commit webyast-base.822 for openSUSE:12.2:Update
Hello community, here is the log from the commit of package webyast-base.822 for openSUSE:12.2:Update checked in at 2012-09-06 09:50:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/webyast-base.822 (Old) and /work/SRC/openSUSE:12.2:Update/.webyast-base.822.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "webyast-base.822", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2012-08-23 02:41:28.555381587 +0200 +++ /work/SRC/openSUSE:12.2:Update/.webyast-base.822.new/webyast-base.changes 2012-09-06 09:50:58.000000000 +0200 
@@ -0,0 +1,897 @@ +------------------------------------------------------------------- +Mon Aug 20 14:07:51 UTC 2012 - lslezak@suse.cz + +- webyast.css - added .clearfix rule (fixes broken layout in + patches) + +------------------------------------------------------------------- +Fri Aug 17 12:51:11 UTC 2012 - lslezak@suse.cz + +- online help initialization fix +- routing fixes/cleanup +- enabled caching for restdoc +- 0.3.19 + +------------------------------------------------------------------- +Thu Aug 16 10:51:53 UTC 2012 - lslezak@suse.cz + +- fixed displaying restdoc documentation (at /restdoc path) +- 0.3.18 + +------------------------------------------------------------------- +Tue Aug 14 11:13:06 UTC 2012 - lslezak@suse.cz + +- force SSL communication in production mode (use secure cookies + and use Strict-Transport-Security) +- added caching in online help (cache the downloaded page from + doc.opensuse.org, cache the result) +- 0.3.17 + +------------------------------------------------------------------- +Mon Aug 13 19:09:49 UTC 2012 - lslezak@suse.cz + +- removed rubygem-inifile dependency (inifile is needed for polkit1 + which is not present in SLES11, moreover inifile is not directly + needed) +- use rubygem-ruby-dbus also in SLES (will be part of ATK-1.3) + +------------------------------------------------------------------- +Fri Aug 10 07:29:29 UTC 2012 - lslezak@suse.cz + +- 0.3.16 + +------------------------------------------------------------------- +Thu Aug 9 12:35:47 UTC 2012 - lslezak@suse.cz + +- removed MSIE8 hacks (use gradients instead of PNGs in status eye) +- use HTTPS protocol instead of HTTP for reading online help + (decreases possibility of injecting malicious code to WebYaST + pages) + +------------------------------------------------------------------- +Wed Aug 8 13:27:02 UTC 2012 - lslezak@suse.cz + +- rcwebyast - print fingerprint of the generated certificate + +------------------------------------------------------------------- 
+Fri Aug 3 09:55:40 UTC 2012 - lslezak@suse.cz + +- correctly include IE CSS fixes +- better nginx/passenger config (include passenger_root.include + file instead of patching nginx config at every start) +- status eye - better look +- 0.3.15 + +------------------------------------------------------------------- +Thu Aug 2 16:04:14 UTC 2012 - lslezak@suse.cz + +- rcwebyast - added umask 0066 to avoid world readable log files +- supported browsers: IE9+ and FF10+ +- %post - make logs not world readable + +------------------------------------------------------------------- +Tue Jul 31 20:09:51 UTC 2012 - lslezak@suse.cz + +- Gemfile - removed versioned devise dependency +- Support rubygem-devise 2.x +- 0.3.14 + +------------------------------------------------------------------- +Wed Jul 25 06:58:47 UTC 2012 - lslezak@suse.cz + +- %post - do not start backround prefetch when running + 'rake db:migrate' (concurrent DB access can cause deadlock) + (this is a proper fix for bnc#767066) +- Ruby 1.9 fixes +- 0.3.13 + +------------------------------------------------------------------- +Wed Jul 18 09:32:04 UTC 2012 - lslezak@suse.cz + +- allow disabling Web UI or REST API in WebYast config file + (/etc/webyast/config.yml) +- added custom 404 error page + +------------------------------------------------------------------- +Tue Jul 17 08:24:22 UTC 2012 - lslezak@suse.cz + +- enabled HTTP Basic authentication (needed for REST API) + +------------------------------------------------------------------- +Wed Jul 4 09:27:30 UTC 2012 - lslezak@suse.cz + +- %post - reload DBus config only when the system bus socket is + present to avoid build hangs (bnc#767066) +- 0.3.12 + +------------------------------------------------------------------- +Wed Jul 4 06:34:29 UTC 2012 - lslezak@suse.cz + +- rcwebyast - prerequire $network service (bnc#764871) +- rcwebyast - print also FQDN URL (if available) +- 0.3.11 + +------------------------------------------------------------------- +Thu Jun 
14 08:36:05 UTC 2012 - cfarrell@suse.com + +- license update: LGPL-2.1 and GPL-2.0 and Apache-2.0 + Contains components under GPL-2.0 and javascript components under + Apache-2.0 license + +------------------------------------------------------------------- +Wed Jun 13 12:14:54 UTC 2012 - lslezak@suse.cz + +- added versioned Provides/Obsoletes, use "try-restart" for + restarting SUSE Firewall + +------------------------------------------------------------------- +Wed Jun 6 14:36:56 UTC 2012 - lslezak@suse.cz + +- Provide/Obsolete webyast-base-ui-branding-default and + webyast-firstboot-ws packages (to remove them at update) +- 0.3.10 + +------------------------------------------------------------------- +Wed Jun 6 12:07:35 UTC 2012 - lslezak@suse.cz + +- update to delayed_job 3.0 +- 0.3.9 + +------------------------------------------------------------------- +Mon Jun 4 15:18:57 UTC 2012 - lslezak@suse.cz + +- reload firewall after modifying /etc/sysconfig/SuSEfirewall2 +- 0.3.8 + +------------------------------------------------------------------- +Fri Jun 1 14:10:34 UTC 2012 - lslezak@suse.cz + +- fixed update problems (fixed %pre and %post scripts in .spec + file) +- 0.3.7 + +------------------------------------------------------------------- +Wed May 30 08:14:40 UTC 2012 - lslezak@suse.cz + +- fixed control panel tests +- 0.3.6 + +------------------------------------------------------------------- +Fri May 25 13:28:08 UTC 2012 - lslezak@suse.cz + +- switched to Rails 3.2 +- removed usage of static_record_cache gem (incompatible with + Rails 3.2), the missing caching should not have big impact +- 0.3.5 + +------------------------------------------------------------------- +Fri May 25 11:10:23 UTC 2012 - lslezak@suse.cz + +- do not compress JS files - less build dependencies, + the compression ratio is small anyway +- 0.3.4 + +------------------------------------------------------------------- +Thu May 24 09:56:56 UTC 2012 - lslezak@suse.cz + +- 
