Hello community,
here is the log from the commit of package yast2-security for openSUSE:Factory checked in at 2016-03-07 13:25:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-security (Old)
and /work/SRC/openSUSE:Factory/.yast2-security.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security"
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-security/yast2-security.changes 2015-10-03 20:29:36.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.yast2-security.new/yast2-security.changes 2016-03-07 13:25:50.000000000 +0100
@@ -1,0 +2,7 @@
+Fri Feb 26 12:40:29 UTC 2016 - knut.anderssen@suse.com
+
+- Removed "Boot permissions - Interpretation of Ctrl + Alt + Del"
+ combo box "Reboot" entry for s390 architecture. (fate#319711)
+- 3.2.1
+
+-------------------------------------------------------------------
Old:
----
yast2-security-3.2.0.tar.bz2
New:
----
yast2-security-3.2.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-security.spec ++++++
--- /var/tmp/diff_new_pack.6sAKcQ/_old 2016-03-07 13:26:08.000000000 +0100
+++ /var/tmp/diff_new_pack.6sAKcQ/_new 2016-03-07 13:26:08.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package yast2-security
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: yast2-security
-Version: 3.2.0
+Version: 3.2.1
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -86,6 +86,7 @@
%{yast_scrconfdir}/*.scr
%{yast_schemadir}/autoyast/rnc/security.rnc
%{yast_ydatadir}/security
+%{yast_libdir}/security
%doc %{yast_docdir}
%changelog
++++++ yast2-security-3.2.0.tar.bz2 -> yast2-security-3.2.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/package/yast2-security.changes new/yast2-security-3.2.1/package/yast2-security.changes
--- old/yast2-security-3.2.0/package/yast2-security.changes 2015-09-24 17:06:12.000000000 +0200
+++ new/yast2-security-3.2.1/package/yast2-security.changes 2016-03-02 13:26:10.000000000 +0100
@@ -1,4 +1,11 @@
-------------------------------------------------------------------
+Fri Feb 26 12:40:29 UTC 2016 - knut.anderssen@suse.com
+
+- Removed "Boot permissions - Interpretation of Ctrl + Alt + Del"
+ combo box "Reboot" entry for s390 architecture. (fate#319711)
+- 3.2.1
+
+-------------------------------------------------------------------
Thu Sep 24 14:50:20 UTC 2015 - ancor@suse.com
- Bumped version number in order to branch the SLE version due to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/package/yast2-security.spec new/yast2-security-3.2.1/package/yast2-security.spec
--- old/yast2-security-3.2.0/package/yast2-security.spec 2015-09-24 17:06:12.000000000 +0200
+++ new/yast2-security-3.2.1/package/yast2-security.spec 2016-03-02 13:26:10.000000000 +0100
@@ -17,7 +17,7 @@
Name: yast2-security
-Version: 3.2.0
+Version: 3.2.1
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -78,4 +78,5 @@
%{yast_scrconfdir}/*.scr
%{yast_schemadir}/autoyast/rnc/security.rnc
%{yast_ydatadir}/security
+%{yast_libdir}/security
%doc %{yast_docdir}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/Makefile.am new/yast2-security-3.2.1/src/Makefile.am
--- old/yast2-security-3.2.0/src/Makefile.am 2015-09-24 17:06:12.000000000 +0200
+++ new/yast2-security-3.2.1/src/Makefile.am 2016-03-02 13:26:10.000000000 +0100
@@ -19,6 +19,11 @@
include/security/routines.rb \
include/security/helps.rb
+
+ylibdir = @ylibdir@/security
+ylib_DATA = \
+ lib/security/ctrl_alt_del_config.rb
+
schemafilesdir = $(schemadir)/autoyast/rnc
schemafiles_DATA = \
autoyast-rnc/security.rnc
@@ -38,6 +43,6 @@
desktop_DATA = \
desktop/security.desktop
-EXTRA_DIST = $(module_DATA) $(client_DATA) $(ynclude_DATA) $(schemafiles_DATA) $(scrconf_DATA) $(ydata_DATA) $(desktop_DATA)
+EXTRA_DIST = $(module_DATA) $(client_DATA) $(ynclude_DATA) $(schemafiles_DATA) $(scrconf_DATA) $(ydata_DATA) $(desktop_DATA) $(ylib_DATA)
include $(top_srcdir)/Makefile.am.common
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/include/security/helps.rb new/yast2-security-3.2.1/src/include/security/helps.rb
--- old/yast2-security-3.2.0/src/include/security/helps.rb 2015-09-24 17:06:12.000000000 +0200
+++ new/yast2-security-3.2.1/src/include/security/helps.rb 2016-03-02 13:26:10.000000000 +0100
@@ -52,34 +52,13 @@
"<p><b><big>Aborting Saving</big></b><br>\nAbort the save procedure by pressing <b>Abort</b>.</p>"
),
# Boot dialog help 1/4
- "boot" => _(
- "<p><b><big>Boot Security</big></b></p>\n<p>In this dialog, change various boot settings related to security.</p>"
- ) +
- # Boot dialog help 2/4
- _(
- "<p><b>Interpretation of Ctrl + Alt + Del</b>:\n" +
- "Configure what the system should do in response to\n" +
- "someone at the console pressing the CTRL + ALT + DEL key\n" +
- "combination. Usually the system reboots. Sometimes it is desirable\n" +
- "to ignore this event, for example, when the system serves as both\n" +
- "workstation and server.</p>"
- ) +
- # Boot dialog help 3/4
- _(
- "<p><b>Shutdown Behaviour of Login Manager</b>:\nSet who is allowed to shut down the machine from KDM.</p>\n"
- ) +
- # Boot dialog help 4/4
- _(
- "<p><b>Hibernate System</b>:\n" +
- "Set the conditions for allowing users to hibernate the system. By default, user on active console has such right.\n" +
- "Other options are allowing the action to any user or requiring authentication in all cases.</p>\n"
- ),
+ "boot" => boot_dialog_help,
# Main dialog help 1/8
"main" => _(
- "<P><BIG><B>Configuring Local Security</B></BIG></P>\n" +
- "<p>Using predefined defaults, change the local security settings, which include\n" +
- " booting, login, password, user creation, and file permissions. The default\n" +
- " settings can be modified as needed.\n" +
+ "<P><BIG><B>Configuring Local Security</B></BIG></P>\n" \
+ "<p>Using predefined defaults, change the local security settings, which include\n" \
+ " booting, login, password, user creation, and file permissions. The default\n" \
+ " settings can be modified as needed.\n" \
"</p>"
) +
# Main dialog help 5/8
@@ -98,28 +77,28 @@
_("<p><b>Custom Settings</b>: Create your own configuration.</p>"),
# Login dialog help 1/4
"login" => _(
- "<p><big><b>Login Security</b></big></p>\n" +
- "<p>These login settings\n" +
+ "<p><big><b>Login Security</b></big></p>\n" \
+ "<p>These login settings\n" \
"are mainly stored in the /etc/login.defs file.</p>"
) +
# Login dialog help 2/4
_(
- "<p><b>Delay after Incorrect Login Attempt:</b>\n" +
- "It is advisable to wait some time after an incorrect login attempt to prevent\n" +
- "password guessing. Make the time small enough that users do not need to wait to\n" +
+ "<p><b>Delay after Incorrect Login Attempt:</b>\n" \
+ "It is advisable to wait some time after an incorrect login attempt to prevent\n" \
+ "password guessing. Make the time small enough that users do not need to wait to\n" \
"retry if a password is mistyped. A sensible value is three seconds (<tt>3</tt>).</p>"
) +
# Login dialog help 3/4
_(
- "<p><b>Record Successful Login Attempts:</b> Logging successful login\n" +
- "attempts is useful. It can warn you of unauthorized access to the\n" +
- "system (for example, a user logging in from a different location than usual).\n" +
+ "<p><b>Record Successful Login Attempts:</b> Logging successful login\n" \
+ "attempts is useful. It can warn you of unauthorized access to the\n" \
+ "system (for example, a user logging in from a different location than usual).\n" \
"</p>\n"
) +
# Login dialog help 4/4
_(
- "<p><b>Allow Remote Graphical Login:</b> Checking this allows access\n" +
- "to a graphical login screen for this machine over the network. Remote access\n" +
+ "<p><b>Allow Remote Graphical Login:</b> Checking this allows access\n" \
