIG=/etc/webyast/nginx.conf test -r $NGINX_CONFIG || { echo "$NGINX_CONFIG not existing"; if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; } PID_FILE=/var/run/webyast.pid RESTART_FILE="/var/lib/webyast/restart" CERTIFICATEFILE=/etc/nginx/certs/webyast.pem CERTKEYFILE=/etc/nginx/certs/webyast.key COMBINEDCERTFILE=/etc/nginx/certs/webyast-combined.pem GEMFILE_LOCK=/srv/www/webyast/Gemfile.lock # Source LSB init functions # providing start_daemon, killproc, pidofproc, # log_success_msg, log_failure_msg and log_warning_msg. # This is currently not used by UnitedLinux based distributions and # not needed for init scripts for UnitedLinux only. If it is used, # the functions from rc.status should not be sourced or used. #. /lib/lsb/init-functions # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v be verbose in local rc status and clear it afterwards # rc_status -v -r ditto and clear both the local and overall rc status # rc_status -s display "skipped" and exit with status 3 # rc_status -u display "unused" and exit with status 3 # rc_failed set local and overall rc status to failed # rc_failed <num> set local and overall rc status to <num> # rc_reset clear both the local and overall rc status # rc_exit exit appropriate to overall rc status # rc_active checks whether a service is activated by symlinks . /etc/rc.status # Reset status of this service rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - user had insufficient privileges # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) # # Note that starting an already running service, stopping # or restarting a not-running service as well as the restart # with force-reload (in case signaling is not supported) are # considered a success. # set default file permissions to -rw------ # (log files should not be readable by all) umask 0066 case "$1" in start) echo -n "Starting WebYaST " if [ ! -e $COMBINEDCERTFILE ] then echo -e "\nNo WebYaST certificate found, creating one now..." LOG_FILE="/var/log/webyast/check-create-certificate.log" if ! /usr/sbin/check-create-certificate -c -C $CERTIFICATEFILE -K $CERTKEYFILE -B $COMBINEDCERTFILE -D webyast -O WebYaST -U WebYaST > $LOG_FILE 2>&1 then echo -n "Can not create certificate. Please see $LOG_FILE for details." rc_failed rc_status -v rc_exit fi chown nginx:nginx $CERTIFICATEFILE $CERTKEYFILE $COMBINEDCERTFILE echo -n "WebYaST certificate: " openssl x509 -in $CERTIFICATEFILE -fingerprint -noout fi # refresh the Gemfile.lock content before starting the server # (outdated file can cause problems after upgrading needed rubygems) rm -f $GEMFILE_LOCK # check the current secret key permissions TOKEN_FILE=/srv/www/webyast/config/initializers/secret_token.rb # get user, group and octal permission mode PERMISSIONS=`stat -c '%U:%G:%a' $TOKEN_FILE` DEFAULT_SECRET='a25bdf1cfcaea649ced4549e9d2b2b6ad4cf077badc774ca034a7ba57ae17f6e1185ed07bcc4ac20fb2d062d2afa975024fca03ede7b4c5002ca68386caa27a0' # fix the file permissions if needed if [ "$PERMISSIONS" != "webyast:root:400" ]; then chown webyast:root $TOKEN_FILE chmod 0400 $TOKEN_FILE # drop the secret key which could have been compromised (replace it by the default which is later rewritten) sed -i "s/\\(Webyast::Application.config.secret_token[ \\t]*=[ \\t]*\\)'.*'/\\1'$DEFAULT_SECRET'/" $TOKEN_FILE fi # generate deployment specific secret key (bnc#591345) if grep -q $DEFAULT_SECRET $TOKEN_FILE; then echo "Creating unique session secret..." SECRET=`dd if=/dev/urandom bs=256 count=1 2>/dev/null | sha512sum | cut -d\ -f 1` if [ -z "$SECRET" ]; then echo -n "Cannot generate unique session secret." rc_failed rc_status -v rc_exit fi sed -i "s/$DEFAULT_SECRET/$SECRET/" $TOKEN_FILE fi # clear cache (drop possibly obsoleted values) (cd /srv/www/webyast/ && rake -s tmp:cache:clear) # make the lock file readable for all chmod a+r $GEMFILE_LOCK # restart file present - do some additional update actions # (Webyast was probably installed/updated by plain RPM) if [ -f $RESTART_FILE ]; then # TODO: use /usr/sbin/update_webyast_service (but fix possible endless loop) (umask 0033 && cd /srv/www/webyast/ && rake -s -f lib/tasks/assets.rake assets:join_manifests) rm $RESTART_FILE fi ## Start daemon with startproc(8). If this fails ## the return value is set appropriately by startproc. /sbin/startproc -p $PID_FILE $NGINX_BIN -c $NGINX_CONFIG # Remember status and be verbose rc_status -v # print the URL of the server if test "$?" -eq 0; then IFC=`LC_ALL=C route | grep "^default" | tr -s " " | cut -d " " -f 8` IP=`LC_ALL=C ifconfig $IFC | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1` PORT=`LC_ALL=C grep "listen" $NGINX_CONFIG|cut -d ";" -f 1|tr -s " "|cut -d " " -f 3` HNAME=`hostname -f 2> /dev/null` if [ -n "$HNAME" ]; then HNAME=" (https://$HNAME:$PORT/)" fi if [ -n "$IP" ]; then echo -e "\t${done}WebYaST is running at https://$IP:$PORT/${HNAME}${norm}\n"; else echo -e "\t${warn}WebYaST could not determine the IP address for $IFC${norm}\n" fi fi ;; stop) echo -n "Shutting down webyast " ## Stop daemon with killproc(8) and if this fails ## killproc sets the return value according to LSB. /sbin/killproc -TERM -p $PID_FILE $NGINX_BIN # Remember status and be verbose rc_status -v ;; try-restart|condrestart) ## Do a restart only if the service was active before. ## Note: try-restart is now part of LSB (as of 1.9). ## RH has a similar command named condrestart. if test "$1" = "condrestart"; then echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" fi $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi # Remember status and be quiet rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) ## Signal the daemon to reload its config. Most daemons ## do this on signal 1 (SIGHUP). ## If it does not support it, restart the service if it ## is running. echo -n "Reload service webyast " ## if it supports it: /sbin/killproc -p $PID_FILE -HUP $NGINX_BIN rc_status -v ## Otherwise: #$0 try-restart #rc_status ;; reload) ## Like force-reload, but if daemon does not support ## signaling, do nothing (!) # If it supports signaling: echo -n "Reload service webyast " /sbin/killproc -HUP -p $PID_FILE $NGINX_BIN #touch /var/run/webyast.pid rc_status -v ## Otherwise if it does not support reload: #rc_failed 3 #rc_status -v ;; status) echo -n "Checking for service webyast " ## Check status with checkproc(8), if process is running ## checkproc will return with exit status 0. # Return value is slightly different for the status command: # 0 - service up and running # 1 - service dead, but /var/run/ pid file exists # 2 - service dead, but /var/lock/ lock file exists # 3 - service not running (unused) # 4 - service status unknown :-( # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) # NOTE: checkproc returns LSB compliant status values. /sbin/checkproc -p $PID_FILE $NGINX_BIN # NOTE: rc_status knows that we called this init script with # "status" option and adapts its messages accordingly. rc_status -v ;; probe) ## Optional: Probe for the necessity of a reload, print out the ## argument to this init script which is required for a reload. ## Note: probe is not (yet) part of LSB (as of 1.9) test $NGINX_CONFIG /var/run/webyast.pid && echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit ++++++ update_webyast_service ++++++ #!/bin/sh # This is a shared script for updating and restarting webyast after package update. # The restart is done via an update script which symlinks to this file. RESTART_FILE="/var/lib/webyast/restart" WEBYAST_DIR="/srv/www/webyast" # restart file and Webyast initscript present if [ -f $RESTART_FILE ]; then cd $WEBYAST_DIR # update assets - use assets.rake file directly for faster loading rake -f lib/tasks/assets.rake assets:join_manifests # update Gemfile if test -f "Gemfile" ; then bundle update fi cd - # restart Webyast if it is running /etc/init.d/webyast try-restart # remove the restart file so this script is called just once rm -f $RESTART_FILE fi ++++++ webyast ++++++ # SuSEfirewall2 service definition ## Name: WebYaST ## Description: The backend and frontend of WebYaST, http://en.opensuse.org/WebYaST # space separated list of allowed TCP ports TCP="4984" ++++++ webyast.lr.conf ++++++ /var/log/webyast/production.log /var/log/webyast/development.log /var/log/webyast/access.log /var/log/webyast/error.log /var/log/webyast/permission_service.log /var/log/webyast/passenger.log { compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 600 webyast webyast postrotate /etc/init.d/webyast reload endscript } ++++++ webyast.permissions.conf ++++++ <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd";> <busconfig> <policy user="root"> <allow own="webyast.permissions.service" /> <allow send_destination="webyast.permissions.service" /> </policy> <!-- anyone can call service as it is protected by policyKit --> <policy context="default"> <allow send_destination="webyast.permissions.service" /> </policy> </busconfig> ++++++ webyast.permissions.service.service ++++++ # DBus service activation config [D-BUS Service] Name=webyast.permissions.service Exec=/usr/sbin/webyastPermissionsService.rb User=root ++++++ webyastPermissionsService.rb ++++++ #!/usr/bin/env ruby #-- # Webyast framework # # Copyright (C) 2009, 2010 Novell, Inc. # This library is free software; you can redistribute it and/or modify # it only under the terms of version 2.1 of the GNU Lesser General Public # License as published by the Free Software Foundation. # # This library is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA #++ require 'rubygems' require 'dbus' require 'etc' require 'yaml' #checking which policykit is used WEBYAST_CONFIG_FILE = "/etc/webyast/config.yml" polkit1_enabled = true if File.exist?