Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2016-03-07 13:25:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2015-10-03 20:29:36.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-security.new/yast2-security.changes 2016-03-07 13:25:50.000000000 +0100 @@ -1,0 +2,7 @@ +Fri Feb 26 12:40:29 UTC 2016 - [email protected] + +- Removed "Boot permissions - Interpretation of Ctrl + Alt + Del" + combo box "Reboot" entry for s390 architecture. (fate#319711) +- 3.2.1 + +------------------------------------------------------------------- Old: ---- yast2-security-3.2.0.tar.bz2 New: ---- yast2-security-3.2.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.6sAKcQ/_old 2016-03-07 13:26:08.000000000 +0100 +++ /var/tmp/diff_new_pack.6sAKcQ/_new 2016-03-07 13:26:08.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package yast2-security # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: yast2-security -Version: 3.2.0 +Version: 3.2.1 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -86,6 +86,7 @@ %{yast_scrconfdir}/*.scr %{yast_schemadir}/autoyast/rnc/security.rnc %{yast_ydatadir}/security +%{yast_libdir}/security %doc %{yast_docdir} %changelog ++++++ yast2-security-3.2.0.tar.bz2 -> yast2-security-3.2.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/package/yast2-security.changes new/yast2-security-3.2.1/package/yast2-security.changes --- old/yast2-security-3.2.0/package/yast2-security.changes 2015-09-24 17:06:12.000000000 +0200 +++ new/yast2-security-3.2.1/package/yast2-security.changes 2016-03-02 13:26:10.000000000 +0100 @@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Fri Feb 26 12:40:29 UTC 2016 - [email protected] + +- Removed "Boot permissions - Interpretation of Ctrl + Alt + Del" + combo box "Reboot" entry for s390 architecture. (fate#319711) +- 3.2.1 + +------------------------------------------------------------------- Thu Sep 24 14:50:20 UTC 2015 - [email protected] - Bumped version number in order to branch the SLE version due to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/package/yast2-security.spec new/yast2-security-3.2.1/package/yast2-security.spec --- old/yast2-security-3.2.0/package/yast2-security.spec 2015-09-24 17:06:12.000000000 +0200 +++ new/yast2-security-3.2.1/package/yast2-security.spec 2016-03-02 13:26:10.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 3.2.0 +Version: 3.2.1 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -78,4 +78,5 @@ %{yast_scrconfdir}/*.scr %{yast_schemadir}/autoyast/rnc/security.rnc %{yast_ydatadir}/security +%{yast_libdir}/security %doc %{yast_docdir} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/Makefile.am new/yast2-security-3.2.1/src/Makefile.am --- old/yast2-security-3.2.0/src/Makefile.am 2015-09-24 17:06:12.000000000 +0200 +++ new/yast2-security-3.2.1/src/Makefile.am 2016-03-02 13:26:10.000000000 +0100 @@ -19,6 +19,11 @@ include/security/routines.rb \ include/security/helps.rb + +ylibdir = @ylibdir@/security +ylib_DATA = \ + lib/security/ctrl_alt_del_config.rb + schemafilesdir = $(schemadir)/autoyast/rnc schemafiles_DATA = \ autoyast-rnc/security.rnc @@ -38,6 +43,6 @@ desktop_DATA = \ desktop/security.desktop -EXTRA_DIST = $(module_DATA) $(client_DATA) $(ynclude_DATA) $(schemafiles_DATA) $(scrconf_DATA) $(ydata_DATA) $(desktop_DATA) +EXTRA_DIST = $(module_DATA) $(client_DATA) $(ynclude_DATA) $(schemafiles_DATA) $(scrconf_DATA) $(ydata_DATA) $(desktop_DATA) $(ylib_DATA) include $(top_srcdir)/Makefile.am.common diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/include/security/helps.rb new/yast2-security-3.2.1/src/include/security/helps.rb --- old/yast2-security-3.2.0/src/include/security/helps.rb 2015-09-24 17:06:12.000000000 +0200 +++ new/yast2-security-3.2.1/src/include/security/helps.rb 2016-03-02 13:26:10.000000000 +0100 @@ -52,34 +52,13 @@ "<p><b><big>Aborting Saving</big></b><br>\nAbort the save procedure by pressing <b>Abort</b>.</p>" ), # Boot dialog help 1/4 - "boot" => _( - "<p><b><big>Boot Security</big></b></p>\n<p>In this dialog, change various boot settings related to security.</p>" - ) + - # Boot dialog help 2/4 - _( - "<p><b>Interpretation of Ctrl + Alt + Del</b>:\n" + - "Configure what the system should do in response to\n" + - "someone at the console pressing the CTRL + ALT + DEL key\n" + - "combination. Usually the system reboots. Sometimes it is desirable\n" + - "to ignore this event, for example, when the system serves as both\n" + - "workstation and server.</p>" - ) + - # Boot dialog help 3/4 - _( - "<p><b>Shutdown Behaviour of Login Manager</b>:\nSet who is allowed to shut down the machine from KDM.</p>\n" - ) + - # Boot dialog help 4/4 - _( - "<p><b>Hibernate System</b>:\n" + - "Set the conditions for allowing users to hibernate the system. By default, user on active console has such right.\n" + - "Other options are allowing the action to any user or requiring authentication in all cases.</p>\n" - ), + "boot" => boot_dialog_help, # Main dialog help 1/8 "main" => _( - "<P><BIG><B>Configuring Local Security</B></BIG></P>\n" + - "<p>Using predefined defaults, change the local security settings, which include\n" + - " booting, login, password, user creation, and file permissions. The default\n" + - " settings can be modified as needed.\n" + + "<P><BIG><B>Configuring Local Security</B></BIG></P>\n" \ + "<p>Using predefined defaults, change the local security settings, which include\n" \ + " booting, login, password, user creation, and file permissions. The default\n" \ + " settings can be modified as needed.\n" \ "</p>" ) + # Main dialog help 5/8 @@ -98,28 +77,28 @@ _("<p><b>Custom Settings</b>: Create your own configuration.</p>"), # Login dialog help 1/4 "login" => _( - "<p><big><b>Login Security</b></big></p>\n" + - "<p>These login settings\n" + + "<p><big><b>Login Security</b></big></p>\n" \ + "<p>These login settings\n" \ "are mainly stored in the /etc/login.defs file.</p>" ) + # Login dialog help 2/4 _( - "<p><b>Delay after Incorrect Login Attempt:</b>\n" + - "It is advisable to wait some time after an incorrect login attempt to prevent\n" + - "password guessing. Make the time small enough that users do not need to wait to\n" + + "<p><b>Delay after Incorrect Login Attempt:</b>\n" \ + "It is advisable to wait some time after an incorrect login attempt to prevent\n" \ + "password guessing. Make the time small enough that users do not need to wait to\n" \ "retry if a password is mistyped. A sensible value is three seconds (<tt>3</tt>).</p>" ) + # Login dialog help 3/4 _( - "<p><b>Record Successful Login Attempts:</b> Logging successful login\n" + - "attempts is useful. It can warn you of unauthorized access to the\n" + - "system (for example, a user logging in from a different location than usual).\n" + + "<p><b>Record Successful Login Attempts:</b> Logging successful login\n" \ + "attempts is useful. It can warn you of unauthorized access to the\n" \ + "system (for example, a user logging in from a different location than usual).