ApplicationController - fixed rendering uncaught exceptions + in XML format +- 0.3.3 + +------------------------------------------------------------------- +Fri May 18 09:58:45 UTC 2012 - lslezak@suse.cz + +- added "help_text" view helper for displaying inline help texts +- 0.3.2 + +------------------------------------------------------------------- +Tue Apr 17 11:03:51 UTC 2012 - schubi@suse.com + +- updated copyrights + +------------------------------------------------------------------- +Thu Dec 1 08:46:09 UTC 2011 - jsrain@suse.cz + +- updated polkit permission granting to work well during appliance + build +- 0.3.1 ++++ 700 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.webyast-base.822.new/webyast-base.changes New: ---- config.yml config.yml.new control_panel.yml grantwebyastrights nginx.conf org.opensuse.yast.permissions.policy rcwebyast webyast webyast-base.changes webyast-base.spec webyast.lr.conf webyast.permissions.conf webyast.permissions.service.service webyastPermissionsService.rb www.tar.bz2 yast_user_roles ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ webyast-base.spec ++++++ # # spec file for package webyast-base # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: webyast-base Version: 0.3.19 Release: 0 Provides: yast2-webservice = %{version} Obsoletes: yast2-webservice < %{version} Provides: webyast-language-ws = 0.1.0 Obsoletes: webyast-language-ws <= 0.1.0 Obsoletes: webyast-base-ui < %{version} Obsoletes: webyast-base-ws < %{version} Obsoletes: webyast-firstboot-ws < %{version} Obsoletes: yast2-webclient < %{version} Obsoletes: yast2-webservice < %{version} Provides: webyast-base-ui = %{version} Provides: webyast-base-ws = %{version} Provides: webyast-firstboot-ws = %{version} Provides: yast2-webclient = %{version} Provides: yast2-webservice = %{version} %if 0%{?suse_version} == 0 || %suse_version > 1110 # 11.2 or newer %if 0%{?suse_version} > 1120 # since 11.3, they are in a separate subpackage Requires: sysvinit-tools %else # Require startproc respecting -p, bnc#559534#c44 Requires: sysvinit > 2.86-215.2 %endif Requires: yast2-core >= 2.18.10 %else # 11.1 or SLES11 Requires: sysvinit > 2.86-195.3.1 Requires: yast2-core >= 2.17.30.1 %endif Requires: check-create-certificate Requires: nginx >= 1.0 Requires: rubygem-nokogiri Requires: rubygem-passenger-nginx Requires: rubygem-ruby-dbus Requires: sqlite3 Requires: syslog-ng Requires: yast2-dbus-server Requires: rubygem-webyast-rake-tasks >= 0.2 Requires: webyast-base-branding PreReq: rubygem-bundler # 634404 Recommends: logrotate %if 0%{?suse_version} == 0 || %suse_version > 1110 PreReq: polkit, rubygem-polkit1 %else # <11.1 or SLES11 PreReq: PolicyKit, rubygem-polkit %endif PreReq: rubygem-rake, rubygem-sqlite3 PreReq: rubygem-rails-3_2 >= 3.2.3 PreReq: rubygem-fast_gettext, rubygem-gettext_i18n_rails Url: http://en.opensuse.org/Portal:WebYaST Summary: WebYaST - base components License: LGPL-2.1 and GPL-2.0 and Apache-2.0 Group: Productivity/Networking/Web/Utilities Source: www.tar.bz2 Source1: webyastPermissionsService.rb Source2: webyast.permissions.conf Source3: 
webyast.permissions.service.service Source4: org.opensuse.yast.permissions.policy Source5: grantwebyastrights Source6: yast_user_roles Source9: rcwebyast Source10: webyast Source11: webyast.lr.conf Source12: nginx.conf Source13: control_panel.yml Source14: config.yml Source15: config.yml.new BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkg-config BuildRequires: ruby BuildRequires: rubygem-mocha # if we run the tests during build, we need most of Requires here too, # except for deployment specific stuff BuildRequires: dbus-1 BuildRequires: rubygem-rails-3_2 BuildRequires: rubygem-ruby-dbus BuildRequires: rubygem-sqlite3 BuildRequires: rubygem-webyast-rake-tasks >= 0.2 BuildRequires: sqlite3 %if 0%{?suse_version} == 0 || %suse_version > 1110 BuildRequires: polkit BuildRequires: rubygem-polkit1 %else # <11.1 or SLES11 BuildRequires: PolicyKit BuildRequires: rubygem-polkit %endif # the testsuite is run during build BuildRequires: nginx >= 1.0 BuildRequires: rubygem-builder-3_0 BuildRequires: rubygem-bundler BuildRequires: rubygem-cancan BuildRequires: rubygem-delayed_job-3_0 BuildRequires: rubygem-delayed_job_active_record BuildRequires: rubygem-devise BuildRequires: rubygem-devise-i18n BuildRequires: rubygem-devise_unix2_chkpwd_authenticatable BuildRequires: rubygem-haml BuildRequires: rubygem-mocha BuildRequires: rubygem-nokogiri BuildRequires: rubygem-test-unit BuildRequires: rubygem-gettext BuildRequires: rubygem-ruby_parser BuildRequires: rubygem-factory_girl BuildRequires: rubygem-factory_girl_rails BuildRequires: rubygem-mocha Requires: rubygem-builder-3_0 Requires: rubygem-fast_gettext Requires: rubygem-gettext_i18n_rails Requires: rubygem-haml Requires: rubygem-rails-i18n Requires: rubygem-sqlite3 Requires: rubygem-cancan Requires: rubygem-delayed_job-3_0 Requires: rubygem-delayed_job_active_record Requires: rubygem-devise Requires: rubygem-devise-i18n Requires: rubygem-devise_unix2_chkpwd_authenticatable # This is for Hudson (build service) 
to setup the build env correctly %if 0 BuildRequires: rubygem-rcov >= 0.9.3.2 BuildRequires: rubygem-test-unit %endif # we do not necessarily need any UI in case of WebYaST Provides: yast2_ui Provides: yast2_ui_pkg # rpmlint warns about file duplicates, this should take care but # doesn't build (?!) #%if 0%{?suse_version} > 1020 #BuildRequires: fdupes #%endif BuildArch: noarch %package testsuite Requires: webyast-base = %{version} Summary: Testsuite for webyast-base package Group: Productivity/Networking/Web/Utilities # %define pkg_home /var/lib/%{webyast_user} # Requires: rubygem-factory_girl Requires: rubygem-factory_girl_rails Requires: rubygem-mocha Requires: tidy %description WebYaST - Core components for UI and REST based interface to system manipulation. Authors: -------- Duncan Mac-Vicar Prett <dmacvicar@suse.de> Klaus Kaempf <kkaempf@suse.de> Bjoern Geuken <bgeuken@suse.de> Stefan Schubert <schubi@suse.de> %description testsuite Testsuite for core WebYaST package. %package branding-default Provides: webyast-base-branding = %{version} Requires: %{name} = %{version} Conflicts: otherproviders(webyast-base-branding) Supplements: packageand(webyast-base:branding-default) Provides: webyast-base-ui-branding-default Obsoletes: webyast-base-ui-branding-default Summary: Branding package for webyast-base package Group: Productivity/Networking/Web/Utilities %description branding-default This package contains css, icons and images for webyast-base package. 
