Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2019-12-14 12:04:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new.4691 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security"
Sat Dec 14 12:04:05 2019 rev:88 rq:756086 version:4.2.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2019-10-21 12:27:05.863872074 +0200
+++ /work/SRC/openSUSE:Factory/.yast2-security.new.4691/yast2-security.changes 2019-12-14 12:04:34.907391496 +0100
@@ -1,0 +2,24 @@
+Thu Dec 12 12:01:35 CET 2019 - [email protected]
+
+- Added to rnc file: sys_gid_max, sys_gid_min, sys_uid_max,
+ sys_uid_min, hibernate_system, kernel.sysrq, mandatory_services,
+ net.ipv4.ip_forward, net.ipv4.tcp_syncookies,
+ net.ipv6.conf.all.forwarding (bsc#1158301).
+- 4.2.8
+
+-------------------------------------------------------------------
+Mon Nov 25 11:27:11 UTC 2019 - Imobach Gonzalez Sosa <[email protected]>
+
+- bsc#1155735, bsc#1157541:
+ - Read /usr/etc/login.defs.
+ - Write login.defs configuration to /etc/login.defs.d/.
+- 4.2.7
+
+-------------------------------------------------------------------
+Fri Nov 22 12:21:59 UTC 2019 - Imobach Gonzalez Sosa <[email protected]>
+
+- Change default encryption method from DES to SHA512 (bsc#1157541,
+ CVE-2019-3700).
+- 4.2.6
+
+-------------------------------------------------------------------
Old:
----
yast2-security-4.2.5.tar.bz2
New:
----
yast2-security-4.2.8.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-security.spec ++++++
--- /var/tmp/diff_new_pack.P7mHVv/_old 2019-12-14 12:04:35.475391397 +0100
+++ /var/tmp/diff_new_pack.P7mHVv/_new 2019-12-14 12:04:35.479391397 +0100
@@ -17,7 +17,7 @@
 Name: yast2-security
-Version: 4.2.5
+Version: 4.2.8
 Release: 0
 Summary: YaST2 - Security Configuration
 License: GPL-2.0-only
@@ -34,8 +34,8 @@
 BuildRequires: yast2-pam
 BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec)
 BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5
-# Yast2::CFA::Sysctl
-BuildRequires: yast2 >= 4.2.25
+# CFA::LoginDefsConfig
+BuildRequires: yast2 >= 4.2.39
 # Unfortunately we cannot move this to macros.yast,
 # bcond within macros are ignored by osc/OBS.
 %bcond_with yast_run_ci_tests
@@ -45,8 +45,8 @@
 # new Pam.ycp API
 Requires: yast2-pam >= 2.14.0
-# CFA::Sysctl
-Requires: yast2 >= 4.2.25
+# CFA::LoginDefsConfig
+Requires: yast2 >= 4.2.39
 Requires: yast2-ruby-bindings >= 1.0.0
 Provides: y2c_sec
++++++ yast2-security-4.2.5.tar.bz2 -> yast2-security-4.2.8.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/.travis.yml new/yast2-security-4.2.8/.travis.yml
--- old/yast2-security-4.2.5/.travis.yml 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/.travis.yml 2019-12-12 15:23:51.000000000 +0100
@@ -9,3 +9,4 @@
 # the "yast-travis-ruby" script is included in the base yastdevel/ruby image
 # see https://github.com/yast/docker-yast-ruby/blob/master/yast-travis-ruby
 - docker run -it -e TRAVIS_JOB_ID="$TRAVIS_JOB_ID" yast-security-image yast-travis-ruby
+ - docker run -it -e TRAVIS_JOB_ID="$TRAVIS_JOB_ID" yast-security-image rake check:doc
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/package/yast2-security.changes new/yast2-security-4.2.8/package/yast2-security.changes
--- old/yast2-security-4.2.5/package/yast2-security.changes 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/package/yast2-security.changes 2019-12-12 15:23:51.000000000 +0100
@@ -1,4 +1,28 @@
 -------------------------------------------------------------------
+Thu Dec 12 12:01:35 CET 2019 - [email protected]
+
+- Added to rnc file: sys_gid_max, sys_gid_min, sys_uid_max,
+ sys_uid_min, hibernate_system, kernel.sysrq, mandatory_services,
+ net.ipv4.ip_forward, net.ipv4.tcp_syncookies,
+ net.ipv6.conf.all.forwarding (bsc#1158301).
+- 4.2.8
+
+-------------------------------------------------------------------
+Mon Nov 25 11:27:11 UTC 2019 - Imobach Gonzalez Sosa <[email protected]>
+
+- bsc#1155735, bsc#1157541:
+ - Read /usr/etc/login.defs.
+ - Write login.defs configuration to /etc/login.defs.d/.
+- 4.2.7
+
+-------------------------------------------------------------------
+Fri Nov 22 12:21:59 UTC 2019 - Imobach Gonzalez Sosa <[email protected]>
+
+- Change default encryption method from DES to SHA512 (bsc#1157541,
+ CVE-2019-3700).
+- 4.2.6
+
+-------------------------------------------------------------------
 Fri Oct 18 13:06:46 CEST 2019 - [email protected]
 - Added extra_services to security.rnc file (bsc#1153623).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/package/yast2-security.spec new/yast2-security-4.2.8/package/yast2-security.spec
--- old/yast2-security-4.2.5/package/yast2-security.spec 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/package/yast2-security.spec 2019-12-12 15:23:51.000000000 +0100
@@ -17,7 +17,7 @@
 Name: yast2-security
-Version: 4.2.5
+Version: 4.2.8
 Release: 0
 Group: System/YaST
 License: GPL-2.0-only
@@ -34,8 +34,8 @@
 BuildRequires: yast2-devtools >= 4.2.2
 BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5
 BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec)
-# Yast2::CFA::Sysctl
-BuildRequires: yast2 >= 4.2.25
+# CFA::LoginDefsConfig
+BuildRequires: yast2 >= 4.2.39
 # Unfortunately we cannot move this to macros.yast,
 # bcond within macros are ignored by osc/OBS.
 %bcond_with yast_run_ci_tests
@@ -45,8 +45,8 @@
 # new Pam.ycp API
 Requires: yast2-pam >= 2.14.0
-# CFA::Sysctl
-Requires: yast2 >= 4.2.25
+# CFA::LoginDefsConfig
+Requires: yast2 >= 4.2.39
 Requires: yast2-ruby-bindings >= 1.0.0
 Provides: y2c_sec yast2-config-security
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/src/autoyast-rnc/security.rnc new/yast2-security-4.2.8/src/autoyast-rnc/security.rnc
--- old/yast2-security-4.2.5/src/autoyast-rnc/security.rnc 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/src/autoyast-rnc/security.rnc 2019-12-12 15:23:51.000000000 +0100
@@ -45,12 +45,22 @@
 system_gid_min = element system_gid_min { text }
 system_uid_max = element system_uid_max { text }
 system_uid_min = element system_uid_min { text }
+sys_gid_max = element sys_gid_max { text }
+sys_gid_min = element sys_gid_min { text }
+sys_uid_max = element sys_uid_max { text }
+sys_uid_min = element sys_uid_min { text }
 systohc = element systohc { text }
 uid_max = element uid_max { text }
 uid_min = element uid_min { text }
 useradd_cmd = element useradd_cmd { text }
 userdel_postcmd = element userdel_postcmd { text }
 userdel_precmd = element userdel_precmd { text }
+hibernate_system = element hibernate_system { text }
+kernel.sysrq = element kernel.sysrq { text }
+mandatory_services = element mandatory_services { text }
+net.ipv4.ip_forward = element net.ipv4.ip_forward { text }
+net.ipv4.tcp_syncookies = element net.ipv4.tcp_syncookies { text }
+net.ipv6.conf.all.forwarding = element net.ipv6.conf.all.forwarding { text }
 y2_security = console_shutdown
 | cracklib_dict_path
@@ -91,12 +101,22 @@
 | system_gid_min
 | system_uid_max
 | system_uid_min
+ | sys_gid_max
+ | sys_gid_min
+ | sys_uid_max
+ | sys_uid_min
 | systohc
 | uid_max
 | uid_min
 | useradd_cmd
 | userdel_postcmd
 | userdel_precmd
+ | hibernate_system
+ | kernel.sysrq
+ | mandatory_services
+ | net.ipv4.ip_forward
+ | net.ipv4.tcp_syncookies
+ | net.ipv6.conf.all.forwarding
 | group_encryption
 | sec_ip_forward
 | displaymanager_shutdown
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/src/clients/security.rb new/yast2-security-4.2.8/src/clients/security.rb
--- old/yast2-security-4.2.5/src/clients/security.rb 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/src/clients/security.rb 2019-12-12 15:23:51.000000000 +0100
@@ -210,7 +210,7 @@
 Ops.set(
 Security.Settings,
 "PASSWD_ENCRYPTION",
- Ops.get_string(options, "passwd", "des")
+ Ops.get_string(options, "passwd", Security.default_encrypt_method)
 )
 Security.modified = true
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/src/clients/security_auto.rb new/yast2-security-4.2.8/src/clients/security_auto.rb
--- old/yast2-security-4.2.5/src/clients/security_auto.rb 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/src/clients/security_auto.rb 2019-12-12 15:23:51.000000000 +0100
@@ -85,7 +85,7 @@
 Ops.set(
 @param,
 "passwd_encryption",
- Ops.get_string(@param, "encryption", "des")
+ Ops.get_string(@param, "encryption", Security.default_encrypt_method)
 )
 end
 @ret = Security.Import(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/src/include/security/routines.rb new/yast2-security-4.2.8/src/include/security/routines.rb
--- old/yast2-security-4.2.5/src/include/security/routines.rb 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/src/include/security/routines.rb 2019-12-12 15:23:51.000000000 +0100
@@ -59,7 +59,7 @@
 end
 # Return a widget from the WIDGETS map created acording to the ID.
- # @param [String] ID security setting identifier
+ # @param [String] _ID security setting identifier
 # @return created widget
 # @see <a href="widgets.html">widgets.ycp</a>
 def settings2widget(_ID)
@@ -153,7 +153,7 @@
 end
 # Query the widget with `id(ID) for its `Value
- # @param [String] ID security setting identifier
+ # @param [String] _ID security setting identifier
 def widget2settings(_ID)
 ret = UI.QueryWidget(Id(_ID), :Value)
 new = ""
@@ -189,8 +189,8 @@
 # Frame with spacings
 # @param [Float] f1 horizontal spacing
 # @param [Float] f2 vertical spacing
- # @param [String] S frame label
- # @param [Yast::Term] T frame contents
+ # @param [String] _S frame label
+ # @param [Yast::Term] _T frame contents
 # @return frame with contents
 def XFrame(f1, f2, _S, _T)
 f1 = deep_copy(f1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/src/modules/Security.rb new/yast2-security-4.2.8/src/modules/Security.rb
--- old/yast2-security-4.2.5/src/modules/Security.rb 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/src/modules/Security.rb 2019-12-12 15:23:51.000000000 +0100
@@ -28,12 +28,15 @@
 require "yast"
 require "yast2/systemd/service"
 require "cfa/sysctl"
+require "cfa/shadow_config"
 require "yaml"
 require "security/ctrl_alt_del_config"
 require "security/display_manager"
 module Yast
 class SecurityClass < Module
+ DEFAULT_ENCRYPT_METHOD = "sha512".freeze
+ private_constant :DEFAULT_ENCRYPT_METHOD
 include Yast::Logger
 include ::Security::CtrlAltDelConfig
@@ -43,6 +46,25 @@
 "no" => "0"
 }
+ SHADOW_ATTRS = [
+ "FAIL_DELAY",
+ "GID_MAX",
+ "GID_MIN",
+ "PASS_MAX_DAYS",
+ "PASS_MIN_DAYS",
+ "PASS_WARN_AGE",
+ "UID_MAX",
+ "UID_MIN",
+ "SYS_UID_MAX",
+ "SYS_UID_MIN",
+ "SYS_GID_MAX",
+ "SYS_GID_MIN",
+ "USERADD_CMD",
+ "USERDEL_PRECMD",
+ "USERDEL_POSTCMD"
+ ].freeze
+
+
 attr_reader :display_manager
 def main
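Review bot: `SHADOW_ATTRS` in the `@@ -43,6 +46,25 @@` hunk carries no comment, although the list does double duty: each entry is a `@Settings` key and, downcased, the accessor name sent to the `CFA::ShadowConfig` object in `read_shadow_config` and `write_shadow_config`. A note on the deliberate omission of `ENCRYPT_METHOD` would also stop the next reader from "completing" the list, since that key is handled separately with a changed-value guard. Suggested comment above the constant: `# login.defs keys mirrored in @Settings; each name, downcased, is also the CFA::ShadowConfig accessor used to read and write it. ENCRYPT_METHOD is handled separately and deliberately not listed.` `DEFAULT_ENCRYPT_METHOD` could likewise say that it replaces the former `"des"` fallback, which the changelog ties to CVE-2019-3700.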
@@ -151,23 +173,6 @@
 # Security settings locations
 @Locations = {
- ".etc.login_defs" => [
- "FAIL_DELAY",
- "GID_MAX",
- "GID_MIN",
- "PASS_MAX_DAYS",
- "PASS_MIN_DAYS",
- "PASS_WARN_AGE",
- "UID_MAX",
- "UID_MIN",
- "SYS_UID_MAX",
- "SYS_UID_MIN",
- "SYS_GID_MAX",
- "SYS_GID_MIN",
- "USERADD_CMD",
- "USERDEL_PRECMD",
- "USERDEL_POSTCMD"
- ],
 ".sysconfig.security" => ["PERMISSION_SECURITY"],
 ".sysconfig.services" => [
 "DISABLE_RESTART_ON_UPDATE",
@@ -252,6 +257,8 @@
 "net.ipv4.ip_forward" => "/etc/init.d/boot.ipconfig start",
 "net.ipv6.conf.all.forwarding" => "/etc/init.d/boot.ipconfig start"
 }
+
+ @shadow_config = nil
 end
 # List of missing mandatory services
@@ -342,6 +349,17 @@
 log.debug "Settings (after #{__callee__}): #{@Settings}"
 end
+ # Reads login.defs configuration
+ def read_shadow_config
+ SHADOW_ATTRS.each do |attr|
+ value = shadow_config.public_send(attr.downcase)
+ next if value.nil?
+
+ @Settings[attr] = shadow_config.public_send(attr.downcase)
+ end
+ log.debug "Settings (after #{__callee__}): #{@Settings}"
+ end
+
 # Read the settings from sysctl.conf
 def read_kernel_settings
 # NOTE: the call to #sort is only needed to satisfy the old testsuite
@@ -355,9 +373,9 @@
 end
 def read_encryption_method
- method = SCR.Read(path(".etc.login_defs.ENCRYPT_METHOD")).to_s.downcase
+ method = shadow_config.encrypt_method.to_s.downcase
- method = "des" if !@encryption_methods.include?(method)
+ method = "sha512" if !@encryption_methods.include?(method)
 @Settings["PASSWD_ENCRYPTION"] = method
 end
@@ -431,6 +449,7 @@
 # Read security settings
 read_from_locations
+ read_shadow_config
 ReadConsoleShutdown()
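Review bot: In `read_shadow_config` (the `@@ -342,6 +349,17 @@` hunk) the accessor is sent twice per attribute: `value` is fetched for the nil check and then `shadow_config.public_send(attr.downcase)` is evaluated a second time for the assignment, so the assignment line should simply be `@Settings[attr] = value`. The one-line doc comment could also spell out what the skip means for callers, e.g. `# Copy the SHADOW_ATTRS values from login.defs into @Settings; keys that login.defs leaves unset are skipped so the existing @Settings entry is kept`.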
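Review bot: The fallback in `read_encryption_method` (the `@@ -355,9 +373,9 @@` hunk) hard-codes `"sha512"` while the same commit introduces `DEFAULT_ENCRYPT_METHOD` and `default_encrypt_method` for exactly this value, so the two can drift apart the next time the default changes. `method = default_encrypt_method unless @encryption_methods.include?(method)` keeps one source of truth and replaces the `if !` form. This fallback also silently maps an unrecognised `ENCRYPT_METHOD` from login.defs to the default, so a `log.warn` naming the rejected value before the substitution would make that visible when the settings that were read are reviewed.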
@@ -515,14 +534,18 @@
 end
 end
+ # Write login.defs configuration
+ def write_shadow_config
+ SHADOW_ATTRS.each do |attr|
+ shadow_config.public_send("#{attr.to_s.downcase}=", @Settings[attr])
+ end
+ encr = @Settings.fetch("PASSWD_ENCRYPTION", default_encrypt_method)
+ shadow_config.encrypt_method = encr if encr != @Settings_bak["PASSWD_ENCRYPTION"]
+ shadow_config.save
+ end
+
 # Write settings related to PAM behavior
 def write_pam_settings
- # pam stuff
- encr = @Settings.fetch("PASSWD_ENCRYPTION", "sha512")
- if encr != @Settings_bak["PASSWD_ENCRYPTION"]
- SCR.Write(path(".etc.login_defs.ENCRYPT_METHOD"), encr)
- end
-
 # use cracklib?
 if @Settings["PASSWD_USE_CRACKLIB"] == "yes"
 Pam.Add("cracklib")
@@ -670,6 +693,7 @@
 @Settings["PERMISSION_SECURITY"] << " local"
 end
 write_to_locations
+ write_shadow_config
 # Write inittab settings
 return false if Abort()
@@ -765,6 +789,13 @@
 []
 end
+ # Expose the default encryption method to other parts of the module
+ #
+ # @return [String]
+ def default_encrypt_method
+ DEFAULT_ENCRYPT_METHOD
+ end
+
 publish :variable => :mandatory_services, :type => "const list <list <string>>"
 publish :variable => :optional_services, :type => "const list <string>"
 publish :function => :MissingMandatoryServices, :type => "list <list <string>> ()"
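Review bot: `write_shadow_config` (the `@@ -515,14 +534,18 @@` hunk) assigns every `SHADOW_ATTRS` entry unconditionally, so a key that `read_shadow_config` skipped because login.defs does not set it reaches the setter as `nil` unless something else populated `@Settings[attr]`; whether `CFA::ShadowConfig` treats a nil assignment as "unset" or writes an empty value is not visible here. Adding `next if @Settings[attr].nil?` before the `public_send` line, or writing only entries that differ from `@Settings_bak` as is already done for `encrypt_method`, avoids emitting keys the user never configured into /etc/login.defs.d/. The `attr.to_s` in the setter name is redundant since every `SHADOW_ATTRS` entry is a string. The doc comment could be expanded to say that the method persists `SHADOW_ATTRS` from `@Settings`, updates `ENCRYPT_METHOD` only when `PASSWD_ENCRYPTION` changed, and then saves.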
@@ -850,10 +881,14 @@
 end
 # @param key [String] Key to set the value for
- # @return value [String] Value to assign to the given key
+ # @param value [String] Value to assign to the given key
 def write_sysctl_value(key, value)
 sysctl_file.public_send(SYSCTL_KEY_TO_METH[key].to_s + "=", value)
 end
+
+ def shadow_config
+ @shadow_config ||= CFA::ShadowConfig.load
+ end
 end
 # Checks if the service is allowed (i.e. not considered 'extra')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/test/levels_test.rb new/yast2-security-4.2.8/test/levels_test.rb
--- old/yast2-security-4.2.5/test/levels_test.rb 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/test/levels_test.rb 2019-12-12 15:23:51.000000000 +0100
@@ -1,6 +1,7 @@
 #!/usr/bin/env rspec
 require_relative 'test_helper'
+require "cfa/shadow_config"
 module Yast
 class LevelsTester < Client
@@ -22,6 +23,13 @@
 let(:tester) { LevelsTester.new }
 subject(:settings) { tester.Levels }
+ let(:shadow_config) { CFA::ShadowConfig.new }
+
+ before do
+ allow(CFA::ShadowConfig).to receive(:load).and_return(shadow_config)
+ allow(shadow_config).to receive(:save)
+ end
+
 it "reads the settings from the yaml files" do
 expect(settings["Level1"]["FAIL_DELAY"]).to eq "6"
 expect(settings["Level2"]["FAIL_DELAY"]).to eq "6"
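Review bot: The new `shadow_config` method in the `@@ -850,10 +881,14 @@` hunk has no documentation, unlike its neighbour `write_sysctl_value`, and it is the only place the login.defs configuration is loaded, so its memoisation contract matters to `read_shadow_config` and `write_shadow_config`. Suggested comment: `# login.defs configuration, loaded on first access and memoised; @shadow_config is reset to nil so each run starts from a fresh load` followed by `# @return [CFA::ShadowConfig]`. The reset is visible in the `@@ -252,6 +257,8 @@` hunk, which looks like the end of `main` but should be confirmed since that method's header is outside the hunk. The visibility section this method lands in is also outside the hunk; if it is `private` the tests still work because they stub `CFA::ShadowConfig.load` rather than call it.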
@@ -55,10 +63,10 @@
 expect(SCR).to exec_bash("ln -s -f /dev/null /etc/systemd/system/ctrl-alt-del.target")
 expect(SCR).to exec_bash("echo 0 > /proc/sys/kernel/sysrq")
 expect(SCR).to exec_bash("/usr/bin/chkstat --system")
+ expect(shadow_config).to receive(:fail_delay=).with("6")
 tester.apply_level2
- expect(written_value_for(".etc.login_defs.FAIL_DELAY")).to eq "6"
 expect(written_value_for(".sysconfig.locate.RUN_UPDATEDB_AS")).to eq "nobody"
 end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.5/test/security_test.rb new/yast2-security-4.2.8/test/security_test.rb
--- old/yast2-security-4.2.5/test/security_test.rb 2019-10-18 13:15:52.000000000 +0200
+++ new/yast2-security-4.2.8/test/security_test.rb 2019-12-12 15:23:51.000000000 +0100
@@ -37,10 +37,13 @@
 describe Security do
 let(:sysctl_file) { CFA::Sysctl.new }
+ let(:shadow_config) { CFA::ShadowConfig.new }
 before do
 allow(CFA::Sysctl).to receive(:new).and_return(sysctl_file)
 allow(sysctl_file).to receive(:save)
+ allow(CFA::ShadowConfig).to receive(:load).and_return(shadow_config)
+ allow(shadow_config).to receive(:save)
 Security.main
 end
@@ -106,6 +109,7 @@
 describe "#Write" do
 it "writes and applies all the settings" do
 expect(Security).to receive(:write_to_locations)
+ expect(Security).to receive(:write_shadow_config)
 expect(Security).to receive(:write_console_shutdown)
 expect(Security).to receive(:write_pam_settings)
 expect(Security).to receive(:write_polkit_settings)
@@ -155,13 +159,23 @@
 end
 it "updates changed values" do
- Security.Settings["USERADD_CMD"] = "cmd"
- Security.Settings["USERDEL_PRECMD"] = ""
+ Security.Settings["SYSTOHC"] = "yes"
 Security.write_to_locations
- expect(written_value_for(".etc.login_defs.USERADD_CMD")).to eq("cmd")
- expect(written_value_for(".etc.login_defs.USERDEL_PRECMD")).to eq("")
- expect(was_written?(".etc.login_defs")).to eq(true)
+ expect(written_value_for(".sysconfig.clock.SYSTOHC")).to eq("yes")
+ expect(was_written?(".sysconfig.clock")).to eq(true)
+ end
+ end
+
+ describe "#write_shadow_config" do
+ before do
+ Security.Settings["FAIL_DELAY"] = "10"
+ end
+
+ it "writes login.defs configuration" do
+ expect(shadow_config).to receive(:fail_delay=).with("10")
+ expect(shadow_config).to receive(:save)
+ Security.write_shadow_config
 end
 end
@@ -638,6 +652,17 @@
 end
 end
+ describe "#read_shadow_config" do
+ before do
+ allow(shadow_config).to receive(:fail_delay).and_return("10")
+ end
+
+ it "reads login.defs configuration" do
+ Security.read_shadow_config
+ expect(Security.Settings["FAIL_DELAY"]).to eq("10")
+ end
+ end
+
 describe "#Read" do
 it "reads settings and returns true" do
 expect(Security).to receive(:read_from_locations)
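Review bot: The new `#read_shadow_config` example in the `@@ -638,6 +652,17 @@` hunk covers only the happy path; the `next if value.nil?` branch of `read_shadow_config`, which keeps the current `@Settings` entry when login.defs does not set a key, has no example, and the `#write_shadow_config` example in the first hunk does not check what happens to an attribute that was never set. Both examples drive a real `CFA::ShadowConfig.new` whose other accessors may be reached with nil values, so a regression in either branch would surface as a confusing failure elsewhere rather than here. An example for the skip branch is below; a mirror-image one for the writer would pin the behaviour chosen for unset attributes once that is decided.

```ruby
describe "#read_shadow_config" do
  # … unchanged: before block and the existing example …

  it "keeps the current value when login.defs does not set the key" do
    Security.Settings["FAIL_DELAY"] = "5"
    allow(shadow_config).to receive(:fail_delay).and_return(nil)
    Security.read_shadow_config
    expect(Security.Settings["FAIL_DELAY"]).to eq("5")
  end
end
```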