\n" \ "</p>\n" ) + # Login dialog help 4/4 _( - "<p><b>Allow Remote Graphical Login:</b> Checking this allows access\n" + - "to a graphical login screen for this machine over the network. Remote access\n" + + "<p><b>Allow Remote Graphical Login:</b> Checking this allows access\n" \ + "to a graphical login screen for this machine over the network. Remote access\n" \ "to your machine using a display manager might be a security risk.</p>" ), # Password dialog help 1/8 @@ -128,30 +107,30 @@ ) + # Password dialog help 2/8 _( - "<p><b>Check New Passwords</b>: It is wise to choose a password that\n" + - "cannot be found in a dictionary and is not a name or other simple, common word.\n" + + "<p><b>Check New Passwords</b>: It is wise to choose a password that\n" \ + "cannot be found in a dictionary and is not a name or other simple, common word.\n" \ "By checking the box, enforce password checking in regard to these rules.</p>" ) + # Password dialog help _( - "<p><b>Minimum Acceptable Password Length:</b>\n" + - "The minimum acceptable size for the new password reduced by the number\n" + - "of different character classes (other, upper, lower and digit) used in the new\n" + - "password. See man pam_cracklib for a more detailed explanation.\n" + + "<p><b>Minimum Acceptable Password Length:</b>\n" \ + "The minimum acceptable size for the new password reduced by the number\n" \ + "of different character classes (other, upper, lower and digit) used in the new\n" \ + "password. See man pam_cracklib for a more detailed explanation.\n" \ "This option can only be modified when <b>Check New Passwords</b> is set.</p>" ) + # Password dialog help 4/8 _( - "<p><b>Passwords to Remember</b>:\n" + - "Enter the number of user passwords to store and prevent the user from reusing.\n" + + "<p><b>Passwords to Remember</b>:\n" \ + "Enter the number of user passwords to store and prevent the user from reusing.\n" \ "Enter 0 if passwords should not be stored.</p>" ) + # Password dialog help 5a/8 _("<p><b>Password Encryption Method:</b></p>") + # Password dialog help 5b/8 _( - "<p><b>DES</b>, the Linux default method, works in all network environments,\n" + - "but it restricts you to passwords no longer than eight characters. If you need\n" + + "<p><b>DES</b>, the Linux default method, works in all network environments,\n" \ + "but it restricts you to passwords no longer than eight characters. If you need\n" \ "compatibility with other systems, use this method.</p>" ) + # Password dialog help 5c/8 @@ -168,8 +147,8 @@ ) + # Password dialog help 8/8 _( - "<p><b>Days before Password Expires Warning</b>: This entry sets the\n" + - "number of days users are warned before their passwords expire. The longer the\n" + + "<p><b>Days before Password Expires Warning</b>: This entry sets the\n" \ + "number of days users are warned before their passwords expire. The longer the\n" \ "time, the less likely it is that someone can guess passwords.</p>" ), # Adduser dialog help 1/2 @@ -190,49 +169,49 @@ ) + # Misc dialog help 2/14 _( - "<p><b>File Permissions</b>: Settings for the permissions\n" + - "of certain system files are set according to the data in /etc/permissions.secure\n" + - "or /etc/permissions.easy. Which file is used depends on this selection.\n" + - "Launching SuSEconfig sets these permissions according to /etc/permissions.*.\n" + - "This fixes files with incorrect permissions, whether this occurred accidentally\n" + - "or by intruders.</p><p>\n" + - "With <b>Easy</b>, most of the system files that are only readable by root\n" + - "in Secure are modified so other users can also read these files.\n" + - "Using <b>Secure</b>, certain system files, such as /var/log/messages, can only\n" + - "be viewed by the user root. Some programs can only be launched by root or by\n" + - "daemons, not by ordinary users.\n" + - "The most secure setting is <b>Paranoid</B>. With it, you must\n" + + "<p><b>File Permissions</b>: Settings for the permissions\n" \ + "of certain system files are set according to the data in /etc/permissions.secure\n" \ + "or /etc/permissions.easy. Which file is used depends on this selection.\n" \ + "Launching SuSEconfig sets these permissions according to /etc/permissions.*.\n" \ + "This fixes files with incorrect permissions, whether this occurred accidentally\n" \ + "or by intruders.</p><p>\n" \ + "With <b>Easy</b>, most of the system files that are only readable by root\n" \ + "in Secure are modified so other users can also read these files.\n" \ + "Using <b>Secure</b>, certain system files, such as /var/log/messages, can only\n" \ + "be viewed by the user root. Some programs can only be launched by root or by\n" \ + "daemons, not by ordinary users.\n" \ + "The most secure setting is <b>Paranoid</B>. With it, you must\n" \ "decide which users are able to run X applications and setuid programs.</p>\n" ) + # Misc dialog help 6/14 _( - "<p><b>User Launching updatedb</b>: The program updatedb runs \n" + - "once a day. It scans your entire file system and creates a database (locatedb)\n" + - "that stores the location of every file. The database can be searched by the\n" + - "program \"locate\". Here, set the user that runs this command: <b>nobody</b>\n" + + "<p><b>User Launching updatedb</b>: The program updatedb runs \n" \ + "once a day. It scans your entire file system and creates a database (locatedb)\n" \ + "that stores the location of every file. The database can be searched by the\n" \ + "program \"locate\". Here, set the user that runs this command: <b>nobody</b>\n" \ " (few files) or <b>root</b> (all files).</p>" ) + # Misc dialog help 10/14 _( - "<p><b>Current Directory in root's Path</b> On a DOS system,\n" + - "the system first searches for executable files (programs) in the current\n" + - "directory then in the current path variable. In contrast, a UNIX-like system\n" + + "<p><b>Current Directory in root's Path</b> On a DOS system,\n" \ + "the system first searches for executable files (programs) in the current\n" \ + "directory then in the current path variable. In contrast, a UNIX-like system\n" \ "searches for them exclusively via the search path (variable PATH).</p>" ) + # Misc dialog help 11/14 _( - "<p><b>Current Directory in the Path of Regular Users</b><br> A DOS\n" + - "system first searches for executable files (programs) in the current directory\n" + - "then in the current path variable. In contrast, a UNIX-like system searches\n" + + "<p><b>Current Directory in the Path of Regular Users</b><br> A DOS\n" \ + "system first searches for executable files (programs) in the current directory\n" \ + "then in the current path variable. In contrast, a UNIX-like system searches\n" \ "for them exclusively via the search path (variable PATH).</p>" ) + # Misc dialog help 12/14 _( - "<p>Some systems set up a work-around by adding the dot (\".\") to the\n" + - "search path, enabling files in the current path to be found and executed.