%prep %setup -q -n www %build %if %suse_version <= 1110 export WEBYAST_POLICYKIT='true' %endif # build *.mo files (redirect sterr to /dev/null as it contains tons of warnings about obsoleted (commented) msgids) LANG=en rake gettext:pack 2> /dev/null # gettext:pack for some reason creates empty db/development.sqlite3 file rm -rf db/development.sqlite3 # precompile assets rake assets:precompile # split manifest file rake assets:split_manifest rm -rf public/assets/manifest.yml # cleanup rm -rf tmp rm -rf log # remove Gemfile.lock created by the above rake calls rm Gemfile.lock %check %if %suse_version <= 1110 export WEBYAST_POLICYKIT='true' %endif # run the testsuite RAILS_ENV=test rake db:migrate rake tmp:create RAILS_ENV=test $RPM_BUILD_ROOT%{webyast_dir}/test/dbus-launch-simple rake test #--------------------------------------------------------------- %install %if %suse_version <= 1110 export WEBYAST_POLICYKIT='true' %endif # # Install all web and frontend parts. # mkdir -p $RPM_BUILD_ROOT%{webyast_dir}/log/ cp -a * $RPM_BUILD_ROOT%{webyast_dir}/ rm -f $RPM_BUILD_ROOT%{webyast_dir}/log/* rm -rf $RPM_BUILD_ROOT/%{webyast_dir}/po rm -f $RPM_BUILD_ROOT%{webyast_dir}/COPYING # install production mode Gemfile rake -s gemfile:production > $RPM_BUILD_ROOT%{webyast_dir}/Gemfile # install test mode Gemfile rake -s gemfile:test > $RPM_BUILD_ROOT%{webyast_dir}/Gemfile.test # install assets mode Gemfile rake -s gemfile:assets > $RPM_BUILD_ROOT%{webyast_dir}/Gemfile.assets # remove .gitkeep files find $RPM_BUILD_ROOT%{webyast_dir} -name .gitkeep -delete # remove *.po files (compiled *.mo files are sufficient) find $RPM_BUILD_ROOT%{webyast_dir}/locale -name '*.po' -delete %{__install} -d -m 0755 \ %{buildroot}%{pkg_home}/sockets/ \ %{buildroot}%{pkg_home}/cache/ \ %{buildroot}%{_sbindir} \ %{buildroot}%{_var}/log/%{webyast_user} # # init script # %{__install} -D -m 0755 -T %SOURCE9 \ %{buildroot}%{_sysconfdir}/init.d/%{webyast_service} %{__ln_s} -f 
%{_sysconfdir}/init.d/%{webyast_service} %{buildroot}%{_sbindir}/rc%{webyast_service} # # configure nginx web service mkdir -p $RPM_BUILD_ROOT/etc/nginx/certs # configure nginx web service mkdir -p $RPM_BUILD_ROOT/etc/webyast/ install -m 0644 %SOURCE12 $RPM_BUILD_ROOT/etc/webyast/ # create symlinks to nginx config files ln -s /etc/nginx/fastcgi.conf $RPM_BUILD_ROOT/etc/webyast ln -s /etc/nginx/fastcgi_params $RPM_BUILD_ROOT/etc/webyast ln -s /etc/nginx/koi-utf $RPM_BUILD_ROOT/etc/webyast ln -s /etc/nginx/koi-win $RPM_BUILD_ROOT/etc/webyast ln -s /etc/nginx/mime.types $RPM_BUILD_ROOT/etc/webyast ln -s /etc/nginx/scgi_params $RPM_BUILD_ROOT/etc/webyast ln -s /etc/nginx/uwsgi_params $RPM_BUILD_ROOT/etc/webyast ln -s /etc/nginx/win-utf $RPM_BUILD_ROOT/etc/webyast # Policies mkdir -p $RPM_BUILD_ROOT/usr/share/%{webyast_polkit_dir} install -m 0644 %SOURCE4 $RPM_BUILD_ROOT/usr/share/%{webyast_polkit_dir} install -m 0644 %SOURCE6 $RPM_BUILD_ROOT/etc/ install -m 0555 %SOURCE5 $RPM_BUILD_ROOT/usr/sbin/ # firewall service definition, bnc#545627 mkdir -p $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services install -m 0644 %SOURCE10 $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services # logrotate configuration bnc#634404 mkdir $RPM_BUILD_ROOT/etc/logrotate.d install -m 0644 %SOURCE11 $RPM_BUILD_ROOT/etc/logrotate.d # create webyast dirs (config, var and data) mkdir -p $RPM_BUILD_ROOT/etc/webyast mkdir -p $RPM_BUILD_ROOT/var/lib/webyast mkdir -p $RPM_BUILD_ROOT/usr/share/webyast # create empty tmp directory mkdir -p $RPM_BUILD_ROOT%{webyast_dir}/tmp mkdir -p $RPM_BUILD_ROOT%{webyast_dir}/tmp/cache mkdir -p $RPM_BUILD_ROOT%{webyast_dir}/tmp/pids mkdir -p $RPM_BUILD_ROOT%{webyast_dir}/tmp/sessions mkdir -p $RPM_BUILD_ROOT%{webyast_dir}/tmp/sockets # install YAML config file mkdir -p $RPM_BUILD_ROOT/etc/webyast/ cp %SOURCE13 $RPM_BUILD_ROOT/etc/webyast/ %if %suse_version <= 1110 cp %SOURCE14 $RPM_BUILD_ROOT/etc/webyast/ %else cp %SOURCE15 $RPM_BUILD_ROOT/etc/webyast/config.yml 
%endif # install permissions service mkdir -p $RPM_BUILD_ROOT/usr/sbin/ install -m 0500 %SOURCE1 $RPM_BUILD_ROOT/usr/sbin/ mkdir -p $RPM_BUILD_ROOT/etc/dbus-1/system.d/ install -m 0644 %SOURCE2 $RPM_BUILD_ROOT/etc/dbus-1/system.d/ mkdir -p $RPM_BUILD_ROOT/usr/share/dbus-1/system-services/ install -m 0444 %SOURCE3 $RPM_BUILD_ROOT/usr/share/dbus-1/system-services/ #create dummy update-script mkdir -p %buildroot/var/adm/update-scripts touch %buildroot/var/adm/update-scripts/%name-%version-%release-1 # for basesystem setup (firstboot) mkdir -p $RPM_BUILD_ROOT%{webyast_vardir}/basesystem #--------------------------------------------------------------- %clean rm -rf $RPM_BUILD_ROOT #--------------------------------------------------------------- %pre # # e.g. adding user # /usr/sbin/groupadd -r %{webyast_user} &>/dev/null ||: /usr/sbin/useradd -g %{webyast_user} -s /bin/false -r -c "User for WebYaST" -d %{pkg_home} %{webyast_user} &>/dev/null ||: # services will not be restarted correctly if # the package name will changed while the update # So the service will be restarted by an update-script # which will be called AFTER the installation if /bin/rpm -q webyast-base-ui > /dev/null ; then echo "renaming webyast-base-ui to webyast-base" if /sbin/chkconfig -l yastwc 2> /dev/null | grep " 3:on " >/dev/null ; then echo "webyast is inserted into the runlevel" echo "#!