+ "to a graphical login screen for this machine over the network. Remote access\n" \
"to your machine using a display manager might be a security risk.</p>"
),
# Password dialog help 1/8
@@ -128,30 +107,30 @@
) +
# Password dialog help 2/8
_(
- "<p><b>Check New Passwords</b>: It is wise to choose a password that\n" +
- "cannot be found in a dictionary and is not a name or other simple, common word.\n" +
+ "<p><b>Check New Passwords</b>: It is wise to choose a password that\n" \
+ "cannot be found in a dictionary and is not a name or other simple, common word.\n" \
"By checking the box, enforce password checking in regard to these rules.</p>"
) +
# Password dialog help
_(
- "<p><b>Minimum Acceptable Password Length:</b>\n" +
- "The minimum acceptable size for the new password reduced by the number\n" +
- "of different character classes (other, upper, lower and digit) used in the new\n" +
- "password. See man pam_cracklib for a more detailed explanation.\n" +
+ "<p><b>Minimum Acceptable Password Length:</b>\n" \
+ "The minimum acceptable size for the new password reduced by the number\n" \
+ "of different character classes (other, upper, lower and digit) used in the new\n" \
+ "password. See man pam_cracklib for a more detailed explanation.\n" \
"This option can only be modified when <b>Check New Passwords</b> is set.</p>"
) +
# Password dialog help 4/8
_(
- "<p><b>Passwords to Remember</b>:\n" +
- "Enter the number of user passwords to store and prevent the user from reusing.\n" +
+ "<p><b>Passwords to Remember</b>:\n" \
+ "Enter the number of user passwords to store and prevent the user from reusing.\n" \
"Enter 0 if passwords should not be stored.</p>"
) +
# Password dialog help 5a/8
_("<p><b>Password Encryption Method:</b></p>") +
# Password dialog help 5b/8
_(
- "<p><b>DES</b>, the Linux default method, works in all network environments,\n" +
- "but it restricts you to passwords no longer than eight characters. If you need\n" +
+ "<p><b>DES</b>, the Linux default method, works in all network environments,\n" \
+ "but it restricts you to passwords no longer than eight characters. If you need\n" \
"compatibility with other systems, use this method.</p>"
) +
# Password dialog help 5c/8
@@ -168,8 +147,8 @@
) +
# Password dialog help 8/8
_(
- "<p><b>Days before Password Expires Warning</b>: This entry sets the\n" +
- "number of days users are warned before their passwords expire. The longer the\n" +
+ "<p><b>Days before Password Expires Warning</b>: This entry sets the\n" \
+ "number of days users are warned before their passwords expire. The longer the\n" \
"time, the less likely it is that someone can guess passwords.</p>"
),
# Adduser dialog help 1/2
@@ -190,49 +169,49 @@
) +
# Misc dialog help 2/14
_(
- "<p><b>File Permissions</b>: Settings for the permissions\n" +
- "of certain system files are set according to the data in /etc/permissions.secure\n" +
- "or /etc/permissions.easy. Which file is used depends on this selection.\n" +
- "Launching SuSEconfig sets these permissions according to /etc/permissions.*.\n" +
- "This fixes files with incorrect permissions, whether this occurred accidentally\n" +
- "or by intruders.</p><p>\n" +
- "With <b>Easy</b>, most of the system files that are only readable by root\n" +
- "in Secure are modified so other users can also read these files.\n" +
- "Using <b>Secure</b>, certain system files, such as /var/log/messages, can only\n" +
- "be viewed by the user root. Some programs can only be launched by root or by\n" +
- "daemons, not by ordinary users.\n" +
- "The most secure setting is <b>Paranoid</B>. With it, you must\n" +
+ "<p><b>File Permissions</b>: Settings for the permissions\n" \
+ "of certain system files are set according to the data in /etc/permissions.secure\n" \
+ "or /etc/permissions.easy. Which file is used depends on this selection.\n" \
+ "Launching SuSEconfig sets these permissions according to /etc/permissions.*.\n" \
+ "This fixes files with incorrect permissions, whether this occurred accidentally\n" \
+ "or by intruders.</p><p>\n" \
+ "With <b>Easy</b>, most of the system files that are only readable by root\n" \
+ "in Secure are modified so other users can also read these files.\n" \
+ "Using <b>Secure</b>, certain system files, such as /var/log/messages, can only\n" \
+ "be viewed by the user root. Some programs can only be launched by root or by\n" \
+ "daemons, not by ordinary users.\n" \
+ "The most secure setting is <b>Paranoid</B>. With it, you must\n" \
"decide which users are able to run X applications and setuid programs.</p>\n"
) +
# Misc dialog help 6/14
_(
- "<p><b>User Launching updatedb</b>: The program updatedb runs \n" +
- "once a day. It scans your entire file system and creates a database (locatedb)\n" +
- "that stores the location of every file. The database can be searched by the\n" +
- "program \"locate\". Here, set the user that runs this command: <b>nobody</b>\n" +
+ "<p><b>User Launching updatedb</b>: The program updatedb runs \n" \
+ "once a day. It scans your entire file system and creates a database (locatedb)\n" \
+ "that stores the location of every file. The database can be searched by the\n" \
+ "program \"locate\". Here, set the user that runs this command: <b>nobody</b>\n" \
" (few files) or <b>root</b> (all files).</p>"
) +
# Misc dialog help 10/14
_(
- "<p><b>Current Directory in root's Path</b> On a DOS system,\n" +
- "the system first searches for executable files (programs) in the current\n" +
- "directory then in the current path variable. In contrast, a UNIX-like system\n" +
+ "<p><b>Current Directory in root's Path</b> On a DOS system,\n" \
+ "the system first searches for executable files (programs) in the current\n" \
+ "directory then in the current path variable. In contrast, a UNIX-like system\n" \
"searches for them exclusively via the search path (variable PATH).</p>"
) +
# Misc dialog help 11/14
_(
- "<p><b>Current Directory in the Path of Regular Users</b><br> A DOS\n" +
- "system first searches for executable files (programs) in the current directory\n" +
- "then in the current path variable. In contrast, a UNIX-like system searches\n" +
+ "<p><b>Current Directory in the Path of Regular Users</b><br> A DOS\n" \
+ "system first searches for executable files (programs) in the current directory\n" \
+ "then in the current path variable. In contrast, a UNIX-like system searches\n" \
"for them exclusively via the search path (variable PATH).</p>"
) +
# Misc dialog help 12/14
_(
- "<p>Some systems set up a work-around by adding the dot (\".\") to the\n" +
- "search path, enabling files in the current path to be found and executed.\n" +
- "This is highly dangerous because you may accidentally launch unknown programs in\n" +
- "the current directory instead of the usual systemwide files. As a result,\n" +
- "executing <i>Trojan Horses</i>, which exploit this weakness and invade your system,\n" +
+ "<p>Some systems set up a work-around by adding the dot (\".\") to the\n" \
+ "search path, enabling files in the current path to be found and executed.\n" \
+ "This is highly dangerous because you may accidentally launch unknown programs in\n" \
+ "the current directory instead of the usual systemwide files. As a result,\n" \
+ "executing <i>Trojan Horses</i>, which exploit this weakness and invade your system,\n" \
"is rather easy if you set this option.</p>"
) +
# Misc dialog help 13/14
@@ -245,8 +224,8 @@
) +
# Misc dialog help 14/14
_(
- "<p><b>Enable Magic SysRq Keys</b><br> If you check this option, you\n" +