\n" + - "This is highly dangerous because you may accidentally launch unknown programs in\n" + - "the current directory instead of the usual systemwide files. As a result,\n" + - "executing <i>Trojan Horses</i>, which exploit this weakness and invade your system,\n" + + "<p>Some systems set up a work-around by adding the dot (\".\") to the\n" \ + "search path, enabling files in the current path to be found and executed.\n" \ + "This is highly dangerous because you may accidentally launch unknown programs in\n" \ + "the current directory instead of the usual systemwide files. As a result,\n" \ + "executing <i>Trojan Horses</i>, which exploit this weakness and invade your system,\n" \ "is rather easy if you set this option.</p>" ) + # Misc dialog help 13/14 @@ -245,8 +224,8 @@ ) + # Misc dialog help 14/14 _( - "<p><b>Enable Magic SysRq Keys</b><br> If you check this option, you\n" + - "will have some control over the system even if it crashes (for example, during kernel\n" + + "<p><b>Enable Magic SysRq Keys</b><br> If you check this option, you\n" \ + "will have some control over the system even if it crashes (for example, during kernel\n" \ "debugging). For details, see /usr/src/linux/Documentation/sysrq.txt</p>" ), # help text: security overview dialog 1/ @@ -269,19 +248,19 @@ @help_mapping = { "DISPLAYMANAGER_REMOTE_ACCESS" => _( - "<P>A display manager provides a graphical login screen and can be accessed\n" + - "across the network by an X server running on another system if so\n" + - "configured.</P><P>The windows that are being displayed would then transmit\n" + - "their data across the network. If that network is not fully trusted, then the\n" + - "network traffic can be eavesdropped by an attacker, gaining access not only to\n" + - "the graphical content of the display, but also to usernames and passwords that\n" + - "are being used.</P><P>If you do not need <EM>XDMCP</EM> for remote graphical\n" + + "<P>A display manager provides a graphical login screen and can be accessed\n" \ + "across the network by an X server running on another system if so\n" \ + "configured.</P><P>The windows that are being displayed would then transmit\n" \ + "their data across the network. If that network is not fully trusted, then the\n" \ + "network traffic can be eavesdropped by an attacker, gaining access not only to\n" \ + "the graphical content of the display, but also to usernames and passwords that\n" \ + "are being used.</P><P>If you do not need <EM>XDMCP</EM> for remote graphical\n" \ "logins, then disable this option.</P>" ), "SYSTOHC" => _( - "<P>Upon startup, the system time is being set from the hardware clock of the\n" + - "computer. As a consequence, setting the hardware clock before shutting down is\n" + - "necessary.</P><P>Consistent system time is essential for the system to create\n" + + "<P>Upon startup, the system time is being set from the hardware clock of the\n" \ + "computer. As a consequence, setting the hardware clock before shutting down is\n" \ + "necessary.</P><P>Consistent system time is essential for the system to create\n" \ "correct log messages.</P>" ), "SYSLOG_ON_NO_ERROR" => _( @@ -297,36 +276,36 @@ "<P>Administrators should never log on as <EM>root</EM> into an X Window session to minimize the usage of the root privileges.</P><P>This option does not help against careless administrators, but shall prevent attackers to be able to log on as <EM>root</EM> via the display manager if they guess or otherwise acquire the password.</P>" ), "DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => _( - "<P>X Window clients, e.g. programs that open a window on your display, connect\n" + - "to the X server that runs on the physical machine. Programs can also run on a\n" + - "different system and display their content on the X server through network\n" + - "connections.</P><P>When enabled, the X server listens on a port 6000 plus the\n" + - "display number. Since network traffic is transferred unencrypted and therefore\n" + - "subject to network sniffing, and since the port held open by the X server\n" + - "offers attack options, the secure setting is to disable it.</P><P>To display X\n" + + "<P>X Window clients, e.g. programs that open a window on your display, connect\n" \ + "to the X server that runs on the physical machine. Programs can also run on a\n" \ + "different system and display their content on the X server through network\n" \ + "connections.</P><P>When enabled, the X server listens on a port 6000 plus the\n" \ + "display number. Since network traffic is transferred unencrypted and therefore\n" \ + "subject to network sniffing, and since the port held open by the X server\n" \ + "offers attack options, the secure setting is to disable it.</P><P>To display X\n" \ "Window clients across a network, we recommend the use of secure shell (<EM>ssh</EM>), which allows the X Window clients to connect to the X server through the encrypted ssh connection.</P>" ), "SMTPD_LISTEN_REMOTE" => _( "<P>The email delivery subsystem is always started. However, it does not expose\nitself outside the system by default, since it does not listen on the SMTP network port 25.</P><P>If you do not deliver emails to your system through the SMTP protocol, then disable this option.</P>" ), "DISABLE_RESTART_ON_UPDATE" => _( - "<P>If a package containing a service that is currently running is being\n" + - "updated, the service is restarted after the files in the package have been\n" + - "installed.</P><P>This makes sense in most cases, and it is safe to do,\n" + - "considering that many services either need their binaries or configuration\n" + - "files accessible in the file system. Otherwise these services would continue\n" + - "to run until the services are stopped, e.g. running daemons are\n" + - "killed.</P><P>This setting should only be changed if there is a specific\n" + + "<P>If a package containing a service that is currently running is being\n" \ + "updated, the service is restarted after the files in the package have been\n" \ + "installed.</P><P>This makes sense in most cases, and it is safe to do,\n" \ + "considering that many services either need their binaries or configuration\n" \ + "files accessible in the file system. Otherwise these services would continue\n" \ + "to run until the services are stopped, e.g. running daemons are\n" \ + "killed.</P><P>This setting should only be changed if there is a specific\n" \ "reason to do so.</P>" ), "DISABLE_STOP_ON_REMOVAL" => _( - "<P>If a package containing a service that is currently running is being\n" + - "uninstalled, the service is stopped before the files of the package are\n" + - "removed.</P><P>This makes sense in most cases, and it is safe to do,\n" + - "considering that many services either need their binaries or configuration\n" + - "files accessible in the file system. Otherwise these services would continue\n" + - "to run until they are stopped, e.g. running daemons are\n" + - "killed.