/bin/sh" > %name-%version-%release-1 echo "/sbin/chkconfig -a webyast" >> %name-%version-%release-1 echo "/usr/sbin/rcwebyast restart" >> %name-%version-%release-1 else if /usr/sbin/rcyastwc status > /dev/null ; then echo "webyast is running" echo "#!/bin/sh" > %name-%version-%release-1 echo "/usr/sbin/rcwebyast restart" >> %name-%version-%release-1 fi fi fi #We are switching from lighttpd to nginx. 
So lighttpd has to be killed #at first if rpm -q --requires %{name}|grep lighttpd > /dev/null ; then if /usr/sbin/rcyastws status > /dev/null ; then echo "yastws is running under lighttpd -> switching to nginx" /usr/sbin/rcyastws stop > /dev/null # check if the restart file already exists if [ ! -f %name-%version-%release-1 ] ; then echo "#!/bin/sh" > %name-%version-%release-1 echo "/usr/sbin/rcwebyast restart" >> %name-%version-%release-1 fi fi fi if [ -f %name-%version-%release-1 ] ; then install -D -m 755 %name-%version-%release-1 /var/adm/update-scripts rm %name-%version-%release-1 echo "Please check the service runlevels and restart WebYaST service with \"rcwebyast restart\" if the update has not been called with zypper,yast or packagekit" fi exit 0 #--------------------------------------------------------------- %post %fillup_and_insserv %{webyast_service} # #granting permissions for webyast # /usr/sbin/grantwebyastrights --user %{webyast_user} --action grant --policy org.opensuse.yast.module-manager.import > /dev/null ||: # # granting all permissions for root # /usr/sbin/grantwebyastrights --user root --action grant > /dev/null ||: # # create database # cd %{webyast_dir} # force refreshing the Gemfile.lock rm -f Gemfile.lock #migrate database %if %suse_version <= 1110 export WEBYAST_POLICYKIT='true' %endif DISABLE_DATA_PREFETCH=true RAILS_ENV=production rake db:migrate chown -R %{webyast_user}: db chown -R %{webyast_user}: log chmod -R o-r log echo "Database is ready" # try-reload D-Bus config (bnc#635826) # check if the system bus socket is present to avoid errors/hangs during RPM build (bnc#767066) if [ -S /var/run/dbus/system_bus_socket ]; then echo "Reloading DBus configuration..." dbus-send --print-reply --system --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig >/dev/null ||: fi # update firewall config if [ -f /etc/sysconfig/SuSEfirewall2 ]; then if grep -q webyast-ui /etc/sysconfig/SuSEfirewall2; then echo "Updating firewall config..." 
sed -i "s/\(^[ \t]*FW_CONFIGURATIONS_.*[ \t]*=[ \t]*\".*[ \t]*\)webyast-ui\(.*$\)/\1webyast\2/" /etc/sysconfig/SuSEfirewall2 # reload the changes echo "Restarting firewall..." /sbin/rcSuSEfirewall2 try-restart fi fi #--------------------------------------------------------------- %preun %stop_on_removal %{webyast_service} #--------------------------------------------------------------- %postun %restart_on_update %{webyast_service} %{insserv_cleanup} #--------------------------------------------------------------- # restart webyast on nginx update (bnc#559534) %triggerin -- nginx %restart_on_update %{webyast_service} %post branding-default %webyast_update_assets %postun branding-default %webyast_update_assets #--------------------------------------------------------------- %files %defattr(-,root,root) #this /etc/webyast is for nginx conf for webyast %dir /etc/webyast %config /etc/webyast/config.yml %dir %{webyast_dir} %attr(-,root,root) %{_datadir}/%{webyast_polkit_dir} %attr(-,%{webyast_user},%{webyast_user}) %dir %{pkg_home} %attr(-,%{webyast_user},%{webyast_user}) %dir %{pkg_home}/sockets %attr(-,%{webyast_user},%{webyast_user}) %dir %{pkg_home}/cache %attr(-,%{webyast_user},%{webyast_user}) %dir %{_var}/log/%{webyast_user} #logrotate configuration file %config(noreplace) /etc/logrotate.d/webyast.lr.conf %dir %{_datadir}/webyast %dir %attr(-,%{webyast_user},root) /var/lib/webyast %dir %{webyast_dir}/db %{webyast_dir}/locale %{webyast_dir}/app %{webyast_dir}/db/migrate %ghost %{webyast_dir}/db/schema.rb %{webyast_dir}/doc %{webyast_dir}/lib %dir %{webyast_dir}/public %{webyast_dir}/public/*.html %{webyast_dir}/public/dispatch.* %{webyast_dir}/public/apache.htaccess %{webyast_dir}/public/favicon.ico %{webyast_dir}/Gemfile %{webyast_dir}/Gemfile.assets %{webyast_dir}/Rakefile %{webyast_dir}/config.ru %{webyast_dir}/script %dir %{webyast_dir}/config %{webyast_dir}/config/boot.rb %{webyast_dir}/config/database.yml %{webyast_dir}/config/environments 
