Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2015-01-10 23:07:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2014-12-05 21:03:22.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-security.new/yast2-security.changes 2015-01-10 23:07:05.000000000 +0100 @@ -1,0 +2,13 @@ +Thu Jan 8 15:30:20 CET 2015 - [email protected] + +- fix paths for systemd target links (bnc#911523) +- 3.1.7 + +------------------------------------------------------------------- +Mon Dec 22 17:18:56 UTC 2014 - [email protected] + +- Fixed the interface to show and process correctly values from + sysctl.conf. +- Source code cleanup, including some minor fixes and new tests. + +------------------------------------------------------------------- Old: ---- yast2-security-3.1.6.tar.bz2 New: ---- yast2-security-3.1.7.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.XqPGp6/_old 2015-01-10 23:07:06.000000000 +0100 +++ /var/tmp/diff_new_pack.XqPGp6/_new 2015-01-10 23:07:06.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package yast2-security # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: yast2-security -Version: 3.1.6 +Version: 3.1.7 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ yast2-security-3.1.6.tar.bz2 -> yast2-security-3.1.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/package/yast2-security.changes new/yast2-security-3.1.7/package/yast2-security.changes --- old/yast2-security-3.1.6/package/yast2-security.changes 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/package/yast2-security.changes 2015-01-09 10:31:14.000000000 +0100 @@ -1,4 +1,17 @@ ------------------------------------------------------------------- +Thu Jan 8 15:30:20 CET 2015 - [email protected] + +- fix paths for systemd target links (bnc#911523) +- 3.1.7 + +------------------------------------------------------------------- +Mon Dec 22 17:18:56 UTC 2014 - [email protected] + +- Fixed the interface to show and process correctly values from + sysctl.conf. +- Source code cleanup, including some minor fixes and new tests. + +------------------------------------------------------------------- Thu Dec 4 09:51:32 UTC 2014 - [email protected] - remove X-KDE-Library from desktop file (bnc#899104) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/package/yast2-security.spec new/yast2-security-3.1.7/package/yast2-security.spec --- old/yast2-security-3.1.6/package/yast2-security.spec 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/package/yast2-security.spec 2015-01-09 10:31:14.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 3.1.6 +Version: 3.1.7 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/src/include/security/dialogs.rb new/yast2-security-3.1.7/src/include/security/dialogs.rb --- old/yast2-security-3.1.6/src/include/security/dialogs.rb 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/src/include/security/dialogs.rb 2015-01-09 10:31:14.000000000 +0100 @@ -118,7 +118,12 @@ # mapping for "Enable" and "Disable" links # current value -> new value - @link_value_mapping = { "yes" => "no", "no" => "yes" } + @link_value_mapping = { + "yes" => "no", + "no" => "yes", + "1" => "0", + "0" => "1" + } # mapping for "Configure" links # config name -> dialog name @@ -154,9 +159,9 @@ # handle the special cases at first if Builtins.contains(@configurable_options, option) ret = _("Configure") - elsif value == "yes" + elsif ["1", "yes"].include?(value) ret = _("Enabled") - elsif value == "no" + elsif ["0", "no"].include?(value) ret = _("Disabled") else return @UNKNOWN_STATUS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/src/modules/Security.rb new/yast2-security-3.1.7/src/modules/Security.rb --- old/yast2-security-3.1.6/src/modules/Security.rb 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/src/modules/Security.rb 2015-01-09 10:31:14.000000000 +0100 @@ -330,23 +330,20 @@ false end - # Function which returns if the settings were modified # @return [Boolean] settings were modified def GetModified @modified end + # Function sets internal variable, which indicates, that any # settings were modified, to "true" - - def SetModified @modified = true nil end - # Data was modified? # @return true if modified def Modified @@ -378,10 +375,10 @@ link = Convert.to_string( SCR.Read(path(".target.symlink"), @ctrl_alt_del_file) ) - if link == "/lib/systemd/system/poweroff.target" + if link == "/usr/lib/systemd/system/poweroff.target" ret = "halt" - elsif link == "/lib/systemd/system/reboot.target" || - link == "/lib/systemd/system/ctrl-alt-del.target" + elsif link == "/usr/lib/systemd/system/reboot.target" || + link == "/usr/lib/systemd/system/ctrl-alt-del.target" ret = "reboot" end end @@ -410,6 +407,36 @@ nil end + # Read the settings from the files included in @Locations + def read_from_locations + # NOTE: the call to #sort is only needed to satisfy the old testsuite + @Locations.sort.each do |file, vars| + vars.each do |var| + val = "" + filename = nil + if file.include?("sysconfig") + filename = "/etc" + file.tr(".", "/") + log.info "filename=#{filename}" + end + if filename.nil? || SCR.Read(path(".target.size"), filename) > 0 + val = SCR.Read(path("#{file}.#{var}")) + log.debug "Reading: #{file}.