- "will have some control over the system even if it crashes (for example, during kernel\n" +
+ "<p><b>Enable Magic SysRq Keys</b><br> If you check this option, you\n" \
+ "will have some control over the system even if it crashes (for example, during kernel\n" \
"debugging). For details, see /usr/src/linux/Documentation/sysrq.txt</p>"
),
# help text: security overview dialog 1/
@@ -269,19 +248,19 @@
@help_mapping = {
"DISPLAYMANAGER_REMOTE_ACCESS" => _(
- "<P>A display manager provides a graphical login screen and can be accessed\n" +
- "across the network by an X server running on another system if so\n" +
- "configured.</P><P>The windows that are being displayed would then transmit\n" +
- "their data across the network. If that network is not fully trusted, then the\n" +
- "network traffic can be eavesdropped by an attacker, gaining access not only to\n" +
- "the graphical content of the display, but also to usernames and passwords that\n" +
- "are being used.</P><P>If you do not need <EM>XDMCP</EM> for remote graphical\n" +
+ "<P>A display manager provides a graphical login screen and can be accessed\n" \
+ "across the network by an X server running on another system if so\n" \
+ "configured.</P><P>The windows that are being displayed would then transmit\n" \
+ "their data across the network. If that network is not fully trusted, then the\n" \
+ "network traffic can be eavesdropped by an attacker, gaining access not only to\n" \
+ "the graphical content of the display, but also to usernames and passwords that\n" \
+ "are being used.</P><P>If you do not need <EM>XDMCP</EM> for remote graphical\n" \
"logins, then disable this option.</P>"
),
"SYSTOHC" => _(
- "<P>Upon startup, the system time is being set from the hardware clock of the\n" +
- "computer. As a consequence, setting the hardware clock before shutting down is\n" +
- "necessary.</P><P>Consistent system time is essential for the system to create\n" +
+ "<P>Upon startup, the system time is being set from the hardware clock of the\n" \
+ "computer. As a consequence, setting the hardware clock before shutting down is\n" \
+ "necessary.</P><P>Consistent system time is essential for the system to create\n" \
"correct log messages.</P>"
),
"SYSLOG_ON_NO_ERROR" => _(
@@ -297,36 +276,36 @@
"<P>Administrators should never log on as <EM>root</EM> into an X Window session to minimize the usage of the root privileges.</P><P>This option does not help against careless administrators, but shall prevent attackers to be able to log on as <EM>root</EM> via the display manager if they guess or otherwise acquire the password.</P>"
),
"DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" => _(
- "<P>X Window clients, e.g. programs that open a window on your display, connect\n" +
- "to the X server that runs on the physical machine. Programs can also run on a\n" +
- "different system and display their content on the X server through network\n" +
- "connections.</P><P>When enabled, the X server listens on a port 6000 plus the\n" +
- "display number. Since network traffic is transferred unencrypted and therefore\n" +
- "subject to network sniffing, and since the port held open by the X server\n" +
- "offers attack options, the secure setting is to disable it.</P><P>To display X\n" +
+ "<P>X Window clients, e.g. programs that open a window on your display, connect\n" \
+ "to the X server that runs on the physical machine. Programs can also run on a\n" \
+ "different system and display their content on the X server through network\n" \
+ "connections.</P><P>When enabled, the X server listens on a port 6000 plus the\n" \
+ "display number. Since network traffic is transferred unencrypted and therefore\n" \
+ "subject to network sniffing, and since the port held open by the X server\n" \
+ "offers attack options, the secure setting is to disable it.</P><P>To display X\n" \
"Window clients across a network, we recommend the use of secure shell (<EM>ssh</EM>), which allows the X Window clients to connect to the X server through the encrypted ssh connection.</P>"
),
"SMTPD_LISTEN_REMOTE" => _(
"<P>The email delivery subsystem is always started. However, it does not expose\nitself outside the system by default, since it does not listen on the SMTP network port 25.</P><P>If you do not deliver emails to your system through the SMTP protocol, then disable this option.</P>"
),
"DISABLE_RESTART_ON_UPDATE" => _(
- "<P>If a package containing a service that is currently running is being\n" +
- "updated, the service is restarted after the files in the package have been\n" +
- "installed.</P><P>This makes sense in most cases, and it is safe to do,\n" +
- "considering that many services either need their binaries or configuration\n" +
- "files accessible in the file system. Otherwise these services would continue\n" +
- "to run until the services are stopped, e.g. running daemons are\n" +
- "killed.</P><P>This setting should only be changed if there is a specific\n" +
+ "<P>If a package containing a service that is currently running is being\n" \
+ "updated, the service is restarted after the files in the package have been\n" \
+ "installed.</P><P>This makes sense in most cases, and it is safe to do,\n" \
+ "considering that many services either need their binaries or configuration\n" \
+ "files accessible in the file system. Otherwise these services would continue\n" \
+ "to run until the services are stopped, e.g. running daemons are\n" \
+ "killed.</P><P>This setting should only be changed if there is a specific\n" \
"reason to do so.</P>"
),
"DISABLE_STOP_ON_REMOVAL" => _(
- "<P>If a package containing a service that is currently running is being\n" +
- "uninstalled, the service is stopped before the files of the package are\n" +
- "removed.</P><P>This makes sense in most cases, and it is safe to do,\n" +
- "considering that many services either need their binaries or configuration\n" +
- "files accessible in the file system. Otherwise these services would continue\n" +
- "to run until they are stopped, e.g. running daemons are\n" +
- "killed.</P><P>This setting should only be changed if there is a specific\n" +
+ "<P>If a package containing a service that is currently running is being\n" \
+ "uninstalled, the service is stopped before the files of the package are\n" \
+ "removed.</P><P>This makes sense in most cases, and it is safe to do,\n" \
+ "considering that many services either need their binaries or configuration\n" \
+ "files accessible in the file system. Otherwise these services would continue\n" \
+ "to run until they are stopped, e.g. running daemons are\n" \
+ "killed.</P><P>This setting should only be changed if there is a specific\n" \
"reason to do so.</P>"
),
"net.ipv4.tcp_syncookies" => _(
@@ -352,9 +331,53 @@
"EXTRA_SERVICES" => _(
"<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>"
)
- }
+ }
+ end
+
+ def boot_dialog_help
+ help = _(
+ "<p><b><big>Boot Security</big></b></p>\n<p>In this dialog, change various boot settings related to security.</p>"
+ )
+
+ if ::Security::CtrlAltDelConfig.default == "reboot"
+ # TRANSLATORS: part of help text - default action (the default is
+ # reboot)
+ details = _(
+ "Usually the system reboots. Sometimes it is desirable\n" \
+ "to ignore this event, for example, when the system serves as both\n" \
+ "workstation and server."
+ )
+ else
+ # TRANSLATORS: part of help text - default action (the default is halt)
+ details = _(
+ "By default the system halts but sometimes it is desirable\n" \
+ "to ignore this event, for example, when the system serves as both\n" \
+ "workstation and server."