(WEBYAST_CONFIG_FILE) values = YAML::load(File.open(WEBYAST_CONFIG_FILE, 'r').read) polkit1_enabled = false if values["polkit1"] == false end if polkit1_enabled require 'polkit1' else require 'polkit' end # Choose the bus (could also be DBus::session_bus, which is not suitable for a system service) bus = DBus::system_bus # Define the service name service = bus.request_service("webyast.permissions.service") class WebyastPermissionsService < DBus::Object attr_accessor :polkit1 def initialize(polkit1_enabled, options={}) @polkit1 = polkit1_enabled super options end # overriding DBus::Object#dispatch # It is needed because dispatch sent just parameters and without sender it is # imposible to check permissions of sender. So to avoid it add as last # parameter sender id. def dispatch(msg) msg.params << msg.sender super(msg) end def log(msg) f = File.new("/var/log/webyast/permission_service.log", "a", 0600) f.write msg f.write "\n" f.close end # Create an interface. dbus_interface "webyast.permissions.Interface" do dbus_method :grant, "out result:as, in permissions:as, in user:s" do |permissions,user,sender| result = execute(:grant, permissions, user,sender) log "Grant permissions #{permissions.inspect} for user #{user} with result #{result.inspect} " + (@polkit1 ? "(Polkit1)" : "(PolicyKit)") [result] end dbus_method :revoke, "out result:as, in permissions:as, in user:s" do |permissions,user,sender| result = execute(:revoke, permissions, user,sender) log "Revoke permissions #{permissions.inspect} for user #{user} with result #{result.inspect} " + (@polkit1 ? "(Polkit1)" : "(PolicyKit)") [result] end dbus_method :check, "out result:as, in permissions:as, in user:s" do |permissions,user,sender| result = execute(:check, permissions, user,sender) log "check permissions #{permissions.inspect} for user #{user} with result #{result.inspect} " + (@polkit1 ? "(Polkit1)" : "(PolicyKit)") [result] end end USER_REGEX=/\A[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/ USER_WITH_DOMAIN_REGEX=/\A[a-zA-Z0-9][a-zA-Z0-9\-.]*\\[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/ POLKIT_SECTION = "55-webyast.d" def execute (command, permissions, user, sender) #TODO polkit check, user escaping, perm whitespacing return ["NOPERM"] unless check_polkit sender, command return ["USER_INVALID"] if invalid_user_name? user result = [] permissions.each do |p| #whitespace check for valid permission string to avoid attack unless p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/) result << "permissions have a wrong format" else case command when :grant then begin if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, p, true, user) result << "true" else #whitespace check for valid permission string to avoid attack if p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/) result << `polkit-auth --user '#{user}' --grant '#{p}' 2>&1` # RORSCAN_ITL else result << "perm #{p} is INVALID" # XXX tom: better don't include invalif perms here, we do not know what the calling function is doing with it, like displaying it via the browser, passing it to the shell etc. end end rescue Exception => e result << e.message end when :revoke then begin if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, p, false, user) result << "true" else #whitespace check for valid permission string to avoid attack if p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/) result << `polkit-auth --user '#{user}' --revoke '#{p}' 2>&1` # RORSCAN_ITL else result << "perm #{p} is INVALID" # XXX tom: better don't include invalif perms here, we do not know what the calling function is doing with it, like displaying it via the browser, passing it to the shell etc. end end rescue Exception => e result << e.message end when :check then if @polkit1 if PolKit1::polkit1_check(p, user) == :yes result << "yes" else result << "no" end else if PolKit.polkit_check(p, user) == :yes result << "yes" else result << "no" end end else end end end return result end PERMISSION_WRITE="org.opensuse.yast.permissions.write" PERMISSION_READ="org.opensuse.yast.permissions.read" def check_polkit(sender, command) uid = DBus::SystemBus.instance.proxy.GetConnectionUnixUser(sender)[0] user = Etc.getpwuid(uid).name begin case command when :grant then if @polkit1 return PolKit1.polkit1_check(PERMISSION_WRITE, user) == :yes else return PolKit.polkit_check(PERMISSION_WRITE, user) == :yes end when :revoke then if @polkit1 return PolKit1.polkit1_check(PERMISSION_WRITE, user) == :yes else return PolKit.polkit_check(PERMISSION_WRITE, user) == :yes end when :check then if @polkit1 return PolKit1.polkit1_check(PERMISSION_READ, user) == :yes else return PolKit.polkit_check(PERMISSION_READ, user) == :yes end else return false end rescue Exception => e log "PolKit returns an error: #{e.inspect}" return false end end def invalid_user_name? user active_directory_enabled = `/usr/sbin/pam-config -q --winbind 2>/dev/null | wc -w`.to_i > 0 # RORSCAN_ITL return false if user.match(USER_REGEX) return false if active_directory_enabled && user.match(USER_WITH_DOMAIN_REGEX) return true end end # Set the object path obj = WebyastPermissionsService.new(polkit1_enabled, "/webyast/permissions/Interface") # Export it! service.export(obj) # Now listen to incoming requests main = DBus::Main.new main << bus main.run ++++++ yast_user_roles ++++++ # # file : /etc/yast_user_roles # # This file describes roles of a user accounts for the WebYaST # "user accounts": System account which is accessable e.g. via PAM. # "roles" : Describes user accounts for which policies have # been generated # # Format: <user> <role 1>,<role 2>,...<role n> #-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