</P><P>This setting should only be changed if there is a specific\n" + + "<P>If a package containing a service that is currently running is being\n" \ + "uninstalled, the service is stopped before the files of the package are\n" \ + "removed.</P><P>This makes sense in most cases, and it is safe to do,\n" \ + "considering that many services either need their binaries or configuration\n" \ + "files accessible in the file system. Otherwise these services would continue\n" \ + "to run until they are stopped, e.g. running daemons are\n" \ + "killed.</P><P>This setting should only be changed if there is a specific\n" \ "reason to do so.</P>" ), "net.ipv4.tcp_syncookies" => _( @@ -352,9 +331,53 @@ "EXTRA_SERVICES" => _( "<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>" ) - } + } + end + + def boot_dialog_help + help = _( + "<p><b><big>Boot Security</big></b></p>\n<p>In this dialog, change various boot settings related to security.</p>" + ) + + if ::Security::CtrlAltDelConfig.default == "reboot" + # TRANSLATORS: part of help text - default action (the default is + # reboot) + details = _( + "Usually the system reboots. Sometimes it is desirable\n" \ + "to ignore this event, for example, when the system serves as both\n" \ + "workstation and server." + ) + else + # TRANSLATORS: part of help text - default action (the default is halt) + details = _( + "By default the system halts but sometimes it is desirable\n" \ + "to ignore this event, for example, when the system serves as both\n" \ + "workstation and server." + ) + end + + # Boot dialog help 2/4 + # TRANSLATORS: %s is help text - default action + help += _( + "<p><b>Interpretation of Ctrl + Alt + Del</b>:\n" \ + "Configure what the system should do in response to\n" \ + "someone at the console pressing the CTRL + ALT + DEL key\n" \ + "combination. %s</p>" + ) % details + + # Boot dialog help 3/4 + help += _( + "<p><b>Shutdown Behaviour of Login Manager</b>:\nSet who is allowed to shut down the machine from KDM.</p>\n" + ) + + # Boot dialog help 4/4 + _( + "<p><b>Hibernate System</b>:\n" \ + "Set the conditions for allowing users to hibernate the system. By default, user on active console has such right.\n" \ + "Other options are allowing the action to any user or requiring authentication in all cases.</p>\n" + ) + help # EOF end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/include/security/widgets.rb new/yast2-security-3.2.1/src/include/security/widgets.rb --- old/yast2-security-3.2.0/src/include/security/widgets.rb 2015-09-24 17:06:12.000000000 +0200 +++ new/yast2-security-3.2.1/src/include/security/widgets.rb 2016-03-02 13:26:10.000000000 +0100 @@ -100,15 +100,8 @@ "Label" => _( "&Interpretation of Ctrl + Alt + Del" ), - "Options" => [ - # ComboBox value - ["ignore", _("Ignore")], - # ComboBox value - ["reboot", _("Reboot")], - # ComboBox value - ["halt", _("Halt")] - ], - "Value" => "reboot" + "Options" => console_shutdown_options, + "Value" => ::Security::CtrlAltDelConfig.default }, "DISPLAYMANAGER_REMOTE_ACCESS" => { "Widget" => "CheckBox", @@ -267,9 +260,23 @@ "Label" => _("&Minimum"), "Value" => "100" } - } + } + end + + def boot_option_labels + { + "ignore" => _("Ignore"), + "reboot" => _("Reboot"), + "halt" => _("Halt") + } + end - # EOF + def console_shutdown_options + ::Security::CtrlAltDelConfig.options.map do |opt| + [opt, boot_option_labels[opt]] + end end + + # EOF end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/lib/security/ctrl_alt_del_config.rb new/yast2-security-3.2.1/src/lib/security/ctrl_alt_del_config.rb --- old/yast2-security-3.2.0/src/lib/security/ctrl_alt_del_config.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-security-3.2.1/src/lib/security/ctrl_alt_del_config.rb 2016-03-02 13:26:10.000000000 +0100 @@ -0,0 +1,104 @@ +# encoding: utf-8 + +# ------------------------------------------------------------------------------ +# Copyright (c) 2015 SUSE LLC, All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify it under +# the terms of version 2 of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License along with +# this program; if not, contact SUSE LLC. +# +# To contact SUSE about this file by physical or electronic mail, you may find +# current contact information at www.suse.com. +# ------------------------------------------------------------------------------ +# + +require "yast" + +module Security + module CtrlAltDelConfig + include Yast::Logger + Yast.import "SCR" + Yast.import "Arch" + Yast.import "Package" + Yast.import "FileUtils" + + SYSTEMD_FILE = "/etc/systemd/system/ctrl-alt-del.target" + + class << self + def systemd? + Yast::Package.Installed("systemd") + end + + def inittab? + Yast::FileUtils.Exists("/etc/inittab") + end + + def default + Yast::Arch.s390 ? "halt" : "reboot" + end + + def options + options = ["ignore", "reboot", "halt"] + + options.delete("reboot") if Yast::Arch.s390 + + options + end + + def current + return current_systemd if systemd? + return current_inittab if inittab? + nil + end + + def current_systemd + if !Yast::FileUtils.Exists(SYSTEMD_FILE) + ret = nil + else + link = Yast::SCR.Read(Yast::Path.new(".target.symlink"), SYSTEMD_FILE).to_s + ret = + case link + when "/usr/lib/systemd/system/poweroff.target" + "halt" + when "/usr/lib/systemd/system/reboot.target" + "reboot" + when "/usr/lib/systemd/system/ctrl-alt-del.target" + default + else + log.error "Not known link #{link}" + "ignore" + end + end + ret + end + + def current_inittab + ca = Yast::SCR.Read(Yast::Path.new(".etc.inittab.ca")) + ret = + case ca + when /\/bin\/true/, /\/bin\/false/ + "ignore" + when /reboot/, / -r/ + "reboot" + when /halt/, / -h/ + "halt" + when nil + log.error("No ca entry") + nil + else + log.error "Unknown ca status: #{ca}" + "ignore" + end + ret + end + end + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/modules/Security.rb new/yast2-security-3.2.1/src/modules/Security.rb --- old/yast2-security-3.2.0/src/modules/Security.rb 2015-09-24 17:06:12.000000000 +0200 +++ new/yast2-security-3.2.1/src/modules/Security.rb 2016-03-02 13:26:10.000000000 +0100 @@ -27,11 +27,13 @@ # $Id$ require "yast" require "yaml" +require "security/ctrl_alt_del_config" module Yast class SecurityClass < Module include Yast::Logger + include ::Security::CtrlAltDelConfig def main Yast.import "UI" @@ -71,7 +73,7 @@ # All security settings @Settings = { - "CONSOLE_SHUTDOWN" => "reboot", + "CONSOLE_SHUTDOWN" => ::Security::CtrlAltDelConfig.default, "CRACKLIB_DICT_PATH" => "/usr/lib/cracklib_dict", "DISPLAYMANAGER_REMOTE_ACCESS" => "no", "kernel.sysrq" => "0", @@ -291,46 +293,19 @@ nil end + def inittab_shutdown_configured? + inittab = SCR.Dir(path(".etc.inittab")) + inittab.include?