Hello community,
here is the log from the commit of package webyast-base-ws for openSUSE:Factory
checked in at Fri Jan 14 11:56:05 CET 2011.
--------
New Changes file:
--- /dev/null 2010-08-26 16:28:41.000000000 +0200
+++ /mounts/work_src_done/STABLE/webyast-base-ws/webyast-base-ws.changes 2011-01-06 14:29:03.000000000 +0100
@@ -0,0 +1,589 @@
+-------------------------------------------------------------------
+Thu Jan 6 13:14:29 UTC 2011 - lslezak@suse.cz
+
+- fixed patching passenger_root in nginx.conf file
+- symlink additional nginx files (instead of hard copying)
+- 0.2.10
+
+-------------------------------------------------------------------
+Mon Dec 27 10:57:28 UTC 2010 - lslezak@suse.cz
+
+- temporarily disabled YastServiceTest - it gets stuck in
+ FACTORY/i586 build (workaround for bnc#661473)
+- 0.2.9
+
+-------------------------------------------------------------------
+Wed Dec 22 12:06:26 UTC 2010 - lslezak@suse.cz
+
+- use rubygem-ruby-dbus instead of ruby-dbus in FACTORY/11.4
+- 0.2.8
+
+-------------------------------------------------------------------
+Wed Dec 22 10:22:48 UTC 2010 - lslezak@suse.cz
+
+- added webyast-base-ws-rpmlintrc with disabled Dbus and PolicyKit
+ checks (so it builds in FACTORY/11.4)
+- 0.2.7
+
+-------------------------------------------------------------------
+Wed Dec 15 13:48:20 UTC 2010 - schubi@novell.com
+
+- switching to nginx
+ http://lists.opensuse.org/yast-devel/2010-12/msg00000.html
+- 0.2.6
+
+-------------------------------------------------------------------
+Wed Sep 15 16:13:01 UTC 2010 - schubi@novell.com
+
+- restart service correctly if the package has been renamed (bnc#637779)
+- 0.2.5
+
+-------------------------------------------------------------------
+Tue Sep 14 10:49:15 UTC 2010 - jreidinger@novell.com
+
+- VUL0: fix regex in permission service (bnc#616267)
+- 0.2.4
+
+-------------------------------------------------------------------
+Tue Sep 7 14:45:46 CEST 2010 - mvidner@suse.cz
+
+- reload D-Bus config explicitly (bnc#635826).
+- BuildRequire the more recent rubygem variants of polkit and rpam (bnc#636781)
+- 0.2.3
+
+-------------------------------------------------------------------
+Fri Aug 27 14:45:07 CEST 2010 - mzugec@suse.cz
+
+- configuration for logrotate (bnc#634404)
+- 0.2.2
+
+-------------------------------------------------------------------
+Wed Aug 25 18:08:09 CEST 2010 - mkudlvasr@suse.cz
+
+- Added BackgroundManager.process_exists? (for SLMS)
+
+-------------------------------------------------------------------
+Mon Aug 23 12:37:45 UTC 2010 - jreidinger@novell.com
+
+- add url to spec file (bnc#625537)
+- 0.2.1
+
+-------------------------------------------------------------------
+Thu Jul 29 08:14:08 UTC 2010 - jreidinger@novell.com
+
+- fix setting permissions to Samba users (bnc#624243)
+- 0.2.0
+
+-------------------------------------------------------------------
+Wed Jul 21 09:53:57 UTC 2010 - jreidinger@novell.com
+
+- fix path in yastws service
+- add ability to tell matching background process
+- 0.1.27
+
+-------------------------------------------------------------------
+Thu Jul 15 14:12:29 UTC 2010 - jreidinger@novell.com
+
+- reingrate changes from 1.0 maintenance
+- enable again rpam as it provide speed up for LDAP and AD
+- 0.1.26
+
+-------------------------------------------------------------------
+Tue Jul 13 11:21:24 UTC 2010 - jreidinger@novell.com
+
+- reduce dependency ( provide own yast-ui so it need not install
+ yast2-gtk with all of its dependencies )
+- 0.1.25
+
+-------------------------------------------------------------------
+Thu Jul 8 14:25:21 UTC 2010 - jreidinger@novell.com
+
+- fix caching for permissions
+- 0.1.24
+
+-------------------------------------------------------------------
+Thu Jul 8 10:20:22 UTC 2010 - jreidinger@novell.com
+
+- add test with real activeResource
+- remove obsolete roles configuration
+- 0.1.23
+
+-------------------------------------------------------------------
+Wed Jun 30 15:06:57 CEST 2010 - jreidinger@novell.com
+
+- simplify permissions module
+- switched Resource to BaseModel (maintenance, better to_json performance)
+- fixed setting a custom bug reporting URL(bnc#596558)
+- changed the format of JSON output to be parsable by ActiveResource
+- test for failure of generating the session secret (bnc#614037)
+- rename session_key to key as it is key from rails-2_3
+- improve logging of unknown exception and properly report it to frontend
+- move other testsuite requires to shared helper
+- enabled deploying for other users than yastws (mvidner)
+
+-------------------------------------------------------------------
+Mon May 31 11:59:22 CEST 2010 - schubi@suse.de
+
+- enabled translation, with rubygem-http_accept_language
+
+-------------------------------------------------------------------
+Fri May 28 13:55:47 UTC 2010 - jreidinger@novell.com
+
+- removed obsolete tests
+- properly pack DBus error as backend exception
+- BackendException is abstract exception (bnc#601941)
+- add granting method to permission model
+- filter nonsuse permission only if no filter is passed
+- grantwebyastrights is not a config file
+- add service for granting and revoking permissions
+
+-------------------------------------------------------------------
+Fri May 7 11:02:07 UTC 2010 - jreidinger@novell.com
+
+- user is logged in for 2 hours (instead 1 day) (bnc#583237)
+- 0.1.22
+
+-------------------------------------------------------------------
+Tue May 4 14:26:35 CEST 2010 - mvidner@suse.cz
+
+- Run a separate session bus for build-time tests (broken in 0.1.19)
+- 0.1.21
+
+-------------------------------------------------------------------
+Tue May 4 08:42:00 CEST 2010 - mvidner@suse.cz
+
+- Added CollectionResourceTests, companion to PluginBasicTests
+ (bnc#600097)
+- 0.1.20
+
+-------------------------------------------------------------------
+Mon May 3 12:50:32 UTC 2010 - kkaempf@novell.com
+
+- Report missing permission as 403:Forbidden (bnc#598794)
+- 0.1.19
+
+-------------------------------------------------------------------
+Fri Apr 30 12:52:05 UTC 2010 - jreidinger@novell.com
+
+- unify *.spec files (bnc#560061)
+- 0.1.18
+
+-------------------------------------------------------------------
+Wed Apr 28 10:31:30 UTC 2010 - jreidinger@novell.com
+
+- remove from configuration rails.inc which is removed and cleanup
+ lighttpd configuration (bnc#600389)
+- 0.1.17
+
+-------------------------------------------------------------------
+Tue Apr 27 11:41:42 UTC 2010 - jreidinger@novell.com
+
+- fix routing issue in resource controller (bnc#600060)
+- 0.1.16
+
+-------------------------------------------------------------------
+Tue Apr 27 07:55:20 UTC 2010 - jreidinger@novell.com
+
+- permission check accept also symbol
+- 0.1.15
+
+-------------------------------------------------------------------
+Mon Apr 26 13:43:44 UTC 2010 - schubi@novell.com
+
+- removed not needed cleanurl-v5.lua
+
+-------------------------------------------------------------------
+Fri Apr 23 13:09:55 UTC 2010 - jreidinger@novell.com
+
++++ 392 more lines (skipped)
++++ between /dev/null
++++ and /mounts/work_src_done/STABLE/webyast-base-ws/webyast-base-ws.changes
calling whatdependson for head-i586
New:
----
grantwebyastrights
nginx.conf
org.opensuse.yast.permissions.policy
webyast
webyast-base-ws.changes
webyast-base-ws-rpmlintrc
webyast-base-ws.spec
webyast.permissions.conf
webyastPermissionsService.rb
webyast.permissions.service.service
webyast-ws.lr.conf
www.tar.bz2
yast_user_roles
yastws
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ webyast-base-ws.spec ++++++
#
# spec file for package webyast-base-ws
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: webyast-base-ws
Provides: yast2-webservice = %{version}
Obsoletes: yast2-webservice < %{version}
%if 0%{?suse_version} == 0 || %suse_version > 1110
# 11.2 or newer
%if 0%{?suse_version} > 1120
# since 11.3, they are in a separate subpackage
Requires: sysvinit-tools
%else
# Require startproc respecting -p, bnc#559534#c44
Requires: sysvinit > 2.86-215.2
%endif
Requires: yast2-core >= 2.18.10
%else
# 11.1 or SLES11
Requires: yast2-core >= 2.17.30.1
Requires: sysvinit > 2.86-195.3.1
%endif
Requires: nginx-passenger
Requires: ruby-fcgi, sqlite, syslog-ng
%if 0%{?suse_version} == 0 || %suse_version <= 1130
Requires: ruby-dbus
%else
Requires: rubygem-ruby-dbus
%endif
Requires: rubygem-webyast-rake-tasks, rubygem-http_accept_language
Requires: yast2-dbus-server
# 634404
Recommends: logrotate
PreReq: PolicyKit, PackageKit, rubygem-rake, rubygem-sqlite3
PreReq: rubygem-rails-2_3 >= 2.3.4
PreReq: rubygem-rpam, rubygem-polkit, rubygem-gettext_rails
PreReq: yast2-runlevel
License: LGPLv2.1
Group: Productivity/Networking/Web/Utilities
Url: http://en.opensuse.org/Portal:WebYaST
AutoReqProv: on
Version: 0.2.10
Release: 1
Summary: WebYaST - base components for rest service
Source: www.tar.bz2
Source1: webyastPermissionsService.rb
Source2: webyast.permissions.conf
Source3: webyast.permissions.service.service
Source4: org.opensuse.yast.permissions.policy
Source5: grantwebyastrights
Source6: yast_user_roles
Source9: yastws
Source10: webyast
Source11: webyast-ws.lr.conf
Source12: nginx.conf
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: pkg-config ruby rubygem-mocha
# if we run the tests during build, we need most of Requires here too,
# except for deployment specific stuff
BuildRequires: rubygem-restility rubygem-webyast-rake-tasks
BuildRequires: dbus-1 sqlite yast2-core yast2-dbus-server
%if 0%{?suse_version} == 0 || %suse_version <= 1130
BuildRequires: ruby-dbus
%else
BuildRequires: rubygem-ruby-dbus
%endif
BuildRequires: PackageKit PolicyKit rubygem-sqlite3
BuildRequires: rubygem-rails-2_3 >= 2.3.4
BuildRequires: rubygem-polkit rubygem-rpam
# the testsuite is run during build
BuildRequires: rubygem-mocha rubygem-test-unit
BuildRequires: nginx-passenger
# This is for Hudson (build service) to setup the build env correctly
%if 0
BuildRequires: rubygem-test-unit
BuildRequires: rubygem-rcov >= 0.9.3.2
%endif
# we do not necessarily need any UI in case of WebYaST
Provides: yast2_ui
Provides: yast2_ui_pkg
# rpmlint warns about file duplicates, this should take care but
# doesn't build (?!)
#%if 0%{?suse_version} > 1020
#BuildRequires: fdupes
#%endif
BuildArch: noarch
%package testsuite
License: LGPLv2.1
Group: Productivity/Networking/Web/Utilities
Requires: webyast-base-ws = %{version}
Summary: Testsuite for webyast-base-ws package
#
%define pkg_home /var/lib/%{webyast_ws_user}
#
%description
WebYaST - Core components for REST based interface to system manipulation.
Authors:
--------
Duncan Mac-Vicar Prett
Klaus Kaempf
Bjoern Geuken
Stefan Schubert
%description testsuite
Testsuite for core WebYaST webservice package.
%prep
%setup -q -n www
%build
%check
# run the testsuite
RAILS_ENV=test rake db:migrate
RAILS_ENV=test $RPM_BUILD_ROOT%{webyast_ws_dir}/test/dbus-launch-simple rake test
#---------------------------------------------------------------
%install
#
# Install all web and frontend parts.
#
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/log/
cp -a * $RPM_BUILD_ROOT%{webyast_ws_dir}/
rm -f $RPM_BUILD_ROOT%{webyast_ws_dir}/log/*
rm -f $RPM_BUILD_ROOT%{webyast_ws_dir}/COPYING
touch $RPM_BUILD_ROOT%{webyast_ws_dir}/db/schema.rb
%{__install} -d -m 0755 \
%{buildroot}%{pkg_home}/sockets/ \
%{buildroot}%{pkg_home}/cache/ \
%{buildroot}%{_sbindir} \
%{buildroot}%{_var}/log/%{webyast_ws_user}
#
# init script
#
%{__install} -D -m 0755 %SOURCE9 \
%{buildroot}%{_sysconfdir}/init.d/%{webyast_ws_service}
%{__ln_s} -f %{_sysconfdir}/init.d/%{webyast_ws_service} %{buildroot}%{_sbindir}/rc%{webyast_ws_service}
#
# configure nginx web service
mkdir -p $RPM_BUILD_ROOT/etc/yastws/
install -m 0644 %SOURCE12 $RPM_BUILD_ROOT/etc/yastws/
# create symlinks to nginx config files
ln -s /etc/nginx/fastcgi.conf $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/fastcgi_params $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/koi-utf $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/koi-win $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/mime.types $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/scgi_params $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/uwsgi_params $RPM_BUILD_ROOT/etc/yastws
ln -s /etc/nginx/win-utf $RPM_BUILD_ROOT/etc/yastws
# Policies
mkdir -p $RPM_BUILD_ROOT/usr/share/PolicyKit/policy
install -m 0644 %SOURCE4 $RPM_BUILD_ROOT/usr/share/PolicyKit/policy/
install -m 0644 %SOURCE6 $RPM_BUILD_ROOT/etc/
install -m 0555 %SOURCE5 $RPM_BUILD_ROOT/usr/sbin/
# firewall service definition, bnc#545627
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services
install -m 0644 %SOURCE10 $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services
# logrotate configuration bnc#634404
mkdir $RPM_BUILD_ROOT/etc/logrotate.d
install -m 0644 %SOURCE11 $RPM_BUILD_ROOT/etc/logrotate.d
# create yastwsdirs (config, var and data)
mkdir -p $RPM_BUILD_ROOT/etc/webyast
mkdir -p $RPM_BUILD_ROOT/var/lib/yastws
mkdir -p $RPM_BUILD_ROOT/usr/share/yastws
# create empty tmp directory
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/cache
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/pids
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/sessions
mkdir -p $RPM_BUILD_ROOT%{webyast_ws_dir}/tmp/sockets
# install permissions service
mkdir -p $RPM_BUILD_ROOT/usr/sbin/
install -m 0500 %SOURCE1 $RPM_BUILD_ROOT/usr/sbin/
mkdir -p $RPM_BUILD_ROOT/etc/dbus-1/system.d/
install -m 0644 %SOURCE2 $RPM_BUILD_ROOT/etc/dbus-1/system.d/
mkdir -p $RPM_BUILD_ROOT/usr/share/dbus-1/system-services/
install -m 0444 %SOURCE3 $RPM_BUILD_ROOT/usr/share/dbus-1/system-services/
#create dummy update-script
mkdir -p %buildroot/var/adm/update-scripts
touch %buildroot/var/adm/update-scripts/%name-%version-%release-1
#---------------------------------------------------------------
%clean
rm -rf $RPM_BUILD_ROOT
#---------------------------------------------------------------
%pre
#
# e.g. adding user
#
/usr/sbin/groupadd -r %{webyast_ws_user} &>/dev/null ||:
/usr/sbin/useradd -g %{webyast_ws_user} -s /bin/false -r -c "User for YaST-Webservice" -d %{pkg_home} %{webyast_ws_user} &>/dev/null ||:
# services will not be restarted correctly if
# the package name will changed while the update
# So the service will be restarted by an update-script
# which will be called AFTER the installation
if /bin/rpm -q yast2-webservice > /dev/null ; then
echo "renaming yast2-webservice to webyast-base-ws"
if /sbin/yast runlevel summary service=yastws 2>&1|grep " 3 "|grep yastws >/dev/null ; then
echo "yastws is inserted into the runlevel"
echo "#!/bin/sh" > %name-%version-%release-1
echo "/sbin/yast runlevel add service=yastws" >> %name-%version-%release-1
echo "/usr/sbin/rcyastws restart" >> %name-%version-%release-1
else
if /usr/sbin/rcyastws status > /dev/null ; then
echo "yastws is running"
echo "#!/bin/sh" > %name-%version-%release-1
echo "/usr/sbin/rcyastws restart" >> %name-%version-%release-1
fi
fi
if [ -f %name-%version-%release-1 ] ; then
install -D -m 755 %name-%version-%release-1 /var/adm/update-scripts
rm %name-%version-%release-1
echo "Please check the service runlevels and restart WebYaST service with \"rcyastws restart\" if the update has not been called with zypper,yast or packagekit"
fi
fi
exit 0
#---------------------------------------------------------------
%post
%fillup_and_insserv %{webyast_ws_service}
#
#granting permissions for yastws
#
if [ `/usr/bin/polkit-auth --user %{webyast_ws_user} | grep -c "org.freedesktop.packagekit.system-update"` -eq 0 ]; then
# FIXME: remove ||: (don't hide errors), has to be correctly implemented for package update...
/usr/bin/polkit-auth --user %{webyast_ws_user} --grant org.freedesktop.packagekit.system-update > /dev/null ||:
fi
if [ `/usr/bin/polkit-auth --user %{webyast_ws_user} | grep -c "org.freedesktop.policykit.read"` -eq 0 ]; then
# FIXME: remove ||: (don't hide errors), has to be correctly implemented for package update...
/usr/bin/polkit-auth --user %{webyast_ws_user} --grant org.freedesktop.policykit.read > /dev/null ||:
fi
if [ `/usr/bin/polkit-auth --user %{webyast_ws_user} | grep -c "org.opensuse.yast.module-manager.import"` -eq 0 ]; then
# FIXME: remove ||: (don't hide errors), has to be correctly implemented for package update...
/usr/bin/polkit-auth --user %{webyast_ws_user} --grant org.opensuse.yast.module-manager.import > /dev/null ||:
fi
#
# granting all permissions for root
#
/usr/sbin/grantwebyastrights --user root --action grant > /dev/null ||:
#
# create database
#
cd %{webyast_ws_dir}
#migrate database
RAILS_ENV=production rake db:migrate
chown -R %{webyast_ws_user}: db
chown -R %{webyast_ws_user}: log
echo "Database is ready"
#
# patching nginx configuration
#
if [ -d /usr/lib64 ]; then
sed -i "s/passenger_root \/usr\/lib/passenger_root \/usr\/lib64/" /etc/yastws/nginx.conf
fi
#
# try-reload D-Bus config (bnc#635826)
#
dbus-send --print-reply --system --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig >/dev/null ||:
#---------------------------------------------------------------
%preun
%stop_on_removal %{webyast_ws_service}
#---------------------------------------------------------------
%postun
%restart_on_update %{webyast_ws_service}
%{insserv_cleanup}
#---------------------------------------------------------------
# restart yastws on nginx update (bnc#559534)
%triggerin -- nginx
%restart_on_update %{webyast_ws_service}
#---------------------------------------------------------------
%files
%defattr(-,root,root)
#this /etc/yastws is for ligght conf for yastws
%dir /etc/yastws
%dir %{webyast_ws_dir}
%dir %{_datadir}/PolicyKit
%dir %{_datadir}/PolicyKit/policy
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{pkg_home}
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{pkg_home}/sockets
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{pkg_home}/cache
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %dir %{_var}/log/%{webyast_ws_user}
#logrotate configuration file
%config(noreplace) /etc/logrotate.d/webyast-ws.lr.conf
#this /etc/webyast is for webyast configuration files
%dir /etc/webyast/
%dir %{_datadir}/yastws
%dir %attr(-,%{webyast_ws_user},root) /var/lib/yastws
%dir %{webyast_ws_dir}/db
%{webyast_ws_dir}/app
%{webyast_ws_dir}/db/migrate
%ghost %{webyast_ws_dir}/db/schema.rb
%{webyast_ws_dir}/doc
%{webyast_ws_dir}/lib
%{webyast_ws_dir}/public
%{webyast_ws_dir}/Rakefile
%{webyast_ws_dir}/script
%dir %{webyast_ws_dir}/config
%{webyast_ws_dir}/config/boot.rb
%{webyast_ws_dir}/config/database.yml
%{webyast_ws_dir}/config/environments
%{webyast_ws_dir}/config/initializers
%{webyast_ws_dir}/config/routes.rb
#also users can run granting script, as permissions is handled by policyKit right for granting permissions
%attr(555,root,root) /usr/sbin/grantwebyastrights
%attr(755,root,root) %{webyast_ws_dir}/start.sh
%attr(500,root,root) /usr/sbin/webyastPermissionsService.rb
%attr(444,root,root) /usr/share/dbus-1/system-services/webyast.permissions.service.service
%attr(644,root,root) %config /etc/dbus-1/system.d/webyast.permissions.conf
%doc %{webyast_ws_dir}/README
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %{webyast_ws_dir}/log
%attr(-,%{webyast_ws_user},%{webyast_ws_user}) %{webyast_ws_dir}/tmp
#nginx stuff
%config(noreplace) /etc/yastws/nginx.conf
%config /etc/yastws/fastcgi.conf
%config /etc/yastws/fastcgi_params
%config /etc/yastws/koi-utf
%config /etc/yastws/koi-win
%config /etc/yastws/mime.types
%config /etc/yastws/scgi_params
%config /etc/yastws/uwsgi_params
%config /etc/yastws/win-utf
%config /etc/sysconfig/SuSEfirewall2.d/services/webyast
%config /usr/share/PolicyKit/policy/org.opensuse.yast.permissions.policy
%config %{webyast_ws_dir}/config/environment.rb
%config(noreplace) /etc/yast_user_roles
%config %{_sysconfdir}/init.d/%{webyast_ws_service}
%{_sbindir}/rc%{webyast_ws_service}
%doc COPYING
%ghost %attr(755,root,root) /var/adm/update-scripts/%name-%version-%release-1
%files testsuite
%defattr(-,root,root)
%{webyast_ws_dir}/test
#---------------------------------------------------------------
%changelog
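Review bot: The `sed -i` in %post replaces `passenger_root /usr/lib` with `passenger_root /usr/lib64`, but the nginx.conf shipped in this commit already reads `passenger_root /usr/lib64/...`, so as the two files appear on this page the substitution would produce `/usr/lib6464` on a 64-bit system, and again on every update because the file is `%config(noreplace)`. Matching the trailing slash makes the edit idempotent: `sed -i 's|passenger_root /usr/lib/|passenger_root /usr/lib64/|' /etc/yastws/nginx.conf`. The nginx.conf comment says the init script also rewrites this option at start-up, which may mask the problem; that script is not fully visible here. In %pre, the restart script is assembled under a relative name in the scriptlet's working directory before being installed mode 755 into /var/adm/update-scripts; creating it with `mktemp` removes the dependence on that directory.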
++++++ grantwebyastrights ++++++
#!/usr/bin/ruby
#
#--
# Webyast Webservice framework
#
# Copyright (C) 2009, 2010 Novell, Inc.
# This library is free software; you can redistribute it and/or modify
# it only under the terms of version 2.1 of the GNU Lesser General Public
# License as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#++
#
# grantwebyastrights
#
# show, grant and revoke policies for YaST webservice
#
# run: grantwebyastrights
#
# FIXME grant really All rights to run webyast, (so also packagekit rights, hal rights for system plugin etc)
#
require 'fileutils'
require 'getoptlong'
$debug = 0
def usage why
STDERR.puts why
STDERR.puts ""
STDERR.puts "Usage: grantwebyastrights --user <user> --action (show|grant|revoke)"
STDERR.puts "NOTE: This program should be run by user root"
STDERR.puts ""
STDERR.puts "This call grant/revoke ALL permissions for the YaST Webservice."
STDERR.puts "In order to grant/revoke single rights use:"
STDERR.puts "polkit-auth --user <user> (--grant|-revoke) <policyname>"
STDERR.puts ""
STDERR.puts "In order to show all possible permissions use:"
STDERR.puts "polkit-action"
exit 1
end
options = GetoptLong.new(
[ "--user", GetoptLong::REQUIRED_ARGUMENT ],
[ "--action", GetoptLong::REQUIRED_ARGUMENT ]
)
user = nil
action = nil
begin
options.each do |opt, arg|
case opt
when "--user": user = arg
when "--action": action = arg
when "--debug": $debug += 1
end
end
rescue GetoptLong::InvalidOption => o
usage "Invalid option #{o}"
end
$debug = nil if $debug == 0
usage "excessive arguments" unless ARGV.empty?
usage "user parameter missing" unless user
usage "action parameter (show|grant|revoke) missing" unless action
SuseString = "org.opensuse.yast"
def webyast_perm?(perm)
return (perm.include? SuseString) && (not perm.include? ".scr")
end
def granted_perms(user)
perms = `polkit-auth --user '#{user}' --explicit`
#do NOT raise if an error happens here cause while the package installation this call returns always an error
# raise "polkit-auth failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero?
perms = perms.split "\n"
perms.reject! { |perm| not webyast_perm?(perm) }
return perms
end
def webyast_perms
perms = `polkit-action`
raise "polkit-action failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero?
perms = perms.split "\n"
perms.reject! { |perm| not webyast_perm?(perm) }
return perms
end
begin
case action
when "grant" then
granted = granted_perms user
non_granted = webyast_perms.reject{ |perm| granted.include? perm }
non_granted.each do |policy|
STDOUT.puts "granting: #{policy}"
out = `polkit-auth --user '#{user}' --grant '#{policy}'`
#do NOT raise if an error happens here cause while the package installation this call can return an error for already existing
#permissions ( It is not possible to check this before)
#raise "Granting permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero?
end
when "show"
STDOUT.puts granted_perms(user).join("\n")
when "revoke"
granted = granted_perms user
granted.each do |policy|
STDOUT.puts "revoking: #{policy}"
out = `polkit-auth --user '#{user}' --revoke '#{policy}'`
raise "Revoking permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero?
end
end
rescue Exception => e
STDERR.puts e.message
Process.exit! 1
end
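Review bot: `granted_perms` and the grant and revoke loops interpolate the `--user` value into backtick commands (`polkit-auth --user '#{user}' ...`), so the value is parsed by a shell and the surrounding single quotes are the only barrier. The spec installs this script mode 555 and %post runs it as root, so `user` should be validated once after option parsing, for example `usage "invalid user name" unless user =~ /\A[A-Za-z_][A-Za-z0-9_.-]*\z/`. The pattern would need extending if domain accounts must be accepted, as USER_WITH_DOMAIN_REGEX does in webyastPermissionsService.rb. Separately, `--debug` is handled in the `case` but never declared in `GetoptLong.new`, so passing it ends in the usage error.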
++++++ nginx.conf ++++++
user yastws yastws;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/yastws.pid;
events {
worker_connections 1024;
}
http {
# Note: passenger_root option is automatically updated by
# /etc/init.d/yastws script at start up
passenger_root /usr/lib64/ruby/gems/1.8/gems/passenger-3.0.1;
passenger_ruby /usr/bin/ruby;
passenger_pool_idle_time 300;
passenger_min_instances 0;
passenger_default_user yastws;
passenger_user yastws;
passenger_max_pool_size 1;
passenger_max_instances_per_app 1;
passenger_spawn_method conservative;
client_body_temp_path /var/lib/nginx/tmp_yastws 1 2;
fastcgi_temp_path /var/lib//nginx/fastcgi_yastws 1 2;
proxy_temp_path /var/lib//nginx/proxy_yastws 1 2;
include mime.types;
default_type application/octet-stream;
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 4984;
server_name localhost;
root /srv/www/yastws/public;
passenger_enabled on;
rails_framework_spawner_idle_time 300;
rails_app_spawner_idle_time 300;
}
}
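Review bot: `listen 4984;` in the `server` block binds every address and nothing in this file enables TLS, while the SuSEfirewall2 service definition in the same commit opens TCP 4984. Unless TLS is terminated somewhere not shown here, whatever credentials and session data this system-management REST service accepts would cross the network in cleartext. If only a front end on the same host talks to it, `listen 127.0.0.1:4984;` limits the exposure; otherwise the listener needs `ssl` with a certificate and key configured.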
++++++ webyast ++++++
# SuSEfirewall2 service definition
## Name: WebYaST
## Description: The back end of WebYaST, http://en.opensuse.org/WebYaST
# space separated list of allowed TCP ports
TCP="4984"
++++++ webyast-base-ws-rpmlintrc ++++++
# ignore security warnings (unauthorized DBus service and it's permissions) for now
addFilter("E: suse-dbus-unauthorized-service")
addFilter("I: polkit-unauthorized-privilege")
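Review bot: Both filters switch off the rpmlint checks that flag an unreviewed D-Bus system service and an unreviewed polkit privilege, and this commit ships exactly those: the root-activated `webyast.permissions.service` and `org.opensuse.yast.permissions.policy`. The comment says "for now" but names no follow-up. Tie the suppression to the audit request so it is not forgotten, e.g. `# TODO: drop once the security team has reviewed the service (bnc#<AUDIT_BUG_PLACEHOLDER>)`.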
++++++ webyast.permissions.conf ++++++
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="webyast.permissions.service" />
<allow send_destination="webyast.permissions.service" />
</policy>
<!-- anyone can call service as it is protected by policyKit -->
<policy context="default">
<allow send_destination="webyast.permissions.service" />
</policy>
</busconfig>
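Review bot: The default-context rule `<allow send_destination="webyast.permissions.service" />` lets every local user send any message to a service that runs as root, so the PolicyKit check inside the service is the only authorization barrier. Restricting the rule to the exported interface, `<allow send_destination="webyast.permissions.service" send_interface="webyast.permissions.Interface" />`, keeps the bus policy from admitting anything added to the object later. Clients that introspect before calling would also need `org.freedesktop.DBus.Introspectable` allowed. The existing comment should state that authorization depends on `check_polkit` being called first in every method.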
++++++ webyastPermissionsService.rb ++++++
#!/usr/bin/env ruby
#--
# Webyast Webservice framework
#
# Copyright (C) 2009, 2010 Novell, Inc.
# This library is free software; you can redistribute it and/or modify
# it only under the terms of version 2.1 of the GNU Lesser General Public
# License as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#++
require 'rubygems'
require 'dbus'
require 'etc'
require 'polkit'
# Choose the bus (could also be DBus::session_bus, which is not suitable for a system service)
bus = DBus::system_bus
# Define the service name
service = bus.request_service("webyast.permissions.service")
class WebyastPermissionsService < DBus::Object
# overriding DBus::Object#dispatch
# It is needed because dispatch sent just parameters and without sender it is
# imposible to check permissions of sender. So to avoid it add as last
# parameter sender id.
def dispatch(msg)
msg.params << msg.sender
super(msg)
end
def log(msg)
f = File.new("/srv/www/yastws/log/permission_service.log","a",0600)
f.write(msg+"\n")
f.close
end
# Create an interface.
dbus_interface "webyast.permissions.Interface" do
dbus_method :grant, "out result:as, in permissions:as, in user:s" do |permissions,user,sender|
result = execute("grant", permissions, user,sender)
log "Grant permissions #{permissions.inspect} for user #{user} with result #{result.inspect}"
[result]
end
dbus_method :revoke, "out result:as, in permissions:as, in user:s" do |permissions,user,sender|
result = execute("revoke", permissions, user,sender)
log "Revoke permissions #{permissions.inspect} for user #{user} with result #{result.inspect}"
[result]
end
end
USER_REGEX=/\A[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/
USER_WITH_DOMAIN_REGEX=/\A[a-zA-Z0-9][a-zA-Z0-9\-.]*\\[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/
def execute (command, permissions, user, sender)
#TODO polkit check, user escaping, perm whitespacing
return ["NOPERM"] unless check_polkit sender
return ["USER_INVALID"] if invalid_user_name? user
result = []
permissions.each do |p|
#whitespace check for valid permission string to avoid attack
if p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/)
result << `polkit-auth --user '#{user}' --#{command} '#{p}' 2>&1`
else
result << "perm #{p} is INVALID"
end
end
return result
end
PERMISSION="org.opensuse.yast.permissions.write"
def check_polkit(sender)
uid = DBus::SystemBus.instance.proxy.GetConnectionUnixUser(sender)[0]
user = Etc.getpwuid(uid).name
begin
return PolKit.polkit_check(PERMISSION, user) == :yes
rescue Exception => e
return false
end
end
def invalid_user_name? user
active_directory_enabled = `/usr/sbin/pam-config -q --winbind 2>/dev/null | wc -w`.to_i > 0
return false if user.match(USER_REGEX)
return false if active_directory_enabled && user.match(USER_WITH_DOMAIN_REGEX)
return true
end
end
# Set the object path
obj = WebyastPermissionsService.new("/webyast/permissions/Interface")
# Export it!
service.export(obj)
# Now listen to incoming requests
main = DBus::Main.new
main << bus
main.run
++++++ webyast.permissions.service.service ++++++
# DBus service activation config
[D-BUS Service]
Name=webyast.permissions.service
Exec=/usr/sbin/webyastPermissionsService.rb
User=root
++++++ webyast-ws.lr.conf ++++++
/srv/www/yastws/log/production.log /srv/www/yastws/log/development.log /srv/www/yastws/log/lighttpd.access.log /srv/www/yastws/log/lighttpd.error.log {
compress
dateext
maxage 365
rotate 99
size=+4096k
notifempty
missingok
create 600 yastws yastws
postrotate
/etc/init.d/yastws reload
endscript
}
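Review bot: The file list on the first line still rotates `lighttpd.access.log` and `lighttpd.error.log`, although the init script in this commit runs nginx, so the nginx logs are presumably not rotated (their paths come from `/etc/yastws/nginx.conf`, which is not shown). `/srv/www/yastws/log/permission_service.log`, the record of grant/revoke calls that the permission service appends to, is not listed either and would grow without limit. I would replace the lighttpd names with the nginx log paths and add a separate stanza for `permission_service.log` with `create 600 root root`, since that file is written by the root-run D-Bus service and should not become writable by the `yastws` account.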
++++++ yast_user_roles ++++++
#
# file : /etc/yast_user_roles
#
# This file describes roles of a user accounts for the YaST Webservice
# "user accounts": System account which is accessable e.g. via PAM.
# "roles" : Describes user accounts for which policies have
# been generated
#
# Format: <user> ,,...<role n>
#++++++ yastws ++++++
#!/bin/sh
#
# Copyright (C) 1995--2007 Marcus Rückert, SUSE / Novell Inc.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
# USA.
#
# /etc/init.d/yastws
# and its symbolic link
# /(usr/)sbin/rcyastws
#
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
# See skeleton.compat for a template that works with other distros as well.
#
### BEGIN INIT INFO
# Provides: yastws
# Required-Start: $syslog $remote_fs
# Should-Start: $time ypbind sendmail yastwc
# Required-Stop: $syslog $remote_fs
# Should-Stop: $time ypbind sendmail yastwc
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: yastws
# Description: Start yastws
### END INIT INFO
#
# Any extensions to the keywords given above should be preceeded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
# and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
# which services absolutely need to be started to make the start of
# this service make sense. Example: nfsserver should have
# Required-Start: $portmap
# Also, required services are started before the dependent ones.
# The runlevel editor will warn about such missing hard dependencies
# and suggest enabling. During system startup, you may expect an error,
# if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
# This is needed by insserv to determine which service should be
# started first (and at a later stage what services can be started
# in parallel). The tag Should-Start: is used for this.
# It tells, that if a service is available, it should be started
# before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
# use names of services (contents of their Provides: section)
# or pseudo names starting with a $. The following ones are available
# according to LSB (1.1):
# $local_fs all local file systems are mounted
# (most services should need this!)
# $remote_fs all remote file systems are mounted
# (note that /usr may be remote, so
# many services should Require this!)
# $syslog system logging facility up
# $network low level networking (eth card, ...)
# $named hostname resolution available
# $netdaemons all network daemons are running
# The $netdaemons pseudo service has been removed in LSB 1.2.
# For now, we still offer it for backward compatibility.
# These are new (LSB 1.2):
# $time the system time has been set correctly
# $portmap SunRPC portmapping service available
# UnitedLinux extensions:
# $ALL indicates that a script should be inserted
# at the end
# * The services specified in the stop tags
# (Required-Stop/Should-Stop)
# specify which services need to be still running when this service
# is shut down. Often the entries there are just copies or a subset
# from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
# insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
# (%fillup_and_insserv macro in %post of many RPMs) to specify whether
# a startup script should default to be enabled after installation.
# It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff 6 - reboot
# 1 - single user 2 - multiuser without network exported
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
NGINX_BIN=/usr/sbin/nginx
test -x $NGINX_BIN || { echo "$NGINX_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
NGINX_CONFIG=/etc/yastws/nginx.conf
test -r $NGINX_CONFIG || { echo "$NGINX_CONFIG not existing";
if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; }
PID_FILE=/var/run/yastws.pid
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
. /etc/rc.status
# Reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
case "$1" in
start)
echo -n "Starting yastws "
#generate deployment specific secret key (bnc#591345)
SECRET=`cd /srv/www/yastws/ && rake -s secret`
if [ -z $SECRET ]; then
echo -n "Can generate secret for session. Run 'cd /srv/www/yastws/ && rake -s secret' for details."
rc_failed
rc_status -v
rc_exit
fi
sed -i 's/9d11bfc98abcf9799082d9c34ec94dc1cc926f0f1bf4bea8c440b497d96b14c1f712c8784d0303ee7dd69e382c3e5e4d38d4c56d1b619eae7acaa6516cd733b1/'"$SECRET"/ /srv/www/yastws/config/environment.rb
# patch passenger config root if the current config is different (after updating passenger or on a different arch than the default)
grep -q "^[ \\t]*passenger_root[ \\t][ \\t]*`passenger-config --root`;" $NGINX_CONFIG ||
sed -i.bak "s#^\\([ \\t]*\\)passenger_root[ \\t].*\$#\\1passenger_root `passenger-config --root`;#" $NGINX_CONFIG
## Start daemon with startproc(8). If this fails
## the return value is set appropriately by startproc.
/sbin/startproc -p $PID_FILE $NGINX_BIN -c $NGINX_CONFIG
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down yastws "
## Stop daemon with killproc(8) and if this fails
## killproc sets the return value according to LSB.
/sbin/killproc -TERM -p $PID_FILE $NGINX_BIN
# Remember status and be verbose
rc_status -v
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart the service if it
## is running.
echo -n "Reload service yastws "
## if it supports it:
/sbin/killproc -p $PID_FILE -HUP $NGINX_BIN
rc_status -v
## Otherwise:
#$0 try-restart
#rc_status
;;
reload)
## Like force-reload, but if daemon does not support
## signaling, do nothing (!)
# If it supports signaling:
echo -n "Reload service yastws "
/sbin/killproc -HUP -p $PID_FILE $NGINX_BIN
#touch /var/run/yastws.pid
rc_status -v
## Otherwise if it does not support reload:
#rc_failed 3
#rc_status -v
;;
status)
echo -n "Checking for service yastws "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
# NOTE: checkproc returns LSB compliant status values.
/sbin/checkproc -p $PID_FILE $NGINX_BIN
# NOTE: rc_status knows that we called this init script with
# "status" option and adapts its messages accordingly.
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload, print out the
## argument to this init script which is required for a reload.
## Note: probe is not (yet) part of LSB (as of 1.9)
test $NGINX_CONFIG /var/run/yastws.pid && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
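Review bot: In the `start` branch nothing checks that the session secret was actually replaced, so nginx is started even when the `sed -i` on `environment.rb` fails, and the service would then run with the default key that is published in this script. `[ -z $SECRET ]` is also unquoted, so multi-word output from `rake -s secret` makes the test error out and fall through to the `sed` instead of stopping. I would quote the variable, accept only a lowercase hex string, and refuse to start while the default key is still present in `environment.rb`, as sketched below; the message `Can generate secret` presumably means `Cannot`. Separately, the `probe` branch's `test $NGINX_CONFIG /var/run/yastws.pid` looks like it lost its `-nt` operator.

```shell
# … unchanged: echo -n "Starting yastws " …
ENV_RB=/srv/www/yastws/config/environment.rb
DEFAULT_SECRET=9d11bfc98abcf9799082d9c34ec94dc1cc926f0f1bf4bea8c440b497d96b14c1f712c8784d0303ee7dd69e382c3e5e4d38d4c56d1b619eae7acaa6516cd733b1
SECRET=`cd /srv/www/yastws/ && rake -s secret`
case "$SECRET" in
    ""|*[!0-9a-f]*)
        # empty or not a plain hex string: fail closed instead of patching
        echo -n "Cannot generate secret for session. Run 'cd /srv/www/yastws/ && rake -s secret' for details."
        rc_failed
        rc_status -v
        rc_exit
        ;;
esac
sed -i "s/$DEFAULT_SECRET/$SECRET/" "$ENV_RB"
# refuse to start while the packaged default key is still in place
if grep -q "$DEFAULT_SECRET" "$ENV_RB"; then
    echo -n "Default session secret still present in $ENV_RB."
    rc_failed
    rc_status -v
    rc_exit
fi
# … unchanged: passenger_root patching, startproc, rc_status -v …
```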
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++