#{var} (#{val})" + end + @Settings[var] = val unless val.nil? + end + end + end + + # Read the settings from sysctl.conf + def read_kernel_settings + # NOTE: the call to #sort is only needed to satisfy the old testsuite + @sysctl.sort.each do |key, default_value| + val = SCR.Read(path(".etc.sysctl_conf") + key) + val = default_value if val.nil? || val == "" + @Settings[key] = val + end + end + # Read all security settings # @return true on success def Read @@ -417,34 +444,8 @@ @modified = false # Read security settings - - Builtins.mapmap(@Locations) do |file, vars| - Builtins.maplist(vars) do |var| - val = "" - filename = nil - if Builtins.issubstring(file, "sysconfig") - filename = Ops.add( - "/etc", - Builtins.mergestring(Builtins.splitstring(file, "."), "/") - ) - Builtins.y2debug("filename=%1", filename) - end - if filename == nil || - Ops.greater_than(SCR.Read(path(".target.size"), filename), 0) - val = Convert.to_string( - SCR.Read(Builtins.topath(Ops.add(Ops.add(file, "."), var))) - ) - Builtins.y2debug( - "Reading: %1 (%2)", - Builtins.topath(Ops.add(Ops.add(file, "."), var)), - val - ) - end - Ops.set(@Settings, var, val) if val != nil - end - { 0 => 0 } - end - Builtins.y2debug("Settings=%1", @Settings) + read_from_locations + Builtins.y2milestone("Settings=%1", @Settings) Ops.set(@Settings, "CONSOLE_SHUTDOWN", ReadConsoleShutdown()) @@ -540,23 +541,16 @@ Ops.get(@Settings, "HIBERNATE_SYSTEM", "") ) - # read sysctl.conf - Builtins.foreach(@sysctl) do |key, default_value| - val = Convert.to_string( - SCR.Read(Builtins.add(path(".etc.sysctl_conf"), key)) - ) - val = default_value if val == nil || val == "" - Ops.set(@Settings, key, val) - end + read_kernel_settings Builtins.y2debug("Settings=%1", @Settings) - # remeber the read values + # remember the read values @Settings_bak = deep_copy(@Settings) true end # Write the value of ctrl-alt-delete behavior - def WriteConsoleShutdown(ca) + def write_console_shutdown(ca) if Package.Installed("systemd") if ca == "reboot" SCR.Execute(path(".target.remove"), @ctrl_alt_del_file) @@ -564,7 +558,7 @@ SCR.Execute( path(".target.bash"), Builtins.sformat( - "ln -s -f /lib/systemd/system/poweroff.target %1", + "ln -s -f /usr/lib/systemd/system/poweroff.target %1", @ctrl_alt_del_file ) ) @@ -597,12 +591,136 @@ true end + # Write the settings from @Locations to the corresponding files + def write_to_locations + commitlist = [] + # NOTE: the call to #sort is only needed to satisfy the old testsuite + @Locations.sort.each do |file, vars| + vars.each do |var| + val = @Settings[var] + if val && val != SCR.Read(path("#{file}.#{var}")) + SCR.Write(path("#{file}.#{var}"), val) + commitlist << file unless commitlist.include?(file) + end + end + end + commitlist.each do |file| + SCR.Write(path(file), nil) + end + end + + # Write settings related to PAM behavior + def write_pam_settings + # pam stuff + encr = @Settings.fetch("PASSWD_ENCRYPTION", "sha512") + if encr != @Settings_bak["PASSWD_ENCRYPTION"] + SCR.Write(path(".etc.login_defs.ENCRYPT_METHOD"), encr) + end + + # use cracklib? + if @Settings["PASSWD_USE_CRACKLIB"] == "yes" + Pam.Add("cracklib") + pth = @Settings["CRACKLIB_DICT_PATH"] + if pth && pth != "/usr/lib/cracklib_dict" + Pam.Add("--cracklib-dictpath=#{pth}") + end + else + Pam.Remove("cracklib") + end + + # save min pass length + min_len = @Settings["PASS_MIN_LEN"] + if min_len && min_len != "5" && @Settings["PASSWD_USE_CRACKLIB"] == "yes" + Pam.Add("cracklib") # minlen is part of cracklib + Pam.Add("cracklib-minlen=#{min_len}") + else + Pam.Remove("cracklib-minlen") + end + + # save "remember" value (number of old user passwords to not allow) + remember_history = @Settings["PASSWD_REMEMBER_HISTORY"] + if remember_history && remember_history != "0" + Pam.Add("pwhistory") + Pam.Add("pwhistory-remember=#{remember_history}") + else + Pam.Remove("pwhistory-remember") + end + end + + # Write settings related to sysctl.conf and sysrq + def write_kernel_settings + # write sysctl.conf + written = false + # NOTE: the call to #sort is only needed to satisfy the old testsuite + @sysctl.sort.each do |key, default_value| + val = @Settings.fetch(key, default_value) + int_val = Integer(val) rescue nil + if int_val.nil? + log.error "value #{val} for #{key} is not integer, not writing" + elsif val != SCR.Read(path(".etc.sysctl_conf") + key) + SCR.Write(path(".etc.sysctl_conf") + key, val) + written = true + end + end + SCR.Write(path(".etc.sysctl_conf"), nil) if written + + # enable sysrq? + sysrq = Integer(@Settings.fetch("kernel.sysrq", "0")) rescue nil + if sysrq != nil + SCR.Execute( + path(".target.bash"), + "echo #{sysrq} > /proc/sys/kernel/sysrq" + ) + end + end + + # Write local PolicyKit configuration + def write_polkit_settings + if @Settings.fetch("HIBERNATE_SYSTEM", "") != + @Settings_bak.fetch("HIBERNATE_SYSTEM", "") + # allow writing any value (different from predefined ones) + ycp_value = @Settings.fetch("HIBERNATE_SYSTEM", "active_console") + hibernate = @ycp2polkit.fetch(ycp_value, ycp_value) + action = "org.freedesktop.upower.hibernate" + SCR.Write( + path(".etc.polkit-default-privs_local") + action, + hibernate + ) + end + end + + # Ensures that file permissions and PolicyKit privileges are applied + def apply_new_settings + # apply all current permissions as they are now + # (what SuSEconfig --module permissions would have done) + SCR.Execute(path(".target.bash"), "/usr/bin/chkstat --system") + + # ensure polkit privileges are applied (bnc #541393) + if FileUtils.Exists("/sbin/set_polkit_default_privs") + SCR.Execute(path(".target.bash"), "/sbin/set_polkit_default_privs") + end + end + + # Executes the corresponding activation command for the settings that have + # an entry in @activation_mapping and have changed + def activate_changes + # NOTE: the call to #sort is only needed to satisfy the old testsuite + @activation_mapping.sort.each do |setting, action| + next if @Settings[setting] == @Settings_bak[setting] + log.info( + "Option #{setting} has been modified, "\ + "activating the change: #{action}" + ) + res = SCR.Execute(path(".target.bash"), action) + log.error "Activation failed" if res != 0 + end + end # Write all security settings # @return true on success def Write return true if !