%{webyast_dir}/config/initializers %{webyast_dir}/config/routes.rb %{webyast_dir}/config/application.rb #also users can run granting script, as permissions is handled by polkit right for granting permissions %attr(555,root,root) /usr/sbin/grantwebyastrights %attr(755,root,root) %{webyast_dir}/start.sh %attr(500,root,root) /usr/sbin/webyastPermissionsService.rb %attr(444,root,root) /usr/share/dbus-1/system-services/webyast.permissions.service.service %attr(644,root,root) %config /etc/dbus-1/system.d/webyast.permissions.conf %doc %{webyast_dir}/README %attr(-,%{webyast_user},%{webyast_user}) %{webyast_dir}/log %attr(-,%{webyast_user},%{webyast_user}) %{webyast_dir}/tmp %dir %{webyast_vardir} %attr(-,%{webyast_user},%{webyast_user}) %dir %{webyast_vardir}/basesystem %dir /etc/nginx/certs #this /etc/webyast is for webyast configuration files %dir /etc/webyast/ %config /etc/webyast/control_panel.yml %config /etc/webyast/config.yml #nginx stuff %config /etc/webyast/nginx.conf %config /etc/webyast/fastcgi.conf %config /etc/webyast/fastcgi_params %config /etc/webyast/koi-utf %config /etc/webyast/koi-win %config /etc/webyast/mime.types %config /etc/webyast/scgi_params %config /etc/webyast/uwsgi_params %config /etc/webyast/win-utf %config /etc/sysconfig/SuSEfirewall2.d/services/webyast %config /usr/share/%{webyast_polkit_dir}/org.opensuse.yast.permissions.policy %config %{webyast_dir}/config/environment.rb %config(noreplace) /etc/yast_user_roles %config %{_sysconfdir}/init.d/%{webyast_service} %{_sbindir}/rc%{webyast_service} %doc COPYING ### include JS assets %exclude %{webyast_dir}/app/assets/icons %exclude %{webyast_dir}/app/assets/images %exclude %{webyast_dir}/app/assets/stylesheets %{webyast_dir}/app/assets/javascripts %{webyast_dir}/public/assets/*.js %{webyast_dir}/public/assets/*.js.gz %{webyast_dir}/public/assets/manifest.yml.base %exclude %{webyast_dir}/test %ghost %attr(755,root,root) /var/adm/update-scripts/%name-%version-%release-1 %files testsuite 
%defattr(-,root,root) %{webyast_dir}/test %{webyast_dir}/Gemfile.test %files branding-default %defattr(-,root,root) ### include css, icons and images %{webyast_dir}/app/assets %{webyast_dir}/public/assets # exclude files belonging to the base %exclude %{webyast_dir}/app/assets/javascripts/* %exclude %{webyast_dir}/public/assets/*.js %exclude %{webyast_dir}/public/assets/*.js.gz %exclude %{webyast_dir}/public/assets/manifest.yml.base #--------------------------------------------------------------- %changelog ++++++ config.yml ++++++ # This is a general config file for WebYaST # # The file needs to be located under /etc/webyast/ --- # Using the new # default: false polkit1: false # Enable/disable XML REST API # default: false rest_api_enabled: false # Enable/disable Web UI # default: true web_ui_enabled: true ++++++ config.yml.new ++++++ # This is a general config file for WebYaST # # The file needs to be located under /etc/webyast/ --- # Enable/disable XML REST API # default: false rest_api_enabled: false # Enable/disable Web UI # default: true web_ui_enabled: true ++++++ control_panel.yml ++++++ # This is a config file for WebYaST control center # # The file needs to be located under /etc/webyast/ or /etc/webyast/vendor/ # (the 'vendor' directory has higher priority). --- # timeout before automatic reloading of patches status (in seconds) # value 0 disables automatic reload # default: 28800 seconds = 8 hours patch_status_timeout: 28800 # timeout before automatic reloading of patches status (in seconds) # value 0 disables automatic reload # default: 300 seconds = 5 minutes system_status_timeout: 300 # display patches status in the status header # default: true display_patch_status: true # display system status in the status header # default: true display_system_status: true # label shown at the top of each page appliance_label: _("My Appliance") ++++++ grantwebyastrights ++++++ #!/usr/bin/env ruby # #-- # Webyast framework # # Copyright (C) 2009, 2010 Novell, Inc. 
# This library is free software; you can redistribute it and/or modify # it only under the terms of version 2.1 of the GNU Lesser General Public # License as published by the Free Software Foundation. # # This library is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA #++ # # grantwebyastrights # # show, grant and revoke policies for WebYaST # # run: grantwebyastrights # require 'fileutils' require 'getoptlong' require 'rubygems' require 'yaml' #checking which policykit is used WEBYAST_CONFIG_FILE = "/etc/webyast/config.yml" @polkit1 = true if File.exist?(WEBYAST_CONFIG_FILE) values = YAML::load(File.open(WEBYAST_CONFIG_FILE, 'r').read) @polkit1 = false if values["polkit1"] == false end STDOUT.puts "Using old PolicyKit" unless @polkit1 if @polkit1 require 'polkit1' end $debug = 0 POLKIT_SECTION = "55-webyast.d" def usage why STDERR.puts why STDERR.puts "" STDERR.puts "Usage: grantwebyastrights --user <user> --action (show|grant|revoke) [--policy <policy>]" STDERR.puts "NOTE: This program should be run by user root" STDERR.puts "" STDERR.puts "" unless @polkit1 STDERR.puts "This call grant/revoke ALL permissions for the YaST Webservice." 