+ )
+ end
+
+ # Boot dialog help 2/4
+ # TRANSLATORS: %s is help text - default action
+ help += _(
+ "<p><b>Interpretation of Ctrl + Alt + Del</b>:\n" \
+ "Configure what the system should do in response to\n" \
+ "someone at the console pressing the CTRL + ALT + DEL key\n" \
+ "combination. %s</p>"
+ ) % details
+
+ # Boot dialog help 3/4
+ help += _(
+ "<p><b>Shutdown Behaviour of Login Manager</b>:\nSet who is allowed to shut down the machine from KDM.</p>\n"
+ ) +
+ # Boot dialog help 4/4
+ _(
+ "<p><b>Hibernate System</b>:\n" \
+ "Set the conditions for allowing users to hibernate the system. By default, user on active console has such right.\n" \
+ "Other options are allowing the action to any user or requiring authentication in all cases.</p>\n"
+ )
+ help
# EOF
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/include/security/widgets.rb new/yast2-security-3.2.1/src/include/security/widgets.rb
--- old/yast2-security-3.2.0/src/include/security/widgets.rb 2015-09-24 17:06:12.000000000 +0200
+++ new/yast2-security-3.2.1/src/include/security/widgets.rb 2016-03-02 13:26:10.000000000 +0100
@@ -100,15 +100,8 @@
"Label" => _(
"&Interpretation of Ctrl + Alt + Del"
),
- "Options" => [
- # ComboBox value
- ["ignore", _("Ignore")],
- # ComboBox value
- ["reboot", _("Reboot")],
- # ComboBox value
- ["halt", _("Halt")]
- ],
- "Value" => "reboot"
+ "Options" => console_shutdown_options,
+ "Value" => ::Security::CtrlAltDelConfig.default
},
"DISPLAYMANAGER_REMOTE_ACCESS" => {
"Widget" => "CheckBox",
@@ -267,9 +260,23 @@
"Label" => _("&Minimum"),
"Value" => "100"
}
- }
+ }
+ end
+
+ def boot_option_labels
+ {
+ "ignore" => _("Ignore"),
+ "reboot" => _("Reboot"),
+ "halt" => _("Halt")
+ }
+ end
- # EOF
+ def console_shutdown_options
+ ::Security::CtrlAltDelConfig.options.map do |opt|
+ [opt, boot_option_labels[opt]]
+ end
end
+
+ # EOF
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/lib/security/ctrl_alt_del_config.rb new/yast2-security-3.2.1/src/lib/security/ctrl_alt_del_config.rb
--- old/yast2-security-3.2.0/src/lib/security/ctrl_alt_del_config.rb 1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-security-3.2.1/src/lib/security/ctrl_alt_del_config.rb 2016-03-02 13:26:10.000000000 +0100
@@ -0,0 +1,104 @@
+# encoding: utf-8
+
+# ------------------------------------------------------------------------------
+# Copyright (c) 2015 SUSE LLC, All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of version 2 of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, contact SUSE LLC.
+#
+# To contact SUSE about this file by physical or electronic mail, you may find
+# current contact information at www.suse.com.
+# ------------------------------------------------------------------------------
+#
+
+require "yast"
+
+module Security
+ module CtrlAltDelConfig
+ include Yast::Logger
+ Yast.import "SCR"
+ Yast.import "Arch"
+ Yast.import "Package"
+ Yast.import "FileUtils"
+
+ SYSTEMD_FILE = "/etc/systemd/system/ctrl-alt-del.target"
+
+ class << self
+ def systemd?
+ Yast::Package.Installed("systemd")
+ end
+
+ def inittab?
+ Yast::FileUtils.Exists("/etc/inittab")
+ end
+
+ def default
+ Yast::Arch.s390 ? "halt" : "reboot"
+ end
+
+ def options
+ options = ["ignore", "reboot", "halt"]
+
+ options.delete("reboot") if Yast::Arch.s390
+
+ options
+ end
+
+ def current
+ return current_systemd if systemd?
+ return current_inittab if inittab?
+ nil
+ end
+
+ def current_systemd
+ if !Yast::FileUtils.Exists(SYSTEMD_FILE)
+ ret = nil
+ else
+ link = Yast::SCR.Read(Yast::Path.new(".target.symlink"), SYSTEMD_FILE).to_s
+ ret =
+ case link
+ when "/usr/lib/systemd/system/poweroff.target"
+ "halt"
+ when "/usr/lib/systemd/system/reboot.target"
+ "reboot"
+ when "/usr/lib/systemd/system/ctrl-alt-del.target"
+ default
+ else
+ log.error "Not known link #{link}"
+ "ignore"
+ end
+ end
+ ret
+ end
+
+ def current_inittab
+ ca = Yast::SCR.Read(Yast::Path.new(".etc.inittab.ca"))
+ ret =
+ case ca
+ when /\/bin\/true/, /\/bin\/false/
+ "ignore"
+ when /reboot/, / -r/
+ "reboot"
+ when /halt/, / -h/
+ "halt"
+ when nil
+ log.error("No ca entry")
+ nil
+ else
+ log.error "Unknown ca status: #{ca}"
+ "ignore"
+ end
+ ret
+ end
+ end
+ end
+end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/src/modules/Security.rb new/yast2-security-3.2.1/src/modules/Security.rb
--- old/yast2-security-3.2.0/src/modules/Security.rb 2015-09-24 17:06:12.000000000 +0200
+++ new/yast2-security-3.2.1/src/modules/Security.rb 2016-03-02 13:26:10.000000000 +0100
@@ -27,11 +27,13 @@
# $Id$
require "yast"
require "yaml"
+require "security/ctrl_alt_del_config"
module Yast
class SecurityClass < Module
include Yast::Logger
+ include ::Security::CtrlAltDelConfig
def main
Yast.import "UI"
@@ -71,7 +73,7 @@
# All security settings
@Settings = {
- "CONSOLE_SHUTDOWN" => "reboot",
+ "CONSOLE_SHUTDOWN" => ::Security::CtrlAltDelConfig.default,
"CRACKLIB_DICT_PATH" => "/usr/lib/cracklib_dict",
"DISPLAYMANAGER_REMOTE_ACCESS" => "no",
"kernel.sysrq" => "0",
@@ -291,46 +293,19 @@
nil
end
+ def inittab_shutdown_configured?
+ inittab = SCR.Dir(path(".etc.inittab"))
+ inittab.include?("ca")
+ end
+
# Read the information about ctrl+alt+del behavior
# See bug 742783 for description
def ReadConsoleShutdown
- ret = "ignore"
+ ret = ::Security::CtrlAltDelConfig.current || ::Security::CtrlAltDelConfig.default
- if Package.Installed("systemd")
- if !FileUtils.Exists(@ctrl_alt_del_file)
- ret = "reboot"
- else
- link = Convert.to_string(
- SCR.Read(path(".target.symlink"), @ctrl_alt_del_file)
- )
- if link == "/usr/lib/systemd/system/poweroff.target"
- ret = "halt"
- elsif link == "/usr/lib/systemd/system/reboot.target" ||
- link == "/usr/lib/systemd/system/ctrl-alt-del.target"
- ret = "reboot"
- end
- end
- return ret
- end
- inittab = SCR.Dir(path(".etc.inittab"))
- if Builtins.contains(inittab, "ca")
- ca = Convert.to_string(SCR.Read(path(".etc.inittab.ca")))
- if Builtins.issubstring(ca, "/bin/true") ||
- Builtins.issubstring(ca, "/bin/false")
- Ops.set(@Settings, "CONSOLE_SHUTDOWN", "ignore")
- elsif Builtins.issubstring(ca, "reboot") ||
- Builtins.issubstring(ca, " -r")
- Ops.set(@Settings, "CONSOLE_SHUTDOWN", "reboot")
- elsif Builtins.issubstring(ca, "halt") ||
- Builtins.issubstring(ca, " -h")
- Ops.set(@Settings, "CONSOLE_SHUTDOWN", "halt")
- else
- Builtins.y2error("Unknown ca status: %1", ca)
- Ops.set(@Settings, "CONSOLE_SHUTDOWN", "ignore")
- end
- else
- Ops.set(@Settings, "CONSOLE_SHUTDOWN", "ignore")
- end
+ return ret if ::Security::CtrlAltDelConfig.systemd?