@modified - Builtins.y2milestone("Writing configuration") + log.info "Writing configuration" # Security read dialog caption caption = _("Saving Security Configuration") @@ -637,158 +755,34 @@ "" ) + log.debug "Settings=#{@Settings}" + # Write security settings return false if Abort() Progress.NextStage - - Builtins.y2debug("Settings=%1", @Settings) - Ops.set( - @Settings, - "PERMISSION_SECURITY", - Ops.add(Ops.get(@Settings, "PERMISSION_SECURITY", ""), " local") - ) - - commitlist = [] - Builtins.mapmap(@Locations) do |file, vars| - Builtins.maplist(vars) do |var| - val = Ops.get(@Settings, var) - if val != nil && - val != SCR.Read(Builtins.topath(Ops.add(Ops.add(file, "."), var))) - SCR.Write(Builtins.topath(Ops.add(Ops.add(file, "."), var)), val) - commitlist = Convert.convert( - Builtins.union(commitlist, [file]), - :from => "list", - :to => "list <string>" - ) - end - end - { 0 => 0 } - end - - Builtins.maplist(commitlist) do |file| - SCR.Write(Builtins.topath(file), nil) - end + @Settings["PERMISSION_SECURITY"] << " local" + write_to_locations # Write inittab settings return false if Abort() Progress.NextStage + write_console_shutdown(@Settings.fetch("CONSOLE_SHUTDOWN", "ignore")) - WriteConsoleShutdown(Ops.get(@Settings, "CONSOLE_SHUTDOWN", "ignore")) - - # Write pam settings + # Write authentication and privileges settings return false if Abort() Progress.NextStage - - # pam stuff - encr = Ops.get(@Settings, "PASSWD_ENCRYPTION", "sha512") - if encr != Ops.get(@Settings_bak, "PASSWD_ENCRYPTION", "") - SCR.Write(path(".etc.login_defs.ENCRYPT_METHOD"), encr) - end - - # use cracklib? - if Ops.get(@Settings, "PASSWD_USE_CRACKLIB", "no") == "yes" - Pam.Add("cracklib") - pth = Ops.get(@Settings, "CRACKLIB_DICT_PATH", "/usr/lib/cracklib_dict") - if pth != "/usr/lib/cracklib_dict" - Pam.Add(Ops.add("--cracklib-dictpath=", pth)) - end - else - Pam.Remove("cracklib") - end - - # save min pass length - if Ops.get(@Settings, "PASS_MIN_LEN", "5") != "5" && - Ops.get(@Settings, "PASSWD_USE_CRACKLIB", "no") == "yes" - Pam.Add("cracklib") # minlen is part of cracklib - Pam.Add( - Builtins.sformat( - "cracklib-minlen=%1", - Ops.get(@Settings, "PASS_MIN_LEN", "5") - ) - ) - else - Pam.Remove("cracklib-minlen") - end - - # save "remember" value (number of old user passwords to not allow) - if Ops.get(@Settings, "PASSWD_REMEMBER_HISTORY", "0") != "0" - Pam.Add("pwhistory") - Pam.Add( - Builtins.sformat( - "pwhistory-remember=%1", - Ops.get(@Settings, "PASSWD_REMEMBER_HISTORY", "0") - ) - ) - else - Pam.Remove("pwhistory-remember") - end - - # write local polkit settings - if Ops.get(@Settings, "HIBERNATE_SYSTEM", "") != - Ops.get(@Settings_bak, "HIBERNATE_SYSTEM", "") - # allow writing any value (different from predefined ones) - ycp_value = Ops.get(@Settings, "HIBERNATE_SYSTEM", "active_console") - hibernate = Ops.get(@ycp2polkit, ycp_value, ycp_value) - action = "org.freedesktop.upower.hibernate" - SCR.Write( - Builtins.add(path(".etc.polkit-default-privs_local"), action), - hibernate - ) - end - - # write sysctl.conf - Builtins.foreach(@sysctl) do |key, default_value| - val = Ops.get(@Settings, key, default_value) - if Builtins.tointeger(val) == nil - Builtins.y2error( - "value %1 for %2 is not integer, not writing", - val, - key - ) - elsif val != SCR.Read(Builtins.add(path(".etc.sysctl_conf"), key)) - SCR.Write(Builtins.add(path(".etc.sysctl_conf"), key), val) - end - end - - # enable sysrq? - sysrq = Builtins.tointeger(Ops.get(@Settings, "kernel.sysrq", "0")) - if sysrq != nil - SCR.Execute( - path(".target.bash"), - Builtins.sformat("echo %1 > /proc/sys/kernel/sysrq", sysrq) - ) - end + write_pam_settings + write_polkit_settings + write_kernel_settings # Finish him return false if Abort() Progress.NextStage - - # apply all current permissions as they are now (what SuSEconfig --module permissions would have done) - SCR.Execute(path(".target.bash"), "/usr/bin/chkstat --system") - - # ensure polkit privileges are applied (bnc #541393) - if FileUtils.Exists("/sbin/set_polkit_default_privs") - SCR.Execute(path(".target.bash"), "/sbin/set_polkit_default_privs") - end + apply_new_settings return false if Abort() Progress.NextStage - - # activate the changes - Builtins.foreach(@activation_mapping) do |setting, action| - if Ops.get(@Settings, setting, "") != - Ops.get(@Settings_bak, setting, "") - Builtins.y2milestone( - "Option %1 has been modified, activating the change: %2", - setting, - action - ) - - res = Convert.to_integer(SCR.Execute(path(".target.bash"), action)) - Builtins.y2error("Activation failed") if res != 0 - end - end - + activate_changes return false if Abort() @modified = false diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/SCRStub.rb new/yast2-security-3.1.7/test/SCRStub.rb --- old/yast2-security-3.1.6/test/SCRStub.