("ca") + end + # Read the information about ctrl+alt+del behavior # See bug 742783 for description def ReadConsoleShutdown - ret = "ignore" + ret = ::Security::CtrlAltDelConfig.current || ::Security::CtrlAltDelConfig.default - if Package.Installed("systemd") - if !FileUtils.Exists(@ctrl_alt_del_file) - ret = "reboot" - else - link = Convert.to_string( - SCR.Read(path(".target.symlink"), @ctrl_alt_del_file) - ) - if link == "/usr/lib/systemd/system/poweroff.target" - ret = "halt" - elsif link == "/usr/lib/systemd/system/reboot.target" || - link == "/usr/lib/systemd/system/ctrl-alt-del.target" - ret = "reboot" - end - end - return ret - end - inittab = SCR.Dir(path(".etc.inittab")) - if Builtins.contains(inittab, "ca") - ca = Convert.to_string(SCR.Read(path(".etc.inittab.ca"))) - if Builtins.issubstring(ca, "/bin/true") || - Builtins.issubstring(ca, "/bin/false") - Ops.set(@Settings, "CONSOLE_SHUTDOWN", "ignore") - elsif Builtins.issubstring(ca, "reboot") || - Builtins.issubstring(ca, " -r") - Ops.set(@Settings, "CONSOLE_SHUTDOWN", "reboot") - elsif Builtins.issubstring(ca, "halt") || - Builtins.issubstring(ca, " -h") - Ops.set(@Settings, "CONSOLE_SHUTDOWN", "halt") - else - Builtins.y2error("Unknown ca status: %1", ca) - Ops.set(@Settings, "CONSOLE_SHUTDOWN", "ignore") - end - else - Ops.set(@Settings, "CONSOLE_SHUTDOWN", "ignore") - end + return ret if ::Security::CtrlAltDelConfig.systemd? + + @Settings["CONSOLE_SHUTDOWN"] = ret if ::Security::CtrlAltDelConfig.inittab? nil end @@ -353,6 +328,8 @@ @Settings[var] = val unless val.nil? end end + + log.debug "Settings (after #{__callee__}): #{@Settings}" end # Read the settings from sysctl.conf @@ -363,6 +340,80 @@ val = default_value if val.nil? || val == "" @Settings[key] = val end + + log.debug "Settings (after #{__callee__}): #{@Settings}" + end + + def read_encryption_method + method = SCR.Read(path(".etc.login_defs.ENCRYPT_METHOD")).to_s.downcase + + method = "des" if !@encryption_methods.include?(method) + + @Settings["PASSWD_ENCRYPTION"] = method + end + + def read_pam_settings + read_encryption_method + + # cracklib and pwhistory settings (default values) + @Settings["PASS_MIN_LEN"] = "5" + @Settings["PASSWD_REMEMBER_HISTORY"] = "0" + @Settings["CRACKLIB_DICT_PATH"] = "/usr/lib/cracklib_dict" + + pam_cracklib = Pam.Query("cracklib") || {} + @Settings["PASSWD_USE_CRACKLIB"] = pam_cracklib.size > 0 ? "yes" : "no" + + pam_cracklib.fetch("password", []).each do |entry| + key,value = entry.split("=") + if value + @Settings["CRACKLIB_DICT_PATH"] = value if key == "dictpath" + @Settings["PASS_MIN_LEN"] = value if key == "minlen" + end + end + + pam_history = Pam.Query("pwhistory") || {} + pam_history.fetch("password", []).each do |entry| + key,value = entry.split("=") + if key == "remember" && value + @Settings["PASSWD_REMEMBER_HISTORY"] = value + end + end + log.debug "Settings (after #{__callee__}): #{@Settings}" + end + + def read_permissions + perm = case @Settings["PERMISSION_SECURITY"].to_s + when /easy/ + "easy" + when /paranoid/ + "paranoid" + else + "secure" + end + + @Settings["PERMISSION_SECURITY"] = perm + + log.debug "PERMISSION SECURITY (after #{__callee__}): " \ + "#{@Settings['PERMISSION_SECURITY']}" + + perm + end + + def read_polkit_settings + action = "org.freedesktop.upower.hibernate" + + hibernate = SCR.Read(Builtins.add(path(".etc.polkit-default-privs_local"), action)).to_s + + @Settings["HIBERNATE_SYSTEM"] = case hibernate + when "auth_admin:auth_admin:auth_admin" + "auth_admin" + when "yes:yes:yes" + "anyone" + else + "active_console" + end + log.debug "HIBERNATE_SYSTEM (after #{__callee__}): " \ + "#{@Settings['HIBERNATE_SYSTEM']}" end # Read all security settings @@ -373,107 +424,27 @@ # Read security settings read_from_locations - Builtins.y2milestone("Settings=%1", @Settings) - - Ops.set(@Settings, "CONSOLE_SHUTDOWN", ReadConsoleShutdown()) - Builtins.y2debug("Settings=%1", @Settings) + @Settings["CONSOLE_SHUTDOWN"] = ReadConsoleShutdown() + log.debug "Settings (after read console shutdown): #{@Settings}" # Read runlevel setting ReadServiceSettings() - # Read pam settings - - method = Convert.to_string( - SCR.Read(path(".etc.login_defs.ENCRYPT_METHOD")) - ) - if method == nil || - !Builtins.contains(@encryption_methods, Builtins.tolower(method)) - method = "des" - end - Ops.set(@Settings, "PASSWD_ENCRYPTION", Builtins.tolower(method)) - - # cracklib and pwhistory settings - Ops.set(@Settings, "PASS_MIN_LEN", "5") - Ops.set(@Settings, "PASSWD_USE_CRACKLIB", "no") - Ops.set(@Settings, "PASSWD_REMEMBER_HISTORY", "0") - - pam_cracklib = Pam.Query("cracklib") - if Ops.greater_than(Builtins.size(pam_cracklib), 0) - Ops.set(@Settings, "PASSWD_USE_CRACKLIB", "yes") - end - # save the default value - Ops.set(@Settings, "CRACKLIB_DICT_PATH", "/usr/lib/cracklib_dict") - Builtins.foreach(Ops.get_list(pam_cracklib, "password", [])) do |val| - lval = Builtins.splitstring(val, "=") - if Builtins.issubstring(val, "dictpath=") - Ops.set( - @Settings, - "CRACKLIB_DICT_PATH", - Ops.get_string(lval, 1, "/usr/lib/cracklib_dict") - ) - end - if Builtins.issubstring(val, "minlen=") && - Ops.get_string(lval, 1, "") != "" - Ops.set(@Settings, "PASS_MIN_LEN", Ops.get_string(lval, 1, "5")) - end - end - - pam_history = Pam.Query("pwhistory") - Builtins.foreach(Ops.get_list(pam_history, "password", [])) do |val| - lval = Builtins.splitstring(val, "=") - if Builtins.issubstring(val, "remember=") && - Ops.get_string(lval, 1, "") != "" - Ops.set( - @Settings, - "PASSWD_REMEMBER_HISTORY", - Ops.get_string(lval, 1, "0") - ) - end - end - - Builtins.y2debug("Settings=%1", @Settings) + read_pam_settings # Local permissions hack + read_permissions - perm = Ops.get(@Settings, "PERMISSION_SECURITY", "") - if Builtins.issubstring(perm, "easy") - perm = "easy" - elsif Builtins.issubstring(perm, "paranoid") - perm = "paranoid" - elsif Builtins.issubstring(perm, "secure") - perm = "secure" - else - perm = "secure" - end - Ops.set(@Settings, "PERMISSION_SECURITY", perm) - Builtins.y2debug("Settings=%1", @Settings) - - # read local polkit settings - action = "org.freedesktop.upower.hibernate" - hibernate = Convert.to_string( - SCR.Read(Builtins.add(path(".etc.polkit-default-privs_local"), action)) - ) - if hibernate != nil - Ops.set(@Settings, "HIBERNATE_SYSTEM", "active_console") - if hibernate == "auth_admin:auth_admin:auth_admin" - Ops.set(@Settings, "HIBERNATE_SYSTEM", "auth_admin") - end - if hibernate == "yes:yes:yes" - Ops.set(@Settings, "HIBERNATE_SYSTEM", "anyone") - end - end - Builtins.y2debug( - "HIBERNATE_SYSTEM: %1", - Ops.get(@Settings, "HIBERNATE_SYSTEM", "") - ) + read_polkit_settings read_kernel_settings - Builtins.y2debug("Settings=%1", @Settings) # remember the read values @Settings_bak = deep_copy(@Settings) + + log.info "Settings after Read: #{@Settings}" true end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/test/security_test.rb new/yast2-security-3.2.1/test/security_test.rb --- old/yast2-security-3.2.0/test/security_test.rb 2015-09-24 17:06:13.000000000 +0200 +++ new/yast2-security-3.2.1/test/security_test.rb 2016-03-02 13:26:10.000000000 +0100 @@ -1,6 +1,7 @@ #!