+
+ @Settings["CONSOLE_SHUTDOWN"] = ret if ::Security::CtrlAltDelConfig.inittab?
nil
end
@@ -353,6 +328,8 @@
@Settings[var] = val unless val.nil?
end
end
+
+ log.debug "Settings (after #{__callee__}): #{@Settings}"
end
# Read the settings from sysctl.conf
@@ -363,6 +340,80 @@
val = default_value if val.nil? || val == ""
@Settings[key] = val
end
+
+ log.debug "Settings (after #{__callee__}): #{@Settings}"
+ end
+
+ def read_encryption_method
+ method = SCR.Read(path(".etc.login_defs.ENCRYPT_METHOD")).to_s.downcase
+
+ method = "des" if !@encryption_methods.include?(method)
+
+ @Settings["PASSWD_ENCRYPTION"] = method
+ end
+
+ def read_pam_settings
+ read_encryption_method
+
+ # cracklib and pwhistory settings (default values)
+ @Settings["PASS_MIN_LEN"] = "5"
+ @Settings["PASSWD_REMEMBER_HISTORY"] = "0"
+ @Settings["CRACKLIB_DICT_PATH"] = "/usr/lib/cracklib_dict"
+
+ pam_cracklib = Pam.Query("cracklib") || {}
+ @Settings["PASSWD_USE_CRACKLIB"] = pam_cracklib.size > 0 ? "yes" : "no"
+
+ pam_cracklib.fetch("password", []).each do |entry|
+ key,value = entry.split("=")
+ if value
+ @Settings["CRACKLIB_DICT_PATH"] = value if key == "dictpath"
+ @Settings["PASS_MIN_LEN"] = value if key == "minlen"
+ end
+ end
+
+ pam_history = Pam.Query("pwhistory") || {}
+ pam_history.fetch("password", []).each do |entry|
+ key,value = entry.split("=")
+ if key == "remember" && value
+ @Settings["PASSWD_REMEMBER_HISTORY"] = value
+ end
+ end
+ log.debug "Settings (after #{__callee__}): #{@Settings}"
+ end
+
+ def read_permissions
+ perm = case @Settings["PERMISSION_SECURITY"].to_s
+ when /easy/
+ "easy"
+ when /paranoid/
+ "paranoid"
+ else
+ "secure"
+ end
+
+ @Settings["PERMISSION_SECURITY"] = perm
+
+ log.debug "PERMISSION SECURITY (after #{__callee__}): " \
+ "#{@Settings['PERMISSION_SECURITY']}"
+
+ perm
+ end
+
+ def read_polkit_settings
+ action = "org.freedesktop.upower.hibernate"
+
+ hibernate = SCR.Read(Builtins.add(path(".etc.polkit-default-privs_local"), action)).to_s
+
+ @Settings["HIBERNATE_SYSTEM"] = case hibernate
+ when "auth_admin:auth_admin:auth_admin"
+ "auth_admin"
+ when "yes:yes:yes"
+ "anyone"
+ else
+ "active_console"
+ end
+ log.debug "HIBERNATE_SYSTEM (after #{__callee__}): " \
+ "#{@Settings['HIBERNATE_SYSTEM']}"
end
# Read all security settings
@@ -373,107 +424,27 @@
# Read security settings
read_from_locations
- Builtins.y2milestone("Settings=%1", @Settings)
-
- Ops.set(@Settings, "CONSOLE_SHUTDOWN", ReadConsoleShutdown())
- Builtins.y2debug("Settings=%1", @Settings)
+ @Settings["CONSOLE_SHUTDOWN"] = ReadConsoleShutdown()
+ log.debug "Settings (after read console shutdown): #{@Settings}"
# Read runlevel setting
ReadServiceSettings()
- # Read pam settings
-
- method = Convert.to_string(
- SCR.Read(path(".etc.login_defs.ENCRYPT_METHOD"))
- )
- if method == nil ||
- !Builtins.contains(@encryption_methods, Builtins.tolower(method))
- method = "des"
- end
- Ops.set(@Settings, "PASSWD_ENCRYPTION", Builtins.tolower(method))
-
- # cracklib and pwhistory settings
- Ops.set(@Settings, "PASS_MIN_LEN", "5")
- Ops.set(@Settings, "PASSWD_USE_CRACKLIB", "no")
- Ops.set(@Settings, "PASSWD_REMEMBER_HISTORY", "0")
-
- pam_cracklib = Pam.Query("cracklib")
- if Ops.greater_than(Builtins.size(pam_cracklib), 0)
- Ops.set(@Settings, "PASSWD_USE_CRACKLIB", "yes")
- end
- # save the default value
- Ops.set(@Settings, "CRACKLIB_DICT_PATH", "/usr/lib/cracklib_dict")
- Builtins.foreach(Ops.get_list(pam_cracklib, "password", [])) do |val|
- lval = Builtins.splitstring(val, "=")
- if Builtins.issubstring(val, "dictpath=")
- Ops.set(
- @Settings,
- "CRACKLIB_DICT_PATH",
- Ops.get_string(lval, 1, "/usr/lib/cracklib_dict")
- )
- end
- if Builtins.issubstring(val, "minlen=") &&
- Ops.get_string(lval, 1, "") != ""
- Ops.set(@Settings, "PASS_MIN_LEN", Ops.get_string(lval, 1, "5"))
- end
- end
-
- pam_history = Pam.Query("pwhistory")
- Builtins.foreach(Ops.get_list(pam_history, "password", [])) do |val|
- lval = Builtins.splitstring(val, "=")
- if Builtins.issubstring(val, "remember=") &&
- Ops.get_string(lval, 1, "") != ""
- Ops.set(
- @Settings,
- "PASSWD_REMEMBER_HISTORY",
- Ops.get_string(lval, 1, "0")
- )
- end
- end
-
- Builtins.y2debug("Settings=%1", @Settings)
+ read_pam_settings
# Local permissions hack
+ read_permissions
- perm = Ops.get(@Settings, "PERMISSION_SECURITY", "")
- if Builtins.issubstring(perm, "easy")
- perm = "easy"
- elsif Builtins.issubstring(perm, "paranoid")
- perm = "paranoid"
- elsif Builtins.issubstring(perm, "secure")
- perm = "secure"
- else
- perm = "secure"
- end
- Ops.set(@Settings, "PERMISSION_SECURITY", perm)
- Builtins.y2debug("Settings=%1", @Settings)
-
- # read local polkit settings
- action = "org.freedesktop.upower.hibernate"
- hibernate = Convert.to_string(
- SCR.Read(Builtins.add(path(".etc.polkit-default-privs_local"), action))
- )
- if hibernate != nil
- Ops.set(@Settings, "HIBERNATE_SYSTEM", "active_console")
- if hibernate == "auth_admin:auth_admin:auth_admin"
- Ops.set(@Settings, "HIBERNATE_SYSTEM", "auth_admin")
- end
- if hibernate == "yes:yes:yes"
- Ops.set(@Settings, "HIBERNATE_SYSTEM", "anyone")
- end
- end
- Builtins.y2debug(
- "HIBERNATE_SYSTEM: %1",
- Ops.get(@Settings, "HIBERNATE_SYSTEM", "")
- )
+ read_polkit_settings
read_kernel_settings
- Builtins.y2debug("Settings=%1", @Settings)
# remember the read values
@Settings_bak = deep_copy(@Settings)
+
+ log.info "Settings after Read: #{@Settings}"
true
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/test/security_test.rb new/yast2-security-3.2.1/test/security_test.rb
--- old/yast2-security-3.2.0/test/security_test.rb 2015-09-24 17:06:13.000000000 +0200
+++ new/yast2-security-3.2.1/test/security_test.rb 2016-03-02 13:26:10.000000000 +0100
@@ -1,6 +1,7 @@
#!/usr/bin/env rspec
-require_relative 'test_helper'
+require_relative "test_helper"
+require "security/ctrl_alt_del_config"
def services_for(names, aliases = {})
names.map do |n|
@@ -24,7 +25,9 @@
self.properties = Struct::DummyProperties.new(aliases)
end
- def enabled?; true; end
+ def enabled?