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/SCRStub.rb 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,94 @@ +# Helpers for stubbing several agent operations. +# +# Must be included in the configure section of RSpec. +# +# @example usage +# RSpec.configure do |c| +# c.include SCRStub +# end +# +# describe "Keyboard" do +# it "uses loadkeys" do +# expect_to_execute(/loadkeys/) +# Keyboard.Set +# end +# end +# +module SCRStub + # Ensures that non-stubbed SCR calls still works as expected after including + # the module in the testsuite + # different methods of the module + def self.included(testsuite) + testsuite.before(:each) do + allow(Yast::SCR).to receive(:Read).and_call_original + allow(Yast::SCR).to receive(:Write).and_call_original + allow(Yast::SCR).to receive(:Execute).and_call_original + end + end + + # Shortcut for generating Yast::Path objects + # + # @param route [String] textual representation of the path + # @return [Yast::Path] the corresponding Path object + def path(route) + Yast::Path.new(route) + end + + # Encapsulates subsequent SCR calls into a chroot. + # + # Raises an exception if something goes wrong. + # + # @param [#to_s] directory to use as '/' for SCR calls + def set_root_path(directory) + check_version = false + @scr_handle = Yast::WFM.SCROpen("chroot=#{directory}:scr", check_version) + raise "Error creating the chrooted scr instance" if @scr_handle < 0 + Yast::WFM.SCRSetDefault(@scr_handle) + end + + # Resets the SCR calls to default behaviour, closing the SCR instance open by + # #set_root_path. + # + # Raises an exception if #set_root_path has not been called before (or if the + # corresponding instance has already been closed) + # + # @see #set_root_path + def reset_root_path + default_handle = Yast::WFM.SCRGetDefault + if default_handle != @scr_handle + raise "Error closing the chrooted scr instance, it's not the current default one" + end + @scr_handle = nil + Yast::WFM.SCRClose(default_handle) + end + + # Matcher for executing commands using SCR.Execute and .target.bash + # + # @return [RSpec::Mocks::Matchers::Receive] + def exec_bash(command) + receive(:Execute).with(path(".target.bash"), command) + end + + # Stub all calls to SCR.Write storing the value for future comparison + def stub_scr_write + @written_values = {} + allow(Yast::SCR).to receive(:Write) do |*args| + key = args[0].to_s.gsub(/[\"']/, "") + @written_values[key] = args[1] + end + end + + # Value written by a stubbed call to SCR.Write + # + # @param key used in the call to SCR.Write + def written_value_for(key) + @written_values[key] + end + + # Checks if SCR.Write was called for a given path + # + # @param path used in the call to SCR.Write + def was_written?(path) + @written_values.has_key?(path) + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/login.defs new/yast2-security-3.1.7/test/data/system/etc/login.defs --- old/yast2-security-3.1.6/test/data/system/etc/login.defs 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/login.defs 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,287 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enfore a minimal delay (e.g. +# pam_unix enforces a 2s delay) +# +FAIL_DELAY 3 + +# +# Enable display of unknown usernames when login failures are recorded. +# +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +CONSOLE /etc/securetty +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, ":" delimited list of "message of the day" files to +# be displayed upon login. +# +MOTD_FILE /etc/motd +#MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +#HUSHLOGIN_FILE .hushlogin +HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin + +# +# The default PATH settings for root (used by login): +# +ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0620 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 + +# Default initial "umask" value used by login on non-PAM enabled systems. +# Default "umask" value for pam_umask on PAM enabled systems. +# UMASK is also used by useradd and newusers to set the mode of new home +# directories. +# 022 is the default value, but 027, or even 077, could be considered +# better for privacy. There is no One True Answer here: each sysadmin +# must make up her mind. +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for +# UIDs for dynamically allocated administrative and system accounts. +# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically +# allocated user accounts. +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 100 +SYS_UID_MAX 499 + +# +# Min/max values for automatic gid selection in groupadd +# +# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for +# GIDs for dynamically allocated administrative and system groups. +# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically +# allocated groups. +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 100 +SYS_GID_MAX 499 + +# +# Max number of login retries if password is bad +# +LOGIN_RETRIES 3 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 +ENCRYPT_METHOD_NIS DES + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +# See USERDEL_PRECMD/POSTCMD below. +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel to remove user groups if no members exist. +# +USERGROUPS_ENAB no + +# +# If set to a non-nul number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permit to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd should create home directories for users by default (non +# system users only) +# This option is overridden with the -M or -m flags on the useradd command +# line. +# +CREATE_HOME no + +# +# User/group names must match the following regex expression. +# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?, +# but be aware that the result could depend on the locale settings. +# +#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\? +CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\? + +# +# If defined, this command is run when adding a group. +# It should rebuild any NIS database etc. to add the +# new created group. +# +GROUPADD_CMD /usr/sbin/groupadd.local + +# +# If defined, this command is run when adding a user. +# It should rebuild any NIS database etc. to add the +# new created account. +# +USERADD_CMD /usr/sbin/useradd.local + +# +# If defined, this command is run before removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed. +# +USERDEL_PRECMD /usr/sbin/userdel-pre.local + +# +# If defined, this command is run after removing a user. +# It should rebuild any NIS database etc. to remove the +# account from it. +# +USERDEL_POSTCMD /usr/sbin/userdel-post.local + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysconfig/clock new/yast2-security-3.1.7/test/data/system/etc/sysconfig/clock --- old/yast2-security-3.1.6/test/data/system/etc/sysconfig/clock 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysconfig/clock 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,77 @@ +## Path: System/Environment/Clock +## Description: Information about your timezone and time +# +# Be aware that the time reference of the CMOS/HW clock has been +# forwarded to /etc/adjtime, the file used by hwclock(8), +# systemd(1), and the kernel as reference for the CMOS/HW clock. + +## Type: list(yes,no,) +## Description: Write back system time to the hardware clock +# +# Is set to "yes" write back the system time to the hardware +# clock at reboot or shutdown. Usefull if hardware clock is +# much more inaccurate than system clock. Set to "no" if +# system time does it wrong due e.g. missed timer interrupts. +# If set to "no" the hardware clock adjust feature is also +# skipped because it is rather useless without writing back +# the system time to the hardware clock. +# +# Note that you need to enable boot.clock for this feature to take +# effect. +# +# defaults to 'yes' if unset +# +SYSTOHC="" +## Description: Write back system time if if already done by kernel +## Type: list(no,yes) +# +# Is set to "yes" write back the system time to the hardware +# clock at reboot or shutdown eveb if this is done by the kernel +# in the so called ``Eleven Minute Mode''. +# +FORCE_SYSTOHC="no" +## Description: HW clock is not able to use years outside 1994-1999. +## Type: string +## Type: list(yes,no) +# +# Indicates that the Hardware Clock is incapable of storing years +# outside the range 1994-1999. +# +BADYEAR="no" +## Description: Overrides the default device file name +## Type: string +# +# Overrides the default /dev file name, which is /dev/rtc on many +# platforms but may be /dev/rtc0, /dev/rtc1, and so on. +# +HCTOSYS_DEVICE="" +## Description: Do or do not not run hwclock(8) +## Type: list(yes,no,) +# +# Set this to yes if it is possible to access the hardware clock, +# or no if it is not. On some platforms (s390 or xen) this may +# overwritten by the service its self. +# +USE_HWCLOCK="yes" +## Description: Correct systematic drift of the HW clock +## Type: list(yes,no,) +# +# Add or subtract time from the Hardware Clock to account for +# systematic drift since the last time the clock was set or +# adjusted. By default off as this can cause trouble. For +# systems using localtime for HW clock this will ignored. +# +USE_ADJUST="no" + +## Type: string(Europe/Berlin,Europe/London,Europe/Paris) +## ServiceRestart: boot.clock +## Command: /sbin/refresh_initrd +# +# Timezone (e.g. CET or Asia/Tokyo). The value should correspond +# to the contents of the /etc/localtime file and is for internal +# YaST use; changing this setting will not make SuSEconfig update +# the /etc/localtime file, YaST does that or you will need to do +# this manually by calling zic -l. +# +TIMEZONE="Europe/Berlin" +DEFAULT_TIMEZONE="US/Eastern" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysconfig/cron new/yast2-security-3.1.7/test/data/system/etc/sysconfig/cron --- old/yast2-security-3.1.6/test/data/system/etc/sysconfig/cron 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysconfig/cron 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,74 @@ +## Path: System/Cron/Man +## Description: cron configuration for man utility +## Type: yesno +## Default: yes +## Path: System/Cron/Man +## Description: cron configuration for man utility +## Type: yesno +## Default: yes +# +# Should mandb and whatis be recreated by cron.daily ("yes" or "no") +# +REINIT_MANDB=yes + +## Type: yesno +## Default: yes +# +# Should old preformatted man pages (in /var/cache/man) be deleted? (yes/no) +# +DELETE_OLD_CATMAN=yes + +## Type: integer +## Default: 7 +# +# How long should old preformatted man pages be kept before deletion? (days) +# +CATMAN_ATIME=7 + +## Type: string +## Default: "" +# +# At which time cron.daily should start. Default is 15 minutes after booting +# the system. Example setting would be "14:00". +# Due to the fact that cron script runs only every 15 minutes, +# it will only run on xx:00, xx:15, xx:30, xx:45, not at the accurate time +# you set. +DAILY_TIME="" + +## Type: integer +## Default: 5 +# +# Maximum days not running when using a fixed time set in DAILY_TIME. +# 0 to skip this. This is for users who will power off their system. +# +# There is a fixed max. of 14 days set, if you want to override this +# change MAX_NOT_RUN_FORCE in /usr/lib/cron/run-crons +MAX_NOT_RUN="5" + +## Type: yesno +## Default: no +# +# send status email even if all scripts in +# cron.{hourly,daily,weekly,monthly} +# returned without error? (yes/no) +# +SEND_MAIL_ON_NO_ERROR="no" + +## Type: yesno +## Default: no +# +# send email containing output from all successful jobs in +# cron.{hourly,daily,weekly,monthly}. Output from failed +# jobs is always sent. If SEND_MAIL_ON_NO_ERROR is yes, this +# setting is ignored. (yes/no) +# +SEND_OUTPUT_ON_NO_ERROR="no" + +## Type: yesno +## Default: no +# +# generate syslog message for all scripts in +# cron.