STDERR.puts "In order to grant/revoke single rights use:" STDERR.puts "polkit-auth --user <user> (--grant|-revoke) <policyname>" STDERR.puts "" STDERR.puts "In order to show all possible permissions use:" STDERR.puts "polkit-action" else STDERR.puts "In order to show all possible permissions use:" STDERR.puts "pkaction" end exit 1 end options = GetoptLong.new( [ "--user", GetoptLong::REQUIRED_ARGUMENT ], [ "--debug", GetoptLong::OPTIONAL_ARGUMENT ], [ "--policy", GetoptLong::OPTIONAL_ARGUMENT ], [ "--action", GetoptLong::REQUIRED_ARGUMENT ] ) user = nil action = nil single_policy = nil begin options.each do |opt, arg| case opt when "--user"; user = arg when "--action"; action = arg when "--policy"; single_policy = arg when "--debug"; $debug += 1 end end rescue GetoptLong::InvalidOption => o usage "Invalid option #{o}" end $debug = nil if $debug == 0 usage "excessive arguments" unless ARGV.empty? usage "user parameter missing" unless user usage "action parameter (show|grant|revoke) missing" unless action SuseString = "org.opensuse.yast" def webyast_perm?(perm) return (perm.include? SuseString) && (not perm.include? ".scr") end def granted_perms(user) if @polkit1 perms = webyast_perms perms.reject! { |perm| PolKit1::polkit1_check(perm, user) == :no } else perms = `polkit-auth --user '#{user}' --explicit` #do NOT raise if an error happens here cause while the package installation this call returns always an error # raise "polkit-auth failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero? perms = perms.split "\n" perms.reject! { |perm| not webyast_perm?(perm) } end return perms end def webyast_perms if @polkit1 perms = `pkaction` else perms = `polkit-action` raise "polkit-action failed with ret code #{$?.exitstatus}. Output: #{perms}" unless $?.exitstatus.zero? end perms = perms.split "\n" perms.reject! 
{ |perm| not webyast_perm?(perm) } return perms end begin case action when "grant" then unless single_policy == nil STDOUT.puts "granting: #{single_policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, single_policy, true, user) else out = `polkit-auth --user '#{user}' --grant '#{single_policy}'` #do NOT raise if an error happens here cause while the package installation this call can return an error for already existing #permissions ( It is not possible to check this before) #raise "Granting permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? end else granted = granted_perms user non_granted = webyast_perms.reject{ |perm| granted.include? perm } non_granted.each do |policy| STDOUT.puts "granting: #{policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, policy, true, user) else out = `polkit-auth --user '#{user}' --grant '#{policy}'` #do NOT raise if an error happens here cause while the package installation this call can return an error for already existing #permissions ( It is not possible to check this before) #raise "Granting permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? end end end when "show" unless single_policy == nil STDOUT.puts single_policy if granted_perms(user).include?(single_policy) else STDOUT.puts granted_perms(user).join("\n") end when "revoke" unless single_policy == nil STDOUT.puts "revoking: #{single_policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, single_policy, false, user) else out = `polkit-auth --user '#{user}' --revoke '#{single_policy}'` raise "Revoking permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? 
end else granted = granted_perms user granted.each do |policy| STDOUT.puts "revoking: #{policy}" if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, policy, false, user) else out = `polkit-auth --user '#{user}' --revoke '#{policy}'` raise "Revoking permissions failed with ret code #{$?.exitstatus}. Output: #{out}" unless $?.exitstatus.zero? end end end end rescue Exception => e STDERR.puts e.message Process.exit! 1 end ++++++ nginx.conf ++++++ user webyast webyast; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; error_log /srv/www/webyast/log/error.log info; pid /var/run/webyast.pid; events { worker_connections 1024; } http { # read passenger_root option from external file (in rubygem-passenger-nginx package) include /etc/nginx/conf.d/passenger_root.include; passenger_ruby /usr/bin/ruby; passenger_pool_idle_time 300; passenger_min_instances 0; passenger_default_user webyast; passenger_user webyast; passenger_max_pool_size 1; passenger_max_instances_per_app 1; passenger_spawn_method conservative; client_body_temp_path /srv/www/webyast/tmp/tmp_webyast 1 2; fastcgi_temp_path /srv/www/webyast/tmp/fastcgi_webyast 1 2; proxy_temp_path /srv/www/webyast/tmp/proxy_webyast 1 2; include mime.types; default_type application/octet-stream; access_log /srv/www/webyast/log/access.log; passenger_log_level 0; passenger_debug_log_file /srv/www/webyast/log/passenger.log; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; gzip on; gzip_static on; gzip_buffers 16 8k; gzip_comp_level 9; gzip_http_version 1.0; gzip_proxied any; gzip_min_length 0; gzip_types text/plain text/css image/x-icon image/png image/gif image/jpeg application/x-javascript text/javascript; gzip_vary on; server { listen 4984; underscores_in_headers on; server_name localhost; root /srv/www/webyast/public; passenger_enabled on; rails_framework_spawner_idle_time 300; rails_app_spawner_idle_time 300; ssl on; ssl_certificate 
/etc/nginx/certs/webyast.pem; ssl_certificate_key /etc/nginx/certs/webyast.key; ssl_session_timeout 5m; ssl_protocols TLSv1; ssl_ciphers ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH; ssl_prefer_server_ciphers on; # redirect HTTP requests to HTTPS # Error 497 is internal code for Error 400 "The plain HTTP request was sent to HTTPS port" error_page 497 https://$host:4984$request_uri; location ~* \.(png|gif|jpg|jpeg|css|js|swf|ico)(\?[0-9]+)?$ { passenger_enabled on; access_log off; expires max; add_header Cache-Control public; } } } ++++++ rcwebyast ++++++ #!/bin/sh # # Copyright (C) 1995--2007 Marcus Rückert, SUSE / Novell Inc. # # This library is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or (at # your option) any later version. # # This library is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, # USA. # # /etc/init.d/webyast # and its symbolic link # /(usr/)sbin/rcwebyast # # # LSB compatible service control script; see http://www.linuxbase.org/spec/ # # Note: This template uses functions rc_XXX defined in /etc/rc.status on # UnitedLinux/SUSE/Novell based Linux distributions. If you want to base your # script on this template and ensure that it works on non UL based LSB # compliant Linux distributions, you either have to provide the rc.status # functions from UL or change the script to work without them. # See skeleton.compat for a template that works with other distros as well. 
# ### BEGIN INIT INFO # Provides: webyast # Required-Start: $syslog $remote_fs $network # Should-Start: $time ypbind sendmail # Required-Stop: $syslog $remote_fs $network # Should-Stop: $time ypbind sendmail # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: webyast # Description: Start webyast ### END INIT INFO # # Any extensions to the keywords given above should be preceeded by # X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB. # # Notes on Required-Start/Should-Start: # * There are two different issues that are solved by Required-Start # and Should-Start # (a) Hard dependencies: This is used by the runlevel editor to determine # which services absolutely need to be started to make the start of # this service make sense. Example: nfsserver should have # Required-Start: $portmap # Also, required services are started before the dependent ones. # The runlevel editor will warn about such missing hard dependencies # and suggest enabling. During system startup, you may expect an error, # if the dependency is not fulfilled. # (b) Specifying the init script ordering, not real (hard) dependencies. # This is needed by insserv to determine which service should be # started first (and at a later stage what services can be started # in parallel). The tag Should-Start: is used for this. # It tells, that if a service is available, it should be started # before. If not, never mind. # * When specifying hard dependencies or ordering requirements, you can # use names of services (contents of their Provides: section) # or pseudo names starting with a $. The following ones are available # according to LSB (1.1): # $local_fs all local file systems are mounted # (most services should need this!) # $remote_fs all remote file systems are mounted # (note that /usr may be remote, so # many services should Require this!) # $syslog system logging facility up # $network low level networking (eth card, ...) 