+ true
+ end
end
import "Security"
@@ -72,7 +75,9 @@
context "with services that are aliases of optional services" do
let(:service_names) { %w(apparmor auditd anacron firewalld wicked rsyslog) }
- let(:aliases) { {"rsyslog" => "rsyslog.service syslog.service", "anacron" => "anacron cron"} }
+ let(:aliases) do
+ { "rsyslog" => "rsyslog.service syslog.service", "anacron" => "anacron cron" }
+ end
it "sets settings for extra services as 'secure'" do
expect(Security.Settings["EXTRA_SERVICES"]).to eq("secure")
@@ -115,16 +120,16 @@
end
it "does not write nil values" do
- expect(SCR).to_not receive(:Write).
- with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything)
+ expect(SCR).to_not receive(:Write)
+ .with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything)
Security.Settings["SMTPD_LISTEN_REMOTE"] = nil
Security.write_to_locations
end
it "does not write unchanged values" do
- expect(SCR).to_not receive(:Write).
- with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything)
+ expect(SCR).to_not receive(:Write)
+ .with(path(".sysconfig.mail.SMTPD_LISTEN_REMOTE"), anything)
Security.Settings["SMTPD_LISTEN_REMOTE"] = "no"
Security.write_to_locations
@@ -134,8 +139,8 @@
Security.Settings["AllowShutdown"] = "Root"
Security.write_to_locations
- expect(written_value_for(".kde4.kdmrc.AllowShutdown")).
- to eq("Root")
+ expect(written_value_for(".kde4.kdmrc.AllowShutdown"))
+ .to eq("Root")
expect(was_written?(".kde4.kdmrc")).to eq(true)
end
@@ -185,8 +190,8 @@
Security.Settings["net.ipv4.ip_forward"] = "1"
Security.write_kernel_settings
- expect(written_value_for(".etc.sysctl_conf.net.ipv4.ip_forward")).
- to eq("1")
+ expect(written_value_for(".etc.sysctl_conf.net.ipv4.ip_forward"))
+ .to eq("1")
expect(was_written?(".etc.sysctl_conf")).to eq(true)
end
end
@@ -207,5 +212,386 @@
end
end
end
+
+ describe "#ReadConsoleShutdown" do
+ let(:ctrl_alt_del_file) { "/etc/systemd/system/ctrl-alt-del.target" }
+ let(:target_link) { "/usr/lib/systemd/system/poweroff.target" }
+
+ context "when systemd is installed" do
+
+ context "on a non s390 architecture" do
+ before do
+ allow(Arch).to receive(:s390) { false }
+ end
+
+ context "when ctrl+alt+del file not exist" do
+ it "returns 'reboot'" do
+ allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { false }
+
+ expect(Security.ReadConsoleShutdown).to eql("reboot")
+ end
+ end
+
+ context "when ctrl+del+alt file exist" do
+ before do
+ allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { true }
+ end
+
+ it "returns 'ignore' by default" do
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return("dummy_file")
+
+ expect(Security.ReadConsoleShutdown).to eql("ignore")
+ end
+
+ it "returns 'halt' if links to poweroff.target" do
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return(target_link)
+
+ expect(Security.ReadConsoleShutdown).to eql("halt")
+ end
+
+ it "returns 'reboot' if links to reboot.target" do
+ target_link = "/usr/lib/systemd/system/reboot.target"
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return(target_link)
+
+ expect(Security.ReadConsoleShutdown).to eql("reboot")
+ end
+
+ it "returns 'reboot' if links to ctrl-alt-del.target" do
+ target_link = "/usr/lib/systemd/system/ctrl-alt-del.target"
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return(target_link)
+
+ expect(Security.ReadConsoleShutdown).to eql("reboot")
+ end
+
+ end
+ end
+
+ context "on a s390 architecture" do
+ before do
+ allow(Arch).to receive(:s390) { true }
+ end
+
+ context "when ctrl+alt+del file not exist" do
+ it "returns 'reboot'" do
+ allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { false }
+
+ expect(Security.ReadConsoleShutdown).to eql("halt")
+ end
+ end
+
+ context "when ctrl+del+alt file exist" do
+ before do
+ allow(FileUtils).to receive(:Exists).with(ctrl_alt_del_file) { true }
+ end
+
+ it "returns 'ignore' by default" do
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return("dummy_file")
+
+ expect(Security.ReadConsoleShutdown).to eql("ignore")
+ end
+
+ it "returns 'halt' if links to poweroff.target" do
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return(target_link)
+
+ expect(Security.ReadConsoleShutdown).to eql("halt")
+ end
+
+ it "returns 'reboot' if links to reboot.target" do
+ target_link = "/usr/lib/systemd/system/reboot.target"
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return(target_link)
+
+ expect(Security.ReadConsoleShutdown).to eql("reboot")
+ end
+
+ it "returns 'halt' if links to ctrl-alt-del.target" do
+ target_link = "/usr/lib/systemd/system/ctrl-alt-del.target"
+ allow(SCR).to receive(:Read).with(path(".target.symlink"), ctrl_alt_del_file)
+ .and_return(target_link)
+
+ expect(Security.ReadConsoleShutdown).to eql("halt")
+ end
+
+ end
+ end
+ end
+
+ context "when systemd is not installed but inittab exist" do
+ before do
+ allow(Package).to receive(:Installed).with("systemd") { false }
+ end
+
+ it "always returns nil" do
+ allow(FileUtils).to receive(:Exists).with("/etc/inittab")
+ .and_return(false, true)
+ allow(::Security::CtrlAltDelConfig).to receive(:current)
+ .and_return("reboot", "halt")
+
+ expect(Security.ReadConsoleShutdown).to eql(nil)
+ expect(Security.ReadConsoleShutdown).to eql(nil)
+ end
+
+ context "on a non s390 architecture" do
+ before do
+ allow(Arch).to receive(:s390) { false }
+ allow(::Security::CtrlAltDelConfig).to receive(:inittab?) { true }
+ end
+
+ context "when no inittab ca entry" do
+ it "returns 'reboot'" do
+ allow(FileUtils).to receive(:Exists).with("/etc/inittab") { false }
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("reboot")
+ end
+ end
+
+ context "when inittab ca entry exist" do
+ before do
+ allow(FileUtils).to receive(:Exists).with("/etc/inittab") { true }
+ end
+
+ it "sets settings for shutdown as 'ignore' by default" do
+ allow(SCR).to receive(:Read).with(path(".etc.inittab.ca"))
+ .and_return("12345:ctrlaltdel:/bin/false")
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("ignore")
+ end
+
+ it "sets settings for shutdown as 'halt' if contains 'halt' or ' -h'" do