{hourly,daily,weekly,monthly} +# even if they haven't returned an error? (yes/no) +# +SYSLOG_ON_NO_ERROR="no" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysconfig/displaymanager new/yast2-security-3.1.7/test/data/system/etc/sysconfig/displaymanager --- old/yast2-security-3.1.6/test/data/system/etc/sysconfig/displaymanager 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysconfig/displaymanager 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,125 @@ +## Path: Desktop/Display manager +## Description: settings to generate a proper displaymanager config +## Config: kdm3 +## Type: string +## Default: +# +# space separated list of users for which icons should be shown in KDM +# if empty, then take system defaults +# +KDM_USERS="" + +## Type: string +## Default: +# +# Special greeting words in kdm +# +KDM_GREETSTRING="" +## Path: Desktop/Display manager +## Description: settings to generate a proper displaymanager config +## Type: string +## Default: +## Config: kdm +# +# Defines extra Server Arguments given to the kdm display manager when +# starting a local display. Useful to override e.g. the -dpi setting. +# +DISPLAYMANAGER_KDM_LOCALARGS="" + +## Type: string +## Default: openSUSE +# +# Define the theme to be used by kdm. If empty, the traditional login +# window is used (which lacks some features) +# +DISPLAYMANAGER_KDM_THEME="openSUSE" + +## Type: yesno +## Default: yes +# +# Allow local access of the user root to your display manager. Note +# that root can never login if DISPLAYMANAGER_SHUTDOWN is "auto" and +# System/Security/Permissions/PERMISSION_SECURITY is "paranoid". +# This settings currently works only with KDM. +# +DISPLAYMANAGER_ROOT_LOGIN_LOCAL="yes" +## Path: Desktop/Display manager +## Type: string(Xorg) +## Default: "Xorg" +# +DISPLAYMANAGER_XSERVER="Xorg" +## Path: Desktop/Display manager +## Description: settings to generate a proper displaymanager config +## Type: string(kdm,kdm3,kdm4,xdm,gdm,wdm,entrance,console) +## Default: "" +# +# Here you can set the default Display manager (kdm/xdm/gdm/wdm/entrance/console). +# all changes in this file require a restart of the displaymanager +# +DISPLAYMANAGER="kdm" + +## Type: yesno +## Default: no +# +# Allow remote access (XDMCP) to your display manager (xdm/kdm/gdm). Please note +# that a modified kdm or xdm configuration, e.g. by KDE control center +# will not be changed. For gdm, values will be updated after change. +# XDMCP service should run only on trusted networks and you have to disable +# firewall for interfaces, where you want to provide this service. +# +DISPLAYMANAGER_REMOTE_ACCESS="yes" + +## Type: yesno +## Default: no +# +# Allow remote access of the user root to your display manager. Note +# that root can never login if DISPLAYMANAGER_SHUTDOWN is "auto" and +# System/Security/Permissions/PERMISSION_SECURITY is "paranoid" +# +DISPLAYMANAGER_ROOT_LOGIN_REMOTE="yes" + +## Type: yesno +## Default: yes +# +# Let the displaymanager start a local Xserver. +# Set to "no" for remote-access only. +# Set to "no" on architectures without any Xserver (e.g. s390/s390x). +# +DISPLAYMANAGER_STARTS_XSERVER="yes" + +## Type: yesno +## Default: no +# +# TCP port 6000 of Xserver. When set to "no" (default) Xserver is +# started with "-nolisten tcp". Only set this to "yes" if you really +# need to. Remote X service should run only on trusted networks and +# you have to disable firewall for interfaces, where you want to +# provide this service. Use ssh X11 port forwarding whenever possible. +# +DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN="no" + +## Type: string +## Default: +# +# Define the user whom should get logged in without request. If string +# is empty, display standard login dialog. +# +DISPLAYMANAGER_AUTOLOGIN="" + +## Type: yesno +## Default: no +# +# Allow all users to login without password, but ask for the user, if +# DISPLAYMANAGER_AUTOLOGIN is empty. +# +DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" + +## Type: yesno +## Default: no +# +# Display a combobox for Active Directory domains. +# +DISPLAYMANAGER_AD_INTEGRATION="no" + +# The DISPLAYMANAGER_SHUTDOWN setting is intentionally ommited for testing +# purposes. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysconfig/locate new/yast2-security-3.1.7/test/data/system/etc/sysconfig/locate --- old/yast2-security-3.1.6/test/data/system/etc/sysconfig/locate 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysconfig/locate 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1 @@ +RUN_UPDATEDB_AS="" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysconfig/mail new/yast2-security-3.1.7/test/data/system/etc/sysconfig/mail --- old/yast2-security-3.1.6/test/data/system/etc/sysconfig/mail 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysconfig/mail 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,48 @@ + +## Path: Network/Mail/General +## Description: Basic general MTA configuration +## Type: yesno +## Default: yes +## Config: postfix,sendmail +# +# If you don't want to let SuSEconfig generate your +# configuration file, set this to no +# +MAIL_CREATE_CONFIG="yes" +## Path: Network/Mail/General +## Description: +## Type: string +## Default: "" +## Config: postfix +## ServiceReload: sendmail,postfix +# +# From:-Line in email and News postings +# (otherwise the FQDN is used) +FROM_HEADER="" + +## Type: yesno +## Default: no +## Config: postfix +# +# Set this to "yes" if mail from remote should be accepted +# this is necessary for any mail server. +# If set to "no" or empty then only mail from localhost +# will be accepted. +# +SMTPD_LISTEN_REMOTE="no" + +## Type: yesno +## Default: no +# +# Set this to "yes" if the yast2 mail module must not +# start with the wizard for asking the +# configuration type of the mail server. +# +SKIP_ASK="no" + +## Type: string(standard,advanced,undef) +## Default: undef +# +# This variable contains the type of the mail server configuration. +# +CONFIG_TYPE="undef" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysconfig/security new/yast2-security-3.1.7/test/data/system/etc/sysconfig/security --- old/yast2-security-3.1.6/test/data/system/etc/sysconfig/security 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysconfig/security 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,58 @@ +## Path: System/Security/Permissions +## Description: Configuration of permissions on the system +## Type: string +## Default: "easy local" +# +# Permission settings to use. By default 'easy', 'secure' and +# 'paranoid' exist. You may define your own though. +# +PERMISSION_SECURITY="easy local" +## Path: System/Security/PolicyKit +## Description: Configuration of default PolicyKit privileges +## Type: list(set,warn,no) +## Default: set +## Config: set_polkit_default_privs +# +# SuSEconfig can check PolicyKit default privileges. +# Setting this variable to "set" will change privileges that don't match the +# default. Setting to "warn" only prints a warning and "no" will +# disable this feature. +# +# Defaults to "set" if not specified +# +CHECK_POLKIT_PRIVS="" + +## Type: string +## Default: "standard" +## Config: set_polkit_default_privs +# +# SUSE ships with two sets of default privilege settings. These are +# "standard" and "restrictive". +# +# Examples: "standard", "restrictive foo bar" +# +# If not set the value depends on the setting of +# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or +# 'paranoid' the value will be 'restrictive', otherwise 'standard'. +# +# The 'local' file is always evaluated and takes precedence over all +# other files. +# +POLKIT_DEFAULT_PRIVS="" +## Type: list(yes,yast,no) +## Default: yes +# +# When working with packages and installation sources, check keys +# and signatures: yes = in YaST and ZENWorks, yast = in YaST, no = +# no checking. +# +CHECK_SIGNATURES="yes" + +## Description: Use filesystem capabilities for more finegrained permission handling +## Type: yesno +## Default: "yes" +# +# Flag whether to use filesystem capabilities for finegrained +# access control (compared to setuid) or not. +# +PERMISSION_FSCAPS="" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysconfig/services new/yast2-security-3.1.7/test/data/system/etc/sysconfig/services --- old/yast2-security-3.1.6/test/data/system/etc/sysconfig/services 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysconfig/services 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,16 @@ +## Path: System/Services +## Type: yesno +## Default: no +# +# Do you want to disable the automatic restart of services when +# a new version gets installed? +# +DISABLE_RESTART_ON_UPDATE="no" + +## Type: yesno +## Default: no +# +# Do you want to disable the automatic shutdown of services when +# the corresponding package gets erased? +# +DISABLE_STOP_ON_REMOVAL="no" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/data/system/etc/sysctl.conf new/yast2-security-3.1.7/test/data/system/etc/sysctl.conf --- old/yast2-security-3.1.6/test/data/system/etc/sysctl.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.1.7/test/data/system/etc/sysctl.conf 2015-01-09 10:31:14.000000000 +0100 @@ -0,0 +1,26 @@ +#### +# +# /etc/sysctl.conf is meant for local sysctl settings +# +# sysctl reads settings from the following locations: +# /boot/sysctl.conf-<kernelversion> +# /lib/sysctl.d/*.conf +# /usr/lib/sysctl.conf.d/*.conf +# /usr/local/lib/sysctl.d/*.conf +# /etc/sysctl.d/*.conf +# /run/sysctl.d/*.conf +# /etc/sysctl.conf +# +# To disable or override a distribution provided file just place a +# file with the same name in /etc/sysctl.d/ +# +# See sysctl.conf(5) and sysctl(8) for more information +# +#### + +# net.ipv6.conf.all.disable_ipv6 = 1 +# net.ipv6.conf.all.disable_ipv6 = 1 +kernel.sysrq = 0 +net.ipv4.ip_forward = 0 +net.ipv4.tcp_syncookies = 1 +net.ipv6.conf.all.forwarding = 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/test/security_test.rb new/yast2-security-3.1.7/test/security_test.rb --- old/yast2-security-3.1.6/test/security_test.rb 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/test/security_test.rb 2015-01-09 10:31:14.000000000 +0100 @@ -1,8 +1,11 @@ #!/usr/bin/env rspec -require 'rspec' ENV["Y2DIR"] = File.expand_path("../../src", __FILE__) +DATA_PATH = File.join(File.expand_path(File.dirname(__FILE__)), "data") + +require 'rspec' require "yast" +require_relative 'SCRStub' def services_for(names) names.map {|n| Yast::DummySystemdUnit.new(n) } @@ -22,6 +25,10 @@ import "Security" + RSpec.configure do |c| + c.include SCRStub + end + describe Security do describe "#ReadServiceSettings" do @@ -74,5 +81,124 @@ end end end + + describe "#Write" do + it "writes and applies all the settings" do + expect(Security).to receive(:write_to_locations) + expect(Security).to receive(:write_console_shutdown) + expect(Security).to receive(:write_pam_settings) + expect(Security).to receive(:write_polkit_settings) + expect(Security).to receive(:write_kernel_settings) + expect(Security).to receive(:apply_new_settings) + expect(Security).to receive(:activate_changes) + Security.modified = true + Security.Write + end + end + + describe "#write_to_locations" do + before do + set_root_path(File.join(DATA_PATH, "system")) + Security.read_from_locations + stub_scr_write + end + + after do + reset_root_path + end + + it "does not write nil values" do + expect(SCR).to_not receive(:Write). + with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything) + + Security.Settings["SMTPD_LISTEN_REMOTE"] = nil + Security.write_to_locations + end + + it "does not write unchanged values" do + expect(SCR).to_not receive(:Write). + with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything) + + Security.Settings["SMTPD_LISTEN_REMOTE"] = "no" + Security.write_to_locations + end + + it "adds missing values" do + Security.Settings["DISPLAYMANAGER_SHUTDOWN"] = "yes" + Security.write_to_locations + + expect(written_value_for(".sysconfig.displaymanager.DISPLAYMANAGER_SHUTDOWN")). + to eq("yes") + expect(was_written?