Hello community, here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2020-03-01 21:26:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-security (Old) and /work/SRC/openSUSE:Factory/.yast2-security.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Sun Mar 1 21:26:55 2020 rev:91 rq:777874 version:4.2.11 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2020-01-24 14:10:54.618404328 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-security.new.26092/yast2-security.changes 2020-03-01 21:27:05.912444897 +0100 @@ -1,0 +2,7 @@ +Mon Feb 3 16:02:35 CET 2020 - [email protected] + +- Using SysctlConfig class: Handle sysctl entries in different + directories (bsc#1151649). +- 4.2.11 + +------------------------------------------------------------------- Old: ---- yast2-security-4.2.10.tar.bz2 New: ---- yast2-security-4.2.11.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++ --- /var/tmp/diff_new_pack.go4GLL/_old 2020-03-01 21:27:07.096447302 +0100 +++ /var/tmp/diff_new_pack.go4GLL/_new 2020-03-01 21:27:07.104447318 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.2.10 +Version: 4.2.11 Release: 0 Summary: YaST2 - Security Configuration License: GPL-2.0-only @@ -34,8 +34,8 @@ BuildRequires: yast2-pam BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec) BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5 -# CFA::LoginDefsConfig -BuildRequires: yast2 >= 4.2.39 +# CFA::SysctlConfig +BuildRequires: yast2 >= 4.2.66 # Unfortunately we cannot move this to macros.yast, # bcond within macros are ignored by osc/OBS. %bcond_with yast_run_ci_tests 
@@ -45,8 +45,8 @@ # new Pam.ycp API Requires: yast2-pam >= 2.14.0 -# CFA::LoginDefsConfig -Requires: yast2 >= 4.2.39 +# CFA::SysctlConfig +Requires: yast2 >= 4.2.66 Requires: yast2-ruby-bindings >= 1.0.0 Provides: y2c_sec ++++++ yast2-security-4.2.10.tar.bz2 -> yast2-security-4.2.11.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/package/yast2-security.changes new/yast2-security-4.2.11/package/yast2-security.changes --- old/yast2-security-4.2.10/package/yast2-security.changes 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/package/yast2-security.changes 2020-02-21 10:22:33.000000000 +0100 @@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Mon Feb 3 16:02:35 CET 2020 - [email protected] + +- Using SysctlConfig class: Handle sysctl entries in different + directories (bsc#1151649). +- 4.2.11 + +------------------------------------------------------------------- Thu Jan 23 13:04:04 UTC 2020 - Steffen Winterfeldt <[email protected]> - don't use /bin/systemctl compat symlink (bsc#1160890) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/package/yast2-security.spec new/yast2-security-4.2.11/package/yast2-security.spec --- old/yast2-security-4.2.10/package/yast2-security.spec 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/package/yast2-security.spec 2020-02-21 10:22:33.000000000 +0100 @@ -17,7 +17,7 @@ Name: yast2-security -Version: 4.2.10 +Version: 4.2.11 Release: 0 Group: System/YaST License: GPL-2.0-only 
@@ -34,8 +34,8 @@ BuildRequires: yast2-devtools >= 4.2.2 BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5 BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec) -# CFA::LoginDefsConfig -BuildRequires: yast2 >= 4.2.39 +# CFA::SysctlConfig +BuildRequires: yast2 >= 4.2.66 # Unfortunately we cannot move this to macros.yast, # bcond within macros are ignored by osc/OBS. %bcond_with yast_run_ci_tests @@ -45,8 +45,8 @@ # new Pam.ycp API Requires: yast2-pam >= 2.14.0 -# CFA::LoginDefsConfig -Requires: yast2 >= 4.2.39 +# CFA::SysctlConfig +Requires: yast2 >= 4.2.66 Requires: yast2-ruby-bindings >= 1.0.0 Provides: y2c_sec yast2-config-security diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/src/data/security/level1.yml new/yast2-security-4.2.11/src/data/security/level1.yml --- old/yast2-security-4.2.10/src/data/security/level1.yml 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/src/data/security/level1.yml 2020-02-21 10:22:33.000000000 +0100 @@ -34,6 +34,6 @@ USERDEL_POSTCMD: "/usr/sbin/userdel-post.local" USERDEL_PRECMD: "/usr/sbin/userdel-pre.local" kernel.sysrq: '0' -net.ipv4.ip_forward: '0' -net.ipv4.tcp_syncookies: '1' -net.ipv6.conf.all.forwarding: '0' +net.ipv4.ip_forward: false +net.ipv4.tcp_syncookies: true +net.ipv6.conf.all.forwarding: false diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/src/data/security/level2.yml new/yast2-security-4.2.11/src/data/security/level2.yml --- old/yast2-security-4.2.10/src/data/security/level2.yml 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/src/data/security/level2.yml 2020-02-21 10:22:33.000000000 +0100 
@@ -34,6 +34,6 @@ USERDEL_POSTCMD: "/usr/sbin/userdel-post.local" USERDEL_PRECMD: "/usr/sbin/userdel-pre.local" kernel.sysrq: '0' -net.ipv4.ip_forward: '0' -net.ipv4.tcp_syncookies: '1' -net.ipv6.conf.all.forwarding: '0' +net.ipv4.ip_forward: false +net.ipv4.tcp_syncookies: true +net.ipv6.conf.all.forwarding: false diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/src/data/security/level3.yml new/yast2-security-4.2.11/src/data/security/level3.yml --- old/yast2-security-4.2.10/src/data/security/level3.yml 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/src/data/security/level3.yml 2020-02-21 10:22:33.000000000 +0100 @@ -34,6 +34,6 @@ USERDEL_POSTCMD: "/usr/sbin/userdel-post.local" USERDEL_PRECMD: "/usr/sbin/userdel-pre.local" kernel.sysrq: '0' -net.ipv4.ip_forward: '0' -net.ipv4.tcp_syncookies: '1' -net.ipv6.conf.all.forwarding: '0' +net.ipv4.ip_forward: false +net.ipv4.tcp_syncookies: true +net.ipv6.conf.all.forwarding: false diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/src/include/security/dialogs.rb new/yast2-security-4.2.11/src/include/security/dialogs.rb --- old/yast2-security-4.2.10/src/include/security/dialogs.rb 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/src/include/security/dialogs.rb 2020-02-21 10:22:33.000000000 +0100 @@ -117,7 +117,9 @@ "yes" => "no", "no" => "yes", "1" => "0", - "0" => "1" + "0" => "1", + true => false, + false => true } # mapping for "Configure" links @@ -150,9 +152,9 @@ # handle the special cases at first if Builtins.contains(@configurable_options, option) ret = _("Configure") - elsif ["1", "yes"].include?(value) + elsif ["1", "yes", true].include?(value) ret = _("Enabled") - elsif ["0", "no"].include?(value) + elsif ["0", "no", false].include?(value) ret = _("Disabled") else return @UNKNOWN_STATUS 
@@ -257,23 +259,15 @@ }, { "id" => "net.ipv4.tcp_syncookies", - "is_secure" => Ops.get( - Security.Settings, - "net.ipv4.tcp_syncookies", - "" - ) == "1" + "is_secure" => Security.Settings[ "net.ipv4.tcp_syncookies" ] }, { "id" => "net.ipv4.ip_forward", - "is_secure" => Ops.get(Security.Settings, "net.ipv4.ip_forward", "") == "0" + "is_secure" => !Security.Settings["net.ipv4.ip_forward"] }, { "id" => "net.ipv6.conf.all.forwarding", - "is_secure" => Ops.get( - Security.Settings, - "net.ipv6.conf.all.forwarding", - "" - ) == "0" + "is_secure" => !Security.Settings["net.ipv6.conf.all.forwarding"] }, { "id" => "MANDATORY_SERVICES", @@ -481,12 +475,7 @@ Builtins.y2milestone("Clicked %1 link", ret) current_value = Ops.get(Security.Settings, Convert.to_string(ret), "") - - new_value = Ops.get_string( - @link_value_mapping, - current_value, - current_value - ) + new_value = @link_value_mapping[current_value] # set the new value and refresh the overview if Builtins.haskey(@link_value_mapping, current_value) && diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/src/modules/Security.rb new/yast2-security-4.2.11/src/modules/Security.rb --- old/yast2-security-4.2.10/src/modules/Security.rb 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/src/modules/Security.rb 2020-02-21 10:22:33.000000000 +0100 @@ -27,7 +27,7 @@ # $Id$ require "yast" require "yast2/systemd/service" -require "cfa/sysctl" +require "cfa/sysctl_config" require "cfa/shadow_config" require "yaml" require "security/ctrl_alt_del_config" @@ -42,8 +42,8 @@ include ::Security::CtrlAltDelConfig SYSCTL_VALUES = { - "yes" => "1", - "no" => "0" + "yes" => true, + "no" => false } SHADOW_ATTRS = [ 
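Review bot: The three rewritten `is_secure` entries rely on `Security.Settings[...]` already holding a Ruby boolean; any value that is still a String (the old '0'/'1' form, or the empty string the write path treats as invalid) is truthy in Ruby, so `!Security.Settings["net.ipv4.ip_forward"]` reports '0' as insecure and `Security.Settings["net.ipv4.tcp_syncookies"]` reports '0' as secure. Comparing explicitly, `"is_secure" => Security.Settings["net.ipv4.tcp_syncookies"] == true` and `"is_secure" => Security.Settings["net.ipv4.ip_forward"] == false`, keeps an unexpected type from being displayed as a secure state; whether such a string can still reach this dialog after the Import conversion is not visible from the hunk, so this is mainly a cheap guard. The first line also writes `[ "net.ipv4.tcp_syncookies" ]` with inner spaces while the two lines below omit them; drop the spaces. The enclosing array literal starts and ends outside the hunk.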
@@ -118,9 +118,9 @@ "CRACKLIB_DICT_PATH" => "/usr/lib/cracklib_dict", "DISPLAYMANAGER_REMOTE_ACCESS" => "no", "kernel.sysrq" => "0", - "net.ipv4.tcp_syncookies" => "1", - "net.ipv4.ip_forward" => "0", - "net.ipv6.conf.all.forwarding" => "0", + "net.ipv4.tcp_syncookies" => true, + "net.ipv4.ip_forward" => false, + "net.ipv6.conf.all.forwarding" => false, "FAIL_DELAY" => "3", "GID_MAX" => "60000", "GID_MIN" => "1000", @@ -189,9 +189,9 @@ # Default values for /etc/sysctl.conf keys @sysctl = { "kernel.sysrq" => "0", - "net.ipv4.tcp_syncookies" => "1", - "net.ipv4.ip_forward" => "0", - "net.ipv6.conf.all.forwarding" => "0" + "net.ipv4.tcp_syncookies" => true, + "net.ipv4.ip_forward" => false, + "net.ipv6.conf.all.forwarding" => false } # Mapping of /etc/sysctl.conf keys to old (obsoleted) sysconfig ones @@ -245,7 +245,7 @@ @write_only = false # Force reading of sysctl configuration - @sysctl_file = nil + @sysctl_config = nil @activation_mapping = { "DHCPD_RUN_CHROOTED" => "/usr/bin/systemctl try-restart dhcpd.service", @@ -583,14 +583,17 @@ @sysctl.sort.each do |key, default_value| val = @Settings.fetch(key, default_value) int_val = Integer(val) rescue nil - if int_val.nil? - log.error "value #{val} for #{key} is not integer, not writing" + if int_val.nil? && ![TrueClass, FalseClass].include?(val.class) + log.error "value #{val} for #{key} has wrong type, not writing" elsif val != read_sysctl_value(key) write_sysctl_value(key, val) written = true end end - sysctl_file.save if written + + if written && !sysctl_config.conflict? + sysctl_config.save + end # enable sysrq? sysrq = Integer(@Settings.fetch("kernel.sysrq", "0")) rescue nil 
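Review bot: When `written` is true but `sysctl_config.conflict?` returns true, the new guard skips `sysctl_config.save` without logging anything, so the changed values are silently dropped and the caller gets no indication that the kernel hardening was not applied. Add a message on the skipped branch, e.g. `log.error "Conflicting sysctl settings found, not saving sysctl configuration" if written && sysctl_config.conflict?` (use `log.warn` if a conflict is considered an expected situation). Separately, `[TrueClass, FalseClass].include?(val.class)` reads more naturally as `[true, false].include?(val)`; the same construct appears in the `Export` hunk. write_kernel_settings starts and ends outside the hunk.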
@@ -726,6 +729,26 @@ # @return [Boolean] True on success def Import(settings) settings = deep_copy(settings) + if settings.key?("KERNEL.SYSRQ") + settings["kernel.sysrq"] = settings.delete("KERNEL.SYSRQ") + end + if settings.key?("NET.IPV4.TCP_SYNCOOKIES") + settings["net.ipv4.tcp_syncookies"] = settings.delete("NET.IPV4.TCP_SYNCOOKIES") + end + if settings.key?("NET.IPV4.IP_FORWARD") + settings["net.ipv4.ip_forward"] = settings.delete("NET.IPV4.IP_FORWARD") + end + if settings.key?("NET.IPV6.CONF.ALL.FORWARDING") + settings["net.ipv6.conf.all.forwarding"] = settings.delete("NET.IPV6.CONF.ALL.FORWARDING") + end + + # conversion to true/false + ["net.ipv4.tcp_syncookies", "net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding"].each do |key| + if settings.key?(key) && settings[key].is_a?(::String) + settings[key] = settings[key] == "1" ? true : false + end + end + return true if settings == {} @modified = true @@ -736,13 +759,14 @@ else if @sysctl.key?(k) && settings.key?(@sysctl2sysconfig[k]) val = settings[@sysctl2sysconfig[k]].to_s - tmpSettings[k] = SYSCTL_VALUES[val] || val + tmpSettings[k] = SYSCTL_VALUES.key?(val) ? SYSCTL_VALUES[val] : val else tmpSettings[k] = settings[@obsolete_login_defs[k]] || v end end end @Settings = tmpSettings + true end @@ -750,7 +774,15 @@ # (For use by autoinstallation.) # @return [Hash] Dumped settings (later acceptable by Import ()) def Export - Builtins.eval(@Settings) + settings = deep_copy(@Settings) + # conversion to 0/1 string + ["net.ipv4.tcp_syncookies", "net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding"].each do |key| + if [TrueClass, FalseClass].include?(settings[key].class) + settings[key] = settings[key] ? "1" : "0" + end + end + + settings end # Create a textual summary and a list of unconfigured cards 
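Review bot: The string-to-boolean conversion in `Import` maps every String that is not exactly "1" to `false`, so a profile value such as "yes" or "true" for `net.ipv4.tcp_syncookies` silently disables syncookies instead of being rejected, whereas the same spelling for the obsolete sysconfig keys is handled through `SYSCTL_VALUES`. Converting only the two forms `Export` produces, `settings[key] = true if settings[key] == "1"` and `settings[key] = false if settings[key] == "0"`, leaves anything else untouched so that `write_kernel_settings` logs it as a wrong type rather than writing a guessed value. The key list `["net.ipv4.tcp_syncookies", "net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding"]` is repeated verbatim in the `Export` hunk; a frozen constant next to `SYSCTL_VALUES` would keep the two in sync. The four `if settings.key?(...)` renames could likewise be driven by a single hash of old-to-new names. Import continues past the hunk.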
@@ -858,31 +890,31 @@ # # @note It memoizes the value until {#main} is called. # - # @return [Yast2::CFA::Sysctl] - def sysctl_file - return @sysctl_file if @sysctl_file - @sysctl_file = CFA::Sysctl.new - @sysctl_file.load - @sysctl_file + # @return [Yast2::CFA::SysctlConfig] + def sysctl_config + return @sysctl_config if @sysctl_config + @sysctl_config = CFA::SysctlConfig.new + @sysctl_config.load + @sysctl_config end - # Map sysctl keys to method names from the CFA::Sysctl class. + # Map sysctl keys to method names from the CFA::SysctlConfig class. SYSCTL_KEY_TO_METH = { "kernel.sysrq" => :kernel_sysrq, - "net.ipv4.tcp_syncookies" => :raw_tcp_syncookies, - "net.ipv4.ip_forward" => :raw_forward_ipv4, - "net.ipv6.conf.all.forwarding" => :raw_forward_ipv6 + "net.ipv4.tcp_syncookies" => :tcp_syncookies, + "net.ipv4.ip_forward" => :forward_ipv4, + "net.ipv6.conf.all.forwarding" => :forward_ipv6 }.freeze # @param key [String] Key to get the value for def read_sysctl_value(key) - sysctl_file.public_send(SYSCTL_KEY_TO_METH[key]) + sysctl_config.public_send(SYSCTL_KEY_TO_METH[key]) end # @param key [String] Key to set the value for # @param value [String] Value to assign to the given key def write_sysctl_value(key, value) - sysctl_file.public_send(SYSCTL_KEY_TO_METH[key].to_s + "=", value) + sysctl_config.public_send(SYSCTL_KEY_TO_METH[key].to_s + "=", value) end def shadow_config diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.10/test/security_test.rb new/yast2-security-4.2.11/test/security_test.rb --- old/yast2-security-4.2.10/test/security_test.rb 2020-01-23 14:16:01.000000000 +0100 +++ new/yast2-security-4.2.11/test/security_test.rb 2020-02-21 10:22:33.000000000 +0100 
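Review bot: The YARD tag on `write_sysctl_value` still says `@param value [String]`, but after this commit the three `net.*` keys are written as `true`/`false` (the `SYSCTL_KEY_TO_METH` entries moved from the `raw_` accessors and the `@sysctl` defaults are now booleans), so the documentation is stale; change it to `# @param value [String, Boolean] Value to assign to the given key`. `read_sysctl_value` has no return documentation at all; `# @return [String, Boolean] value reported by CFA::SysctlConfig for the key` would help, adjusted to whatever the accessors actually return, which is not visible here. The `@return [Yast2::CFA::SysctlConfig]` tag on `sysctl_config` uses a namespace that differs from the `CFA::SysctlConfig` constant the body instantiates; confirm which one is correct and use it in both places.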
@@ -36,12 +36,12 @@ import "Service" describe Security do - let(:sysctl_file) { CFA::Sysctl.new } + let(:sysctl_config) { CFA::SysctlConfig.new } let(:shadow_config) { CFA::ShadowConfig.new } before do - allow(CFA::Sysctl).to receive(:new).and_return(sysctl_file) - allow(sysctl_file).to receive(:save) + allow(CFA::SysctlConfig).to receive(:new).and_return(sysctl_config) + allow(sysctl_config).to receive(:save) allow(CFA::ShadowConfig).to receive(:load).and_return(shadow_config) allow(shadow_config).to receive(:save) Security.main @@ -193,26 +193,26 @@ context "writing to sysctl.conf" do before do allow(SCR).to exec_bash(/echo .* \/kernel\/sysrq/) + allow(sysctl_config).to receive(:conflict?).and_return(false) end it "does not write invalid values" do Security.Settings["kernel.sysrq"] = "yes" Security.Settings["net.ipv4.ip_forward"] = "" - expect(sysctl_file).to_not receive(:kernel_sysrq).with("yes") - expect(sysctl_file).to_not receive(:raw_forward_ipv4=).with("") + expect(sysctl_config).to_not receive(:kernel_sysrq).with("yes") + expect(sysctl_config).to_not receive(:raw_forward_ipv4=).with("") Security.write_kernel_settings end it "does not write unchanged values" do - Security.Settings["net.ipv4.ip_forward"] = "0" - expect(sysctl_file).to_not receive(:raw_forward_ipv4=).with("0") + Security.Settings["net.ipv4.ip_forward"] = false + expect(sysctl_config).to_not receive(:save) Security.write_kernel_settings end it "writes changed values" do - Security.Settings["net.ipv4.ip_forward"] = "1" - expect(sysctl_file).to receive(:raw_forward_ipv4=).with("1") - expect(sysctl_file).to receive(:save) + Security.Settings["net.ipv4.ip_forward"] = true + expect(sysctl_config).to receive(:save) Security.write_kernel_settings end end 
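Review bot: In "does not write invalid values" the expectation `expect(sysctl_config).to_not receive(:raw_forward_ipv4=).with("")` is now vacuous: `SYSCTL_KEY_TO_METH` in this commit maps `net.ipv4.ip_forward` to `:forward_ipv4`, so the code never calls `raw_forward_ipv4=` for any value and the test can no longer fail. Change it to `expect(sysctl_config).to_not receive(:forward_ipv4=).with("")`. The same drift affects "writes changed values", which dropped the setter expectation entirely and now only checks `save`; adding `expect(sysctl_config).to receive(:forward_ipv4=).with(true)` keeps the written value itself under test.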
@@ -575,9 +575,9 @@ it "sets kernel settings based on /etc/sysctl.conf" do expect(Security.Settings["kernel.sysrq"]).to eql("0") - expect(Security.Settings["net.ipv4.tcp_syncookies"]).to eql("1") - expect(Security.Settings["net.ipv4.ip_forward"]).to eql("0") - expect(Security.Settings["net.ipv6.conf.all.forwarding"]).to eql("0") + expect(Security.Settings["net.ipv4.tcp_syncookies"]).to eql(true) + expect(Security.Settings["net.ipv4.ip_forward"]).to eql(false) + expect(Security.Settings["net.ipv6.conf.all.forwarding"]).to eql(false) end end @@ -684,7 +684,7 @@ Security.Settings["MANDATORY_SERVICES"] = "no" # SYSCTL - Security.Settings["net.ipv4.ip_forward"] = "1" + Security.Settings["net.ipv4.ip_forward"] = true # OBSOLETE LOGIN DEFS Security.Settings["SYS_UID_MIN"] = 200 @@ -710,7 +710,7 @@ it "imports SYSCTL settings modifying key names and adapting values" do expect(Security.Import("IP_FORWARD" => "no")).to eql(true) - expect(Security.Settings["net.ipv4.ip_forward"]).to eql("0") + expect(Security.Settings["net.ipv4.ip_forward"]).to eql(false) end it "imports LOGIN DEFS settings transforming key name" do