+ allow(SCR).to receive(:Read).with(path(".etc.inittab.ca"))
+ .and_return("12345:ctrlaltdel:/sbin/shutdown -h now")
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("halt")
+ end
+
+ it "sets settings for shutdown as 'reboot' if contains 'reboot' or -r" do
+ allow(SCR).to receive(:Read).with(path(".etc.inittab.ca"))
+ .and_return("12345:ctrlaltdel:/sbin/shutdown -r now")
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("reboot")
+ end
+
+ end
+ end
+
+ context "on a s390 architecture" do
+ before do
+ allow(Arch).to receive(:s390) { true }
+ allow(::Security::CtrlAltDelConfig).to receive(:inittab?) { true }
+ end
+
+ context "when no inittab ca entry" do
+ it "returns 'halt'" do
+ allow(FileUtils).to receive(:Exists).with("/etc/inittab") { false }
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("halt")
+ end
+ end
+
+ context "when inittab ca entry exist" do
+ before do
+ allow(FileUtils).to receive(:Exists).with("/etc/inittab") { true }
+ end
+
+ it "sets settings for shutdown as 'ignore' by default" do
+ allow(SCR).to receive(:Read).with(path(".etc.inittab.ca"))
+ .and_return("12345:ctrlaltdel:/bin/echo 'Not implemented'")
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("ignore")
+ end
+
+ it "sets settings for shutdown as 'halt' if contains 'halt' or ' -h'" do
+ allow(SCR).to receive(:Read).with(path(".etc.inittab.ca"))
+ .and_return("12345:/sbin/shutdown -h now")
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("halt")
+ end
+
+ it "sets settings for shutdown as 'reboot' if contains 'reboot' or -r" do
+ allow(SCR).to receive(:Read).with(path(".etc.inittab.ca"))
+ .and_return("12345:ctrlaltdel:/sbin/shutdown -r now")
+
+ Security.ReadConsoleShutdown
+ expect(Security.Settings["CONSOLE_SHUTDOWN"]).to eq("reboot")
+ end
+
+ end
+ end
+ end
+ end
+
+ describe "#read_pam_settings" do
+ before do
+ change_scr_root(File.join(DATA_PATH, "system"))
+ end
+
+ after do
+ reset_scr_root
+ end
+
+ it "sets passwd encryption setting based on /etc/login.defs" do
+ allow(Pam).to receive(:Query)
+
+ expect(Security.Settings["PASSWD_ENCRYPTION"]).to eql("sha512")
+ Security.read_pam_settings
+ end
+
+ it "sets cracklib settings" do
+ allow(Pam).to receive(:Query).with("pwhistory")
+ allow(Pam).to receive(:Query).with("cracklib")
+ .and_return("password" => ["dictpath=/shared/cracklib_dict", "minlen="])
+
+ Security.read_pam_settings
+ expect(Security.Settings["PASSWD_USE_CRACKLIB"]).to eql("yes")
+ expect(Security.Settings["CRACKLIB_DICT_PATH"]).to eql("/shared/cracklib_dict")
+ expect(Security.Settings["PASS_MIN_LEN"]).to eql("5")
+ end
+
+ it "sets password remember history settings" do
+ allow(Pam).to receive(:Query).with("cracklib")
+ allow(Pam).to receive(:Query).with("pwhistory")
+ .and_return("password" => ["remember=5"])
+
+ Security.read_pam_settings
+ expect(Security.Settings["PASSWD_REMEMBER_HISTORY"]).to eql("5")
+ end
+ end
+
+ describe "#read_permissions" do
+
+ context "depending on current persission" do
+ it "sets security permission to 'easy' if contains easy" do
+ Security.Settings["PERMISSION_SECURITY"] = "it_is_easy_to_test"
+
+ expect(Security.read_permissions).to eql("easy")
+ expect(Security.Settings["PERMISSION_SECURITY"]).to eql("easy")
+ end
+
+ it "sets security permission to 'paranoid' if contains paranoid" do
+ Security.Settings["PERMISSION_SECURITY"] = "paranoid_permission"
+
+ expect(Security.read_permissions).to eql("paranoid")
+ expect(Security.Settings["PERMISSION_SECURITY"]).to eql("paranoid")
+ end
+
+ it "sets secure by default" do
+ Security.Settings["PERMISSION_SECURITY"] = nil
+
+ expect(Security.read_permissions).to eql("secure")
+ expect(Security.Settings["PERMISSION_SECURITY"]).to eql("secure")
+ end
+ end
+
+ end
+
+ describe "#read_polkit_settings" do
+ let(:polkit) do
+ path(".etc.polkit-default-privs_local") + "org.freedesktop.upower.hibernate"
+ end
+
+ context "depending on current polkit config" do
+
+ it "sets correctly hibernate system settings to 'anyone'" do
+ allow(SCR).to receive(:Read).with(polkit) { "yes:yes:yes" }
+
+ Security.read_polkit_settings
+ expect(Security.Settings["HIBERNATE_SYSTEM"]).to eql("anyone")
+ end
+
+ it "sets correctly hibernate settings to 'auth_admin'" do
+ allow(SCR).to receive(:Read).with(polkit) { "auth_admin:auth_admin:auth_admin" }
+
+ Security.read_polkit_settings
+ expect(Security.Settings["HIBERNATE_SYSTEM"]).to eql("auth_admin")
+ end
+ it "sets correctly hibernate settings to 'active_console' as default" do
+ allow(SCR).to receive(:Read).with(polkit) { "any_other_entry" }
+
+ Security.read_polkit_settings
+ expect(Security.Settings["HIBERNATE_SYSTEM"]).to eql("active_console")
+ end
+ end
+
+ end
+
+ describe "#read_kernel_settings" do
+ before do
+ change_scr_root(File.join(DATA_PATH, "system"))
+ Security.Settings["kernel.sysrq"] = nil
+ Security.Settings["net.ipv4.tcp_syncookies"] = nil
+ Security.Settings["net.ipv4.ip_forward"] = nil
+ Security.Settings["net.ipv6.conf.all.forwarding"] = nil
+
+ Security.read_kernel_settings
+ end
+
+ after do
+ reset_scr_root
+ end
+
+ it "sets kernel settings based on /etc/sysctl.conf" do
+ expect(Security.Settings["kernel.sysrq"]).to eql("0")
+ expect(Security.Settings["net.ipv4.tcp_syncookies"]).to eql("1")
+ expect(Security.Settings["net.ipv4.ip_forward"]).to eql("0")
+ expect(Security.Settings["net.ipv6.conf.all.forwarding"]).to eql("0")
+ end
+ end
+
+ describe "#read_from_locations" do
+ before do
+ change_scr_root(File.join(DATA_PATH, "system"))
+ allow(SCR).to receive(:Read).with(path(".kde4.kdmrc.AllowShutdown"))
+ .and_return("All")
+ Security.read_from_locations
+ end
+
+ after do
+ reset_scr_root
+ end
+
+ it "sets login definitions based on /etc/login.defs" do
+ expect(Security.Settings["FAIL_DELAY"]).to eql("3")
+ end
+
+ it "sets kde4 allow shutdown based on kdmrc" do
+ expect(Security.Settings["AllowShutdown"]).to eql("All")
+ end
+
+ it "sets different settings based on /etc/sysconfig/*" do
+ expect(Security.Settings["DISPLAYMANAGER_REMOTE_ACCESS"]).to eql("yes")
+ expect(Security.Settings["DISPLAYMANAGER_ROOT_LOGIN_REMOTE"]).to eql("yes")