(".sysconfig.displaymanager")).to eq(true) + end + + it "updates changed values" do + Security.Settings["USERADD_CMD"] = "cmd" + Security.Settings["USERDEL_PRECMD"] = "" + Security.write_to_locations + + expect(written_value_for(".etc.login_defs.USERADD_CMD")).to eq("cmd") + expect(written_value_for(".etc.login_defs.USERDEL_PRECMD")).to eq("") + expect(was_written?(".etc.login_defs")).to eq(true) + end + end + + describe "#write_kernel_settings" do + before do + set_root_path(File.join(DATA_PATH, "system")) + Security.read_kernel_settings + stub_scr_write + end + + after do + reset_root_path + end + + context "writing to sysctl.conf" do + before do + allow(SCR).to exec_bash(/echo .* \/kernel\/sysrq/) + end + + it "does not write invalid values" do + expect(SCR).to_not receive(:Write) + + Security.Settings["kernel.sysrq"] = "yes" + Security.Settings["net.ipv4.ip_forward"] = "" + Security.write_kernel_settings + end + + it "does not write unchanged values" do + expect(SCR).to_not receive(:Write) + + Security.Settings["net.ipv4.ip_forward"] = "0" + Security.write_kernel_settings + end + + it "writes changed values" do + Security.Settings["net.ipv4.ip_forward"] = "1" + Security.write_kernel_settings + + expect(written_value_for(".etc.sysctl_conf.net.ipv4.ip_forward")). + to eq("1") + expect(was_written?(".etc.sysctl_conf")).to eq(true) + end + end + + context "setting sysrq" do + it "does not write invalid values" do + expect(SCR).to_not exec_bash(/echo .* \/kernel\/sysrq/) + + Security.Settings["kernel.sysrq"] = "yes" + Security.write_kernel_settings + end + + it "writes valid values" do + expect(SCR).to exec_bash("echo 1 > /proc/sys/kernel/sysrq") + + Security.Settings["kernel.sysrq"] = "1" + Security.write_kernel_settings + end + end + end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/testsuite/tests/Level1.out new/yast2-security-3.1.7/testsuite/tests/Level1.out --- old/yast2-security-3.1.6/testsuite/tests/Level1.out 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/testsuite/tests/Level1.out 2015-01-09 10:31:14.000000000 +0100 @@ -70,6 +70,7 @@ Write .etc.sysctl_conf."net.ipv4.tcp_syncookies" "1" true Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" nil Write .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "0" true +Write .etc.sysctl_conf nil true Execute .target.bash "echo 1 > /proc/sys/kernel/sysrq" 0 Execute .target.bash "/usr/bin/chkstat --system" 0 Execute .target.bash "/sbin/set_polkit_default_privs" 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/testsuite/tests/Level2.out new/yast2-security-3.1.7/testsuite/tests/Level2.out --- old/yast2-security-3.1.6/testsuite/tests/Level2.out 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/testsuite/tests/Level2.out 2015-01-09 10:31:14.000000000 +0100 @@ -70,6 +70,7 @@ Write .etc.sysctl_conf."net.ipv4.tcp_syncookies" "1" true Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" nil Write .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "0" true +Write .etc.sysctl_conf nil true Execute .target.bash "echo 0 > /proc/sys/kernel/sysrq" 0 Execute .target.bash "/usr/bin/chkstat --system" 0 Return true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/testsuite/tests/Level3.out new/yast2-security-3.1.7/testsuite/tests/Level3.out --- old/yast2-security-3.1.6/testsuite/tests/Level3.out 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/testsuite/tests/Level3.out 2015-01-09 10:31:14.000000000 +0100 @@ -71,6 +71,7 @@ Write .etc.sysctl_conf."net.ipv4.tcp_syncookies" "1" true Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" nil Write .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "0" true +Write .etc.sysctl_conf nil true Execute .target.bash "echo 0 > /proc/sys/kernel/sysrq" 0 Execute .target.bash "/usr/bin/chkstat --system" 0 Execute .target.bash "/sbin/set_polkit_default_privs" 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.1.6/testsuite/tests/Write.out new/yast2-security-3.1.7/testsuite/tests/Write.out --- old/yast2-security-3.1.6/testsuite/tests/Write.out 2014-12-04 13:31:11.000000000 +0100 +++ new/yast2-security-3.1.7/testsuite/tests/Write.out 2015-01-09 10:31:14.000000000 +0100 @@ -58,7 +58,7 @@ Write .sysconfig.mail nil true Write .sysconfig.security nil true Write .sysconfig.services nil true -Execute .target.bash "ln -s -f /lib/systemd/system/poweroff.target /etc/systemd/system/ctrl-alt-del.target" 0 +Execute .target.bash "ln -s -f /usr/lib/systemd/system/poweroff.target /etc/systemd/system/ctrl-alt-del.target" 0 Execute .target.bash_output "/usr/sbin/pam-config -d --cracklib" $[] Execute .target.bash_output "/usr/sbin/pam-config -d --cracklib-minlen" $[] Execute .target.bash_output "/usr/sbin/pam-config -d --pwhistory-remember" $[] @@ -71,6 +71,7 @@ Write .etc.sysctl_conf."net.ipv4.tcp_syncookies" "9" true Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" nil Write .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "11" true +Write .etc.sysctl_conf nil true Execute .target.bash "echo 1 > /proc/sys/kernel/sysrq" 0 Execute .target.bash "/usr/bin/chkstat --system" 0 Execute .target.bash "/sbin/set_polkit_default_privs" 0 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