# $named hostname resolution available # $netdaemons all network daemons are running # The $netdaemons pseudo service has been removed in LSB 1.2. # For now, we still offer it for backward compatibility. # These are new (LSB 1.2): # $time the system time has been set correctly # $portmap SunRPC portmapping service available # UnitedLinux extensions: # $ALL indicates that a script should be inserted # at the end # * The services specified in the stop tags # (Required-Stop/Should-Stop) # specify which services need to be still running when this service # is shut down. Often the entries there are just copies or a subset # from the respective start tag. # * Should-Start/Stop are now part of LSB as of 2.0, # formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop. # insserv does support both variants. # * X-UnitedLinux-Default-Enabled: yes/no is used at installation time # (%fillup_and_insserv macro in %post of many RPMs) to specify whether # a startup script should default to be enabled after installation. # It's not used by insserv. # # Note on runlevels: # 0 - halt/poweroff 6 - reboot # 1 - single user 2 - multiuser without network exported # 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) # # Note on script names: # http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html # A registry has been set up to manage the init script namespace. # http://www.lanana.org/ # Please use the names already registered or register one or use a # vendor prefix. 
# Check for missing binaries (stale symlinks should not happen) # Note: Special treatment of stop for LSB conformance NGINX_BIN=/usr/sbin/nginx test -x $NGINX_BIN || { echo "$NGINX_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } # Check for existence of needed config file and read it NGINX_CONFIG=/etc/webyast/nginx.conf test -r $NGINX_CONFIG || { echo "$NGINX_CONFIG not existing"; if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; } PID_FILE=/var/run/webyast.pid CERTIFICATEFILE=/etc/nginx/certs/webyast.pem CERTKEYFILE=/etc/nginx/certs/webyast.key COMBINEDCERTFILE=/etc/nginx/certs/webyast-combined.pem GEMFILE_LOCK=/srv/www/webyast/Gemfile.lock # Source LSB init functions # providing start_daemon, killproc, pidofproc, # log_success_msg, log_failure_msg and log_warning_msg. # This is currently not used by UnitedLinux based distributions and # not needed for init scripts for UnitedLinux only. If it is used, # the functions from rc.status should not be sourced or used. #. /lib/lsb/init-functions # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v be verbose in local rc status and clear it afterwards # rc_status -v -r ditto and clear both the local and overall rc status # rc_status -s display "skipped" and exit with status 3 # rc_status -u display "unused" and exit with status 3 # rc_failed set local and overall rc status to failed # rc_failed <num> set local and overall rc status to <num> # rc_reset clear both the local and overall rc status # rc_exit exit appropriate to overall rc status # rc_active checks whether a service is activated by symlinks . /etc/rc.status # Reset status of this service rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. 
"reload") # 4 - user had insufficient privileges # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) # # Note that starting an already running service, stopping # or restarting a not-running service as well as the restart # with force-reload (in case signaling is not supported) are # considered a success. # set default file permissions to -rw------ # (log files should not be readable by all) umask 0066 case "$1" in start) if [ ! -e $COMBINEDCERTFILE ] then echo "No certificate found. Creating one now." if ! /usr/sbin/check-create-certificate -c -C $CERTIFICATEFILE -K $CERTKEYFILE -B $COMBINEDCERTFILE -D webyast -O WebYaST -U WebYaST >/srv/www/webyast/log/check-create-certificate.log 2>&1 then echo -n "Can not create certificate. Please see /srv/www/webyast/log/check-create-certificate.log for details." rc_failed rc_status -v rc_exit fi chown nginx:nginx $CERTIFICATEFILE $CERTKEYFILE $COMBINEDCERTFILE echo -n "Created certificate: " openssl x509 -in $CERTIFICATEFILE -fingerprint -noout fi echo -n "Starting webyast " # refresh the Gemfile.lock content before starting the server # (outdated file can cause problems after upgrading needed rubygems) rm -f $GEMFILE_LOCK #generate deployment specific secret key (bnc#591345) SECRET=`cd /srv/www/webyast/ && rake -s secret` # make the lock file readable for all chmod a+r $GEMFILE_LOCK if [ -z $SECRET ]; then echo -n "Cannot generate secret for session. Run 'cd /srv/www/webyast/ && rake -s secret' for details." rc_failed rc_status -v rc_exit fi sed -i 's/9d11bfc98abcf9799082d9c34ec94dc1cc926f0f1bf4bea8c440b497d96b14c1f712c8784d0303ee7dd69e382c3e5e4d38d4c56d1b619eae7acaa6516cd733b1/'"$SECRET"/ /srv/www/webyast/config/environment.rb ## Start daemon with startproc(8). If this fails ## the return value is set appropriately by startproc. 
/sbin/startproc -p $PID_FILE $NGINX_BIN -c $NGINX_CONFIG # Remember status and be verbose rc_status -v # print the URL of the server if test "$?" -eq 0; then IFC=`LC_ALL=C route | grep "^default" | tr -s " " | cut -d " " -f 8` IP=`LC_ALL=C ifconfig $IFC | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1` PORT=`LC_ALL=C grep "listen" $NGINX_CONFIG|cut -d ";" -f 1|tr -s " "|cut -d " " -f 3` HNAME=`hostname -f 2> /dev/null` if [ -n "$HNAME" ]; then HNAME=" (https://$HNAME:$PORT/)" fi if [ -n "$IP" ]; then echo -e "\t${done}WebYaST is running at https://$IP:$PORT/${HNAME}${norm}\n" else echo -e "\t${warn}WebYaST could not determine the IP address for $IFC${norm}\n" fi fi ;; stop) echo -n "Shutting down webyast " ## Stop daemon with killproc(8) and if this fails ## killproc sets the return value according to LSB. /sbin/killproc -TERM -p $PID_FILE $NGINX_BIN # Remember status and be verbose rc_status -v ;; try-restart|condrestart) ## Do a restart only if the service was active before. ## Note: try-restart is now part of LSB (as of 1.9). ## RH has a similar command named condrestart. if test "$1" = "condrestart"; then echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" fi $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi # Remember status and be quiet rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) ## Signal the daemon to reload its config. Most daemons ## do this on signal 1 (SIGHUP). ## If it does not support it, restart the service if it ## is running. echo -n "Reload service webyast " ## if it supports it: /sbin/killproc -p $PID_FILE -HUP $NGINX_BIN rc_status -v ## Otherwise: #$0 try-restart #rc_status ;; reload) ## Like force-reload, but if daemon does not support ## signaling, do nothing (!) 