+ expect(Security.Settings["DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN"]).to eql("no")
+ expect(Security.Settings["PERMISSION_SECURITY"]).to eql("easy local")
+ expect(Security.Settings["DISABLE_RESTART_ON_UPDATE"]).to eql("no")
+ end
+
+ end
+
+ describe "#Read" do
+ it "reads settings and returns true" do
+ expect(Security).to receive(:read_from_locations)
+ expect(Security).to receive(:ReadConsoleShutdown)
+ expect(Security).to receive(:ReadServiceSettings)
+ expect(Security).to receive(:read_pam_settings)
+ expect(Security).to receive(:read_permissions)
+ expect(Security).to receive(:read_polkit_settings)
+
+ expect(Security.Read).to eql(true)
+ end
+ end
+
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/testsuite/tests/Read.out new/yast2-security-3.2.1/testsuite/tests/Read.out
--- old/yast2-security-3.2.0/testsuite/tests/Read.out 2015-09-24 17:06:13.000000000 +0200
+++ new/yast2-security-3.2.1/testsuite/tests/Read.out 1970-01-01 01:00:00.000000000 +0100
@@ -1,95 +0,0 @@
-Read .etc.login_defs.FAIL_DELAY "l2"
-Read .etc.login_defs.GID_MAX "l3"
-Read .etc.login_defs.GID_MIN "l4"
-Read .etc.login_defs.PASS_MAX_DAYS "l7"
-Read .etc.login_defs.PASS_MIN_DAYS "l9"
-Read .etc.login_defs.PASS_WARN_AGE "l11"
-Read .etc.login_defs.UID_MAX "l12"
-Read .etc.login_defs.UID_MIN "l13"
-Read .etc.login_defs.SYS_UID_MAX nil
-Read .etc.login_defs.SYS_UID_MIN nil
-Read .etc.login_defs.SYS_GID_MAX nil
-Read .etc.login_defs.SYS_GID_MIN nil
-Read .etc.login_defs.USERADD_CMD "l18"
-Read .etc.login_defs.USERDEL_PRECMD "l19"
-Read .etc.login_defs.USERDEL_POSTCMD "l20"
-Read .kde4.kdmrc.AllowShutdown "r3"
-Read .target.size "/etc/sysconfig/clock" 1
-Read .sysconfig.clock.SYSTOHC "r12"
-Read .target.size "/etc/sysconfig/cron" 1
-Read .sysconfig.cron.SYSLOG_ON_NO_ERROR "r15"
-Read .target.size "/etc/sysconfig/displaymanager" 1
-Read .sysconfig.displaymanager.DISPLAYMANAGER_REMOTE_ACCESS "r9"
-Read .target.size "/etc/sysconfig/displaymanager" 1
-Read .sysconfig.displaymanager.DISPLAYMANAGER_ROOT_LOGIN_REMOTE "r16"
-Read .target.size "/etc/sysconfig/displaymanager" 1
-Read .sysconfig.displaymanager.DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN "r17"
-Read .target.size "/etc/sysconfig/locate" 1
-Read .sysconfig.locate.RUN_UPDATEDB_AS "r7"
-Read .target.size "/etc/sysconfig/mail" 1
-Read .sysconfig.mail.SMTPD_LISTEN_REMOTE "r18"
-Read .target.size "/etc/sysconfig/security" 1
-Read .sysconfig.security.PERMISSION_SECURITY "paranoid"
-Read .target.size "/etc/sysconfig/services" 1
-Read .sysconfig.services.DISABLE_RESTART_ON_UPDATE nil
-Read .target.size "/etc/sysconfig/services" 1
-Read .sysconfig.services.DISABLE_STOP_ON_REMOVAL nil
-Read .target.symlink "/etc/systemd/system/ctrl-alt-del.target" nil
-Read .etc.login_defs.ENCRYPT_METHOD "garbage"
-Execute .target.bash_output "/usr/sbin/pam-config -q --cracklib" $["exit":0, "stderr":"", "stdout":""]
-Execute .target.bash_output "/usr/sbin/pam-config -q --pwhistory" $["exit":0, "stderr":"", "stdout":""]
-Read .etc.polkit-default-privs_local."org.freedesktop.upower.hibernate" "r12"
-Read .etc.sysctl_conf."kernel.sysrq" "r8"
-Read .etc.sysctl_conf."net.ipv4.ip_forward" "r10"
-Read .etc.sysctl_conf."net.ipv4.tcp_syncookies" "r9"
-Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "r11"
-Return true
-Dump des
-Read .etc.login_defs.FAIL_DELAY nil
-Read .etc.login_defs.GID_MAX "l3"
-Read .etc.login_defs.GID_MIN "l4"
-Read .etc.login_defs.PASS_MAX_DAYS "l7"
-Read .etc.login_defs.PASS_MIN_DAYS "l9"
-Read .etc.login_defs.PASS_WARN_AGE "l11"
-Read .etc.login_defs.UID_MAX "l12"
-Read .etc.login_defs.UID_MIN "l13"
-Read .etc.login_defs.SYS_UID_MAX nil
-Read .etc.login_defs.SYS_UID_MIN nil
-Read .etc.login_defs.SYS_GID_MAX nil
-Read .etc.login_defs.SYS_GID_MIN nil
-Read .etc.login_defs.USERADD_CMD "l18"
-Read .etc.login_defs.USERDEL_PRECMD "l19"
-Read .etc.login_defs.USERDEL_POSTCMD "l20"
-Read .kde4.kdmrc.AllowShutdown "r3"
-Read .target.size "/etc/sysconfig/clock" 1
-Read .sysconfig.clock.SYSTOHC "r12"
-Read .target.size "/etc/sysconfig/cron" 1
-Read .sysconfig.cron.SYSLOG_ON_NO_ERROR "r15"
-Read .target.size "/etc/sysconfig/displaymanager" 1
-Read .sysconfig.displaymanager.DISPLAYMANAGER_REMOTE_ACCESS "r9"
-Read .target.size "/etc/sysconfig/displaymanager" 1
-Read .sysconfig.displaymanager.DISPLAYMANAGER_ROOT_LOGIN_REMOTE "r16"
-Read .target.size "/etc/sysconfig/displaymanager" 1
-Read .sysconfig.displaymanager.DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN "r17"
-Read .target.size "/etc/sysconfig/locate" 1
-Read .sysconfig.locate.RUN_UPDATEDB_AS "r7"
-Read .target.size "/etc/sysconfig/mail" 1
-Read .sysconfig.mail.SMTPD_LISTEN_REMOTE "r18"
-Read .target.size "/etc/sysconfig/security" 1
-Read .sysconfig.security.PERMISSION_SECURITY "paranoid"
-Read .target.size "/etc/sysconfig/services" 1
-Read .sysconfig.services.DISABLE_RESTART_ON_UPDATE nil
-Read .target.size "/etc/sysconfig/services" 1
-Read .sysconfig.services.DISABLE_STOP_ON_REMOVAL nil
-Read .target.symlink "/etc/systemd/system/ctrl-alt-del.target" nil
-Read .etc.login_defs.ENCRYPT_METHOD "SHA512"
-Execute .target.bash_output "/usr/sbin/pam-config -q --cracklib" $["exit":0, "stderr":"", "stdout":""]
-Execute .target.bash_output "/usr/sbin/pam-config -q --pwhistory" $["exit":0, "stderr":"", "stdout":""]
-Read .etc.polkit-default-privs_local."org.freedesktop.upower.hibernate" "r12"
-Read .etc.sysctl_conf."kernel.sysrq" "r8"
-Read .etc.sysctl_conf."net.ipv4.ip_forward" "r10"
-Read .etc.sysctl_conf."net.ipv4.tcp_syncookies" "r9"
-Read .etc.sysctl_conf."net.ipv6.conf.all.forwarding" "r11"
-Return true
-Dump none
-Dump sha512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-3.2.0/testsuite/tests/Read.rb new/yast2-security-3.2.1/testsuite/tests/Read.rb
--- old/yast2-security-3.2.0/testsuite/tests/Read.rb 2015-09-24 17:06:13.000000000 +0200
+++ new/yast2-security-3.2.1/testsuite/tests/Read.rb 1970-01-01 01:00:00.000000000 +0100
@@ -1,122 +0,0 @@
-# encoding: utf-8
-
-# YaST2: Modules testsuite
-#
-# Description:
-# Testsuite for the security module
-#
-# Authors:
-# Michal Svec