/usr/bin/env rspec -require_relative 'test_helper' +require_relative "test_helper" +require "security/ctrl_alt_del_config" def services_for(names, aliases = {}) names.map do |n| @@ -24,7 +25,9 @@ self.properties = Struct::DummyProperties.new(aliases) end - def enabled?; true; end + def enabled? + true + end end import "Security" @@ -72,7 +75,9 @@ context "with services that are aliases of optional services" do let(:service_names) { %w(apparmor auditd anacron firewalld wicked rsyslog) } - let(:aliases) { {"rsyslog" => "rsyslog.service syslog.service", "anacron" => "anacron cron"} } + let(:aliases) do + { "rsyslog" => "rsyslog.service syslog.service", "anacron" => "anacron cron" } + end it "sets settings for extra services as 'secure'" do expect(Security.Settings["EXTRA_SERVICES"]).to eq("secure") @@ -115,16 +120,16 @@ end it "does not write nil values" do - expect(SCR).to_not receive(:Write). - with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything) + expect(SCR).to_not receive(:Write) + .with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything) Security.Settings["SMTPD_LISTEN_REMOTE"] = nil Security.write_to_locations end it "does not write unchanged values" do - expect(SCR).to_not receive(:Write). - with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything) + expect(SCR).to_not receive(:Write) + .with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything) Security.Settings["SMTPD_LISTEN_REMOTE"] = "no" Security.write_to_locations @@ -134,8 +139,8 @@ Security.Settings["AllowShutdown"] = "Root" Security.write_to_locations - expect(written_value_for(".kde4.kdmrc.AllowShutdown")). - to eq("Root") + expect(written_value_for(".kde4.kdmrc.AllowShutdown")) + .to eq("Root") expect(was_written?(".kde4.kdmrc")).to eq(true) end @@ -185,8 +190,8 @@ Security.Settings["net.ipv4.ip_forward"] = "1" Security.write_kernel_settings - expect(written_value_for(".etc.sysctl_conf.net.ipv4.ip_forward")). - to eq("1") + expect(written_value_for(".etc.sysctl_conf.net.ipv4.ip_forward")) + .to eq("1") expect(was_written?(".etc.sysctl_conf")).to eq(true) end end @@ -207,5 +212,386 @@ end end end + + describe "#ReadConsoleShutdown" do + let(:ctrl_alt_del_file) { "/etc/systemd/system/ctrl-alt-del.target" } + let(:target_link) { "/usr/lib/systemd/system/poweroff.target" } + + context "when systemd is installed" do + + context "on a non s390 architecture" do + before do + allow(Arch).to receive(:s390) { false } + end + + context "when ctrl+alt+del file not exist" do + it "returns 'reboot'" do + allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { false } + + expect(Security.ReadConsoleShutdown).to eql("reboot") + end + end + + context "when ctrl+del+alt file exist" do + before do + allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { true } + end + + it "returns 'ignore' by default" do + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return("dummy_file") + + expect(Security.ReadConsoleShutdown).to eql("ignore") + end + + it "returns 'halt' if links to poweroff.target" do + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return(target_link) + + expect(Security.ReadConsoleShutdown).to eql("halt") + end + + it "returns 'reboot' if links to reboot.target" do + target_link = "/usr/lib/systemd/system/reboot.target" + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return(target_link) + + expect(Security.ReadConsoleShutdown).to eql("reboot") + end + + it "returns 'reboot' if links to ctrl-alt-del.target" do + target_link = "/usr/lib/systemd/system/ctrl-alt-del.target" + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return(target_link) + + expect(Security.ReadConsoleShutdown).to eql("reboot") + end + + end + end + + context "on a s390 architecture" do + before do + allow(Arch).to receive(:s390) { true } + end + + context "when ctrl+alt+del file not exist" do + it "returns 'reboot'" do + allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { false } + + expect(Security.ReadConsoleShutdown).to eql("halt") + end + end + + context "when ctrl+del+alt file exist" do + before do + allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { true } + end + + it "returns 'ignore' by default" do + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return("dummy_file") + + expect(Security.ReadConsoleShutdown).to eql("ignore") + end + + it "returns 'halt' if links to poweroff.target" do + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return(target_link) + + expect(Security.ReadConsoleShutdown).to eql("halt") + end + + it "returns 'reboot' if links to reboot.target" do + target_link = "/usr/lib/systemd/system/reboot.target" + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return(target_link) + + expect(Security.ReadConsoleShutdown).to eql("reboot") + end + + it "returns 'halt' if links to ctrl-alt-del.target" do + target_link = "/usr/lib/systemd/system/ctrl-alt-del.target" + allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file) + .and_return(target_link) + + expect(Security.ReadConsoleShutdown).to eql("halt") + end + + end + end + end + + context "when systemd is not installed but inittab exist" do + before do + allow(Package).to receive(:Installed).with("systemd") { false } + end + + it "always returns nil" do + allow(FileUtils).to receive(:Exists).with("/etc/inittab") + .and_return(false, true) + allow(::Security::CtrlAltDelConfig).to receive(:current) + .and_return("reboot", "halt") + + expect(Security.ReadConsoleShutdown).to eql(nil) + expect(Security.ReadConsoleShutdown).to eql(nil) + end + + context "on a non s390 architecture" do + before do + allow(Arch).to receive(:s390) { false } + allow(::Security::CtrlAltDelConfig).to receive(:inittab?) { true } + end + + context "when no inittab ca entry" do + it "returns 'reboot'" do + allow(FileUtils).to receive(:Exists).with("/etc/inittab") { false } + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("reboot") + end + end + + context "when inittab ca entry exist" do + before do + allow(FileUtils).to receive(:Exists).with("/etc/inittab") { true } + end + + it "sets settings for shutdown as 'ignore' by default" do + allow(SCR).to receive(:Read).with(path(".etc.inittab.ca")) + .and_return("12345:ctrlaltdel:/bin/false") + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("ignore") + end + + it "sets settings for shutdown as 'halt' if contains 'halt' or ' -h'" do + allow(SCR).to receive(:Read).with(path(".etc.inittab.ca")) + .and_return("12345:ctrlaltdel:/sbin/shutdown -h now") + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("halt") + end + + it "sets settings for shutdown as 'reboot' if contains 'reboot' or -r" do + allow(SCR).to receive(:Read).with(path(".etc.inittab.ca")) + .and_return("12345:ctrlaltdel:/sbin/shutdown -r now") + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("reboot") + end + + end + end + + context "on a s390 architecture" do + before do + allow(Arch).to receive(:s390) { true } + allow(::Security::CtrlAltDelConfig).to receive(:inittab?) { true } + end + + context "when no inittab ca entry" do + it "returns 'halt'" do + allow(FileUtils).to receive(:Exists).with("/etc/inittab") { false } + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("halt") + end + end + + context "when inittab ca entry exist" do + before do + allow(FileUtils).to receive(:Exists).with("/etc/inittab") { true } + end + + it "sets settings for shutdown as 'ignore' by default" do + allow(SCR).to receive(:Read).with(path(".etc.inittab.ca")) + .and_return("12345:ctrlaltdel:/bin/echo 'Not implemented'") + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("ignore") + end + + it "sets settings for shutdown as 'halt' if contains 'halt' or ' -h'" do + allow(SCR).to receive(:Read).with(path(".etc.inittab.ca")) + .and_return("12345:/sbin/shutdown -h now") + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("halt") + end + + it "sets settings for shutdown as 'reboot' if contains 'reboot' or -r" do + allow(SCR).to receive(:Read).with(path(".etc.inittab.ca")) + .and_return("12345:ctrlaltdel:/sbin/shutdown -r now") + + Security.ReadConsoleShutdown + expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("reboot") + end + + end + end + end + end + + describe "#read_pam_settings" do + before do + change_scr_root(File.join(DATA_PATH, "system")) + end + + after do + reset_scr_root + end + + it "sets passwd encryption setting based on /etc/login.defs" do + allow(Pam).to receive(:Query) + + expect(Security.Settings["PASSWD_ENCRYPTION"]).to eql("sha512") + Security.read_pam_settings + end + + it "sets cracklib settings" do + allow(Pam).to receive(:Query).with("pwhistory") + allow(Pam).to receive(:Query).with("cracklib") + .and_return("password" => ["dictpath=/shared/cracklib_dict", "minlen="]) + + Security.read_pam_settings + expect(Security.Settings["PASSWD_USE_CRACKLIB"]).to eql("yes") + expect(Security.Settings["CRACKLIB_DICT_PATH"]).to eql("/shared/cracklib_dict") + expect(Security.Settings["PASS_MIN_LEN"]).to eql("5") + end + + it "sets password remember history settings" do + allow(Pam).to receive(:Query).with("cracklib") + allow(Pam).to receive(:Query).with("pwhistory") + .and_return("password" => ["remember=5"]) + + Security.read_pam_settings + expect(Security.Settings["PASSWD_REMEMBER_HISTORY"]).to eql("5") + end + end + + describe "#read_permissions" do + + context "depending on current persission" do + it "sets security permission to 'easy' if contains easy" do + Security.Settings["PERMISSION_SECURITY"] = "it_is_easy_to_test" + + expect(Security.read_permissions).to eql("easy") + expect(Security.Settings["PERMISSION_SECURITY"]).to eql("easy") + end + + it "sets security permission to 'paranoid' if contains paranoid" do + Security.Settings["PERMISSION_SECURITY"] = "paranoid_permission" + + expect(Security.read_permissions).to eql("paranoid") + expect(Security.Settings["PERMISSION_SECURITY"]).to eql("paranoid") + end + + it "sets secure by default" do + Security.Settings["PERMISSION_SECURITY"] = nil + + expect(Security.read_permissions).to eql("secure") + expect(Security.Settings["PERMISSION_SECURITY"]).to eql("secure") + end + end + + end + + describe "#read_polkit_settings" do + let(:polkit) do + path(".etc.polkit-default-privs_local") + "org.freedesktop.upower.hibernate" + end + + context "depending on current polkit config" do + + it "sets correctly hibernate system settings to 'anyone'" do + allow(SCR).to receive(:Read).with(polkit) { "yes:yes:yes" } + + Security.read_polkit_settings + expect(Security.Settings["HIBERNATE_SYSTEM"]).to eql("anyone") + end + + it "sets correctly hibernate settings to 'auth_admin'" do + allow(SCR).to receive(:Read).with(polkit) { "auth_admin:auth_admin:auth_admin" } + + Security.read_polkit_settings + expect(Security.Settings["HIBERNATE_SYSTEM"]).to eql("auth_admin") + end + it "sets correctly hibernate settings to 'active_console' as default" do + allow(SCR).to receive(:Read).with(polkit) { "any_other_entry" } + + Security.read_polkit_settings + expect(Security.Settings["HIBERNATE_SYSTEM"]).to eql("active_console") + end + end + + end + + describe "#read_kernel_settings" do + before do + change_scr_root(File.join(DATA_PATH, "system")) + Security.Settings["kernel.sysrq"] = nil + Security.Settings["net.ipv4.tcp_syncookies"] = nil + Security.Settings["net.ipv4.ip_forward"] = nil + Security.Settings["net.ipv6.conf.all.forwarding"] = nil + + Security.read_kernel_settings + end + + after do + reset_scr_root + end + + it "sets kernel settings based on /etc/sysctl.conf" do + expect(Security.Settings["kernel.sysrq"]).to eql("0") + expect(Security.Settings["net.ipv4.tcp_syncookies"]).to eql("1") + expect(Security.Settings["net.ipv4.ip_forward"]).to eql("0") + expect(Security.Settings["net.ipv6.conf.all.forwarding"]).to eql("0") + end + end + + describe "#read_from_locations" do + before do + change_scr_root(File.join(DATA_PATH, "system")) + allow(SCR).to receive(:Read).with(path(".kde4.kdmrc.AllowShutdown")) + .and_return("All") + Security.read_from_locations + end + + after do + reset_scr_root + end + + it "sets login definitions based on /etc/login.defs" do + expect(Security.Settings["FAIL_DELAY"]).to eql("3") + end + + it "sets kde4 allow shutdown based on kdmrc" do + expect(Security.Settings["AllowShutdown"]).to eql("All") + end + + it "sets different settings based on /etc/sysconfig/*" do + expect(Security.Settings["DISPLAYMANAGER_REMOTE_ACCESS"]).to eql("yes") + expect(Security.Settings["DISPLAYMANAGER_ROOT_LOGIN_REMOTE"]).to eql("yes") + expect(Security.Settings["DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN"]).to eql("no") + expect(Security.Settings["PERMISSION_SECURITY"]).to eql("easy local") + expect(Security.Settings["DISABLE_RESTART_ON_UPDATE"]).to eql("no") + end + + end + + describe "#Read" do + it "reads settings and returns true" do + expect(Security).to receive(:read_from_locations) + expect(Security).to receive(:ReadConsoleShutdown) + expect(Security).to receive(:ReadServiceSettings) + expect(Security).to receive(:read_pam_settings) + expect(Security).to receive(:read_permissions) + expect(Security).to receive(:read_polkit_settings) + + expect(Security.Read).to eql(true) + end + end + end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/testsuite/tests/Read.out new/yast2-security-3.2.1/testsuite/tests/Read.out --- old/yast2-security-3.2.0/testsuite/tests/Read.out 2015-09-24 17:06:13.000000000 +0200 +++ new/yast2-security-3.2.1/testsuite/tests/Read.out 1970-01-01 01:00:00.000000000 +0100 @@ -1,95 +0,0 @@ -Read .etc.login_defs.FAIL_DELAY "l2" -Read .etc.login_defs.GID_MAX "l3" -Read .etc.login_defs.GID_MIN "l4" -Read .etc.login_defs.PASS_MAX_DAYS "l7" -Read .etc.login_defs.PASS_MIN_DAYS "l9" -Read .etc.login_defs.PASS_WARN_AGE "l11" -Read .etc.login_defs.UID_MAX "l12" -Read .etc.login_defs.UID_MIN "l13" -Read .etc.login_defs.SYS_UID_MAX nil -Read .etc.login_defs.SYS_UID_MIN nil -Read .etc.login_defs.SYS_GID_MAX nil -Read .etc.login_defs.SYS_GID_MIN nil -Read .etc.login_defs.USERADD_CMD "l18" -Read .etc.login_defs.USERDEL_PRECMD "l19" -Read .etc.login_defs.USERDEL_POSTCMD "l20" -Read .kde4.kdmrc.AllowShutdown "r3" -Read .target.size "/etc/sysconfig/clock" 1 -Read .sysconfig.clock.SYSTOHC "r12" -Read .target.size "/etc/sysconfig/cron" 1 -Read .sysconfig.cron.SYSLOG_ON_NO_ERROR "r15" -Read .target.size "/etc/sysconfig/displaymanager" 1 -Read .sysconfig.displaymanager.DISPLAYMANAGER_REMOTE_ACCESS "r9" -Read .target.size "/etc/sysconfig/displaymanager" 1 -Read .sysconfig.displaymanager.DISPLAYMANAGER_ROOT_LOGIN_REMOTE "r16" -Read .target.size "/etc/sysconfig/displaymanager" 1 -Read .sysconfig.displaymanager.DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN "r17" -Read .target.size "/etc/sysconfig/locate" 1 -Read .sysconfig.locate.RUN_UPDATEDB_AS "r7" -Read .target.size "/etc/sysconfig/mail" 1 -Read .sysconfig.mail.SMTPD_LISTEN_REMOTE "r18" -Read .target.size "/etc/sysconfig/security" 1 -Read .sysconfig.security.PERMISSION_SECURITY "paranoid" -Read .target.size "/etc/sysconfig/services" 1 -Read .sysconfig.services.DISABLE_RESTART_ON_UPDATE nil -Read .target.size "/etc/sysconfig/services" 1 -Read .sysconfig.services.DISABLE_STOP_ON_REMOVAL nil -Read .target.symlink "/etc/systemd/system/ctrl-alt-del.target" nil -Read .etc.login_defs.ENCRYPT_METHOD "garbage" -Execute .target.bash_output "/usr/sbin/pam-config -q --cracklib" $["exit":0, "stderr":"", "stdout":""] -Execute .target.bash_output "/usr/sbin/pam-config -q --pwhistory" $["exit":0, "stderr":"", "stdout":""] -Read .etc.polkit-default-privs_local."org.freedesktop.upower.hibernate" "r12" -Read .etc.sysctl_conf."kernel.sysrq" "r8" -Read .etc.sysctl_conf."net.ipv4.ip_forward" "r10" -Read .etc.sysctl_conf."net.ipv4.tcp_syncookies" "r9" -Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "r11" -Return true -Dump des -Read .etc.login_defs.FAIL_DELAY nil -Read .etc.login_defs.GID_MAX "l3" -Read .etc.login_defs.GID_MIN "l4" -Read .etc.login_defs.PASS_MAX_DAYS "l7" -Read .etc.login_defs.PASS_MIN_DAYS "l9" -Read .etc.login_defs.PASS_WARN_AGE "l11" -Read .etc.login_defs.UID_MAX "l12" -Read .etc.login_defs.UID_MIN "l13" -Read .etc.login_defs.SYS_UID_MAX nil -Read .etc.login_defs.SYS_UID_MIN nil -Read .etc.login_defs.SYS_GID_MAX nil -Read .etc.login_defs.SYS_GID_MIN nil -Read .etc.login_defs.USERADD_CMD "l18" -Read .etc.login_defs.USERDEL_PRECMD "l19" -Read .etc.login_defs.USERDEL_POSTCMD "l20" -Read .kde4.kdmrc.AllowShutdown "r3" -Read .target.size "/etc/sysconfig/clock" 1 -Read .sysconfig.clock.SYSTOHC "r12" -Read .target.size "/etc/sysconfig/cron" 1 -Read .sysconfig.cron.SYSLOG_ON_NO_ERROR "r15" -Read .target.size "/etc/sysconfig/displaymanager" 1 -Read .sysconfig.displaymanager.DISPLAYMANAGER_REMOTE_ACCESS "r9" -Read .target.size "/etc/sysconfig/displaymanager" 1 -Read .sysconfig.displaymanager.DISPLAYMANAGER_ROOT_LOGIN_REMOTE "r16" -Read .target.size "/etc/sysconfig/displaymanager" 1 -Read .sysconfig.displaymanager.DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN "r17" -Read .target.size "/etc/sysconfig/locate" 1 -Read .sysconfig.locate.RUN_UPDATEDB_AS "r7" -Read .target.size "/etc/sysconfig/mail" 1 -Read .sysconfig.mail.SMTPD_LISTEN_REMOTE "r18" -Read .target.size "/etc/sysconfig/security" 1 -Read .sysconfig.security.PERMISSION_SECURITY "paranoid" -Read .target.size "/etc/sysconfig/services" 1 -Read .sysconfig.services.DISABLE_RESTART_ON_UPDATE nil -Read .target.size "/etc/sysconfig/services" 1 -Read .sysconfig.services.DISABLE_STOP_ON_REMOVAL nil -Read .target.symlink "/etc/systemd/system/ctrl-alt-del.target" nil -Read .etc.login_defs.ENCRYPT_METHOD "SHA512" -Execute .target.bash_output "/usr/sbin/pam-config -q --cracklib" $["exit":0, "stderr":"", "stdout":""] -Execute .target.bash_output "/usr/sbin/pam-config -q --pwhistory" $["exit":0, "stderr":"", "stdout":""] -Read .etc.polkit-default-privs_local."org.freedesktop.upower.hibernate" "r12" -Read .etc.sysctl_conf."kernel.sysrq" "r8" -Read .etc.sysctl_conf."net.ipv4.ip_forward" "r10" -Read .etc.sysctl_conf."net.ipv4.tcp_syncookies" "r9" -Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "r11" -Return true -Dump none -Dump sha512 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/testsuite/tests/Read.rb new/yast2-security-3.2.1/testsuite/tests/Read.rb --- old/yast2-security-3.2.0/testsuite/tests/Read.rb 2015-09-24 17:06:13.000000000 +0200 +++ new/yast2-security-3.2.1/testsuite/tests/Read.rb 1970-01-01 01:00:00.000000000 +0100 @@ -1,122 +0,0 @@ -# encoding: utf-8 - -# YaST2: Modules testsuite -# -# Description: -# Testsuite for the security module -# -# Authors: -# Michal Svec <[email protected]> -# -# $Id$ -# -# testedfiles: Security.ycp PamSettings.ycp Pam.ycp -module Yast - class ReadClient < Client - def main - Yast.import "Testsuite" - Yast.import "Security" - - @scr_info = { - "sysconfig" => { - "security" => { - "PERMISSION_SECURITY" => "paranoid", - "DISABLE_RESTART_ON_UPDATE" => "r13", - "DISABLE_STOP_ON_REMOVAL" => "r14" - }, - "suseconfig" => { - "CWD_IN_ROOT_PATH" => "r2", - "CWD_IN_USER_PATH" => "r3" - }, - "displaymanager" => { - "DISPLAYMANAGER_REMOTE_ACCESS" => "r9", - "DISPLAYMANAGER_ROOT_LOGIN_REMOTE" => "r16", - "DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => "r17" - }, - "locate" => { "RUN_UPDATEDB_AS" => "r7" }, - "clock" => { "SYSTOHC" => "r12" }, - "cron" => { "SYSLOG_ON_NO_ERROR" => "r15" }, - "mail" => { "SMTPD_LISTEN_REMOTE" => "r18" } - }, - "kde4" => { - "kdmrc" => { "AllowShutdown" => "r3" } - }, - "etc" => { - "login_defs" => { - "FAIL_DELAY" => "l2", - "GID_MAX" => "l3", - "GID_MIN" => "l4", - "PASS_MAX_DAYS" => "l7", - "PASS_MIN_DAYS" => "l9", - "PASS_MIN_LEN" => "l10", - "PASS_WARN_AGE" => "l11", - "UID_MAX" => "l12", - "UID_MIN" => "l13", - "SYSTEM_UID_MAX" => "l14", - "SYSTEM_UID_MIN" => "l15", - "SYSTEM_GID_MAX" => "l16", - "SYSTEM_GID_MIN" => "l17", - "USERADD_CMD" => "l18", - "USERDEL_PRECMD" => "l19", - "USERDEL_POSTCMD" => "l20", - "ENCRYPT_METHOD" => "garbage" - }, - "inittab" => { - "ca" => ":ctrlaltdel:/sbin/shutdown -r -t 4 now" - }, - "sysctl_conf" => { - "kernel.sysrq" => "r8", - "net.ipv4.tcp_syncookies" => "r9", - "net.ipv4.ip_forward" => "r10", - "net.ipv6.conf.all.forwarding" => "r11" - }, - "polkit-default-privs_local" => { - "org.freedesktop.upower.hibernate" => "r12" - } - }, - "target" => { - "size" => 1, - # FileUtils::Exists (ctrl_alt_del_file) returns true, so symlink is called - "stat" => { - 1 => 2 - } - }, - "pam" => { - "passwd" => { - "password" => { - "pam_unix" => [ - { "arguments" => "nullok use_first_pass use_authtok" } - ] - } - } - } - } - - @E = { - "target" => { - "bash_output" => { - 'exit'=>0, - 'stdout' => '', - 'stderr' => '' - } - } - } - - Testsuite.Test(lambda { Security.Read }, [@scr_info, {}, @E], nil) - # read garbage, changed to des - Testsuite.Dump(Ops.get(Security.Settings, "PASSWD_ENCRYPTION")) - - Ops.set(@scr_info, ["etc", "login_defs", "ENCRYPT_METHOD"], "SHA512") - # reads nil -> not in the Settings - Ops.set(@scr_info, ["etc", "login_defs", "FAIL_DELAY"], nil) - Testsuite.Test(lambda { Security.Read }, [@scr_info, {}, @E], nil) - - Testsuite.Dump(Ops.get(Security.Settings, "FAIL_DELAY", "none")) - Testsuite.Dump(Ops.get(Security.Settings, "PASSWD_ENCRYPTION")) - - nil - end - end -end - -Yast::ReadClient.new.main