# If it supports signaling: echo -n "Reload service webyast " /sbin/killproc -HUP -p $PID_FILE $NGINX_BIN #touch /var/run/webyast.pid rc_status -v ## Otherwise if it does not support reload: #rc_failed 3 #rc_status -v ;; status) echo -n "Checking for service webyast " ## Check status with checkproc(8), if process is running ## checkproc will return with exit status 0. # Return value is slightly different for the status command: # 0 - service up and running # 1 - service dead, but /var/run/ pid file exists # 2 - service dead, but /var/lock/ lock file exists # 3 - service not running (unused) # 4 - service status unknown :-( # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) # NOTE: checkproc returns LSB compliant status values. /sbin/checkproc -p $PID_FILE $NGINX_BIN # NOTE: rc_status knows that we called this init script with # "status" option and adapts its messages accordingly. rc_status -v ;; probe) ## Optional: Probe for the necessity of a reload, print out the ## argument to this init script which is required for a reload. 
## Note: probe is not (yet) part of LSB (as of 1.9) test $NGINX_CONFIG /var/run/webyast.pid && echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit ++++++ webyast ++++++ # SuSEfirewall2 service definition ## Name: WebYaST ## Description: The backend and frontend of WebYaST, http://en.opensuse.org/WebYaST # space separated list of allowed TCP ports TCP="4984" ++++++ webyast.lr.conf ++++++ /srv/www/webyast/log/production.log /srv/www/webyast/log/development.log /srv/www/webyast/log/access.log /srv/www/webyast/log/error.log /srv/www/webyast/log/permission_service.log /srv/www/webyast/log/passenger.log { compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 600 webyast webyast postrotate /etc/init.d/webyast reload endscript } ++++++ webyast.permissions.conf ++++++ <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <policy user="root"> <allow own="webyast.permissions.service" /> <allow send_destination="webyast.permissions.service" /> </policy> <!-- anyone can call service as it is protected by policyKit --> <policy context="default"> <allow send_destination="webyast.permissions.service" /> </policy> </busconfig> ++++++ webyast.permissions.service.service ++++++ # DBus service activation config [D-BUS Service] Name=webyast.permissions.service Exec=/usr/sbin/webyastPermissionsService.rb User=root ++++++ webyastPermissionsService.rb ++++++ #!/usr/bin/env ruby #-- # Webyast framework # # Copyright (C) 2009, 2010 Novell, Inc. # This library is free software; you can redistribute it and/or modify # it only under the terms of version 2.1 of the GNU Lesser General Public # License as published by the Free Software Foundation. 
# # This library is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA #++ require 'rubygems' require 'dbus' require 'etc' require 'yaml' #checking which policykit is used WEBYAST_CONFIG_FILE = "/etc/webyast/config.yml" polkit1_enabled = true if File.exist?(WEBYAST_CONFIG_FILE) values = YAML::load(File.open(WEBYAST_CONFIG_FILE, 'r').read) polkit1_enabled = false if values["polkit1"] == false end if polkit1_enabled require 'polkit1' else require 'polkit' end # Choose the bus (could also be DBus::session_bus, which is not suitable for a system service) bus = DBus::system_bus # Define the service name service = bus.request_service("webyast.permissions.service") class WebyastPermissionsService < DBus::Object attr_accessor :polkit1 def initialize(polkit1_enabled, options={}) @polkit1 = polkit1_enabled super options end # overriding DBus::Object#dispatch # It is needed because dispatch sent just parameters and without sender it is # imposible to check permissions of sender. So to avoid it add as last # parameter sender id. def dispatch(msg) msg.params << msg.sender super(msg) end def log(msg) f = File.new("/srv/www/webyast/log/permission_service.log","a",0600) f.write(msg+"\n") f.close end # Create an interface. dbus_interface "webyast.permissions.Interface" do dbus_method :grant, "out result:as, in permissions:as, in user:s" do |permissions,user,sender| result = execute(:grant, permissions, user,sender) log "Grant permissions #{permissions.inspect} for user #{user} with result #{result.inspect} " + (@polkit1 ? 
"(Polkit1)" : "(PolicyKit)") [result] end dbus_method :revoke, "out result:as, in permissions:as, in user:s" do |permissions,user,sender| result = execute(:revoke, permissions, user,sender) log "Revoke permissions #{permissions.inspect} for user #{user} with result #{result.inspect} " + (@polkit1 ? "(Polkit1)" : "(PolicyKit)") [result] end dbus_method :check, "out result:as, in permissions:as, in user:s" do |permissions,user,sender| result = execute(:check, permissions, user,sender) log "check permissions #{permissions.inspect} for user #{user} with result #{result.inspect} " + (@polkit1 ? "(Polkit1)" : "(PolicyKit)") [result] end end USER_REGEX=/\A[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/ USER_WITH_DOMAIN_REGEX=/\A[a-zA-Z0-9][a-zA-Z0-9\-.]*\\[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]?\Z/ POLKIT_SECTION = "55-webyast.d" def execute (command, permissions, user, sender) #TODO polkit check, user escaping, perm whitespacing return ["NOPERM"] unless check_polkit sender, command return ["USER_INVALID"] if invalid_user_name? 
user result = [] permissions.each do |p| #whitespace check for valid permission string to avoid attack unless p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/) result << "permissions have a wrong format" else case command when :grant then begin if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, p, true, user) result << "true" else #whitespace check for valid permission string to avoid attack if p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/) result << `polkit-auth --user '#{user}' --grant '#{p}' 2>&1` # RORSCAN_ITL else result << "perm #{p} is INVALID" # XXX tom: better don't include invalif perms here, we do not know what the calling function is doing with it, like displaying it via the browser, passing it to the shell etc. end end rescue Exception => e result << e.message end when :revoke then begin if @polkit1 PolKit1::polkit1_write(POLKIT_SECTION, p, false, user) result << "true" else #whitespace check for valid permission string to avoid attack if p.match(/^[a-zA-Z][a-zA-Z0-9.-]*$/) result << `polkit-auth --user '#{user}' --revoke '#{p}' 2>&1` # RORSCAN_ITL else result << "perm #{p} is INVALID" # XXX tom: better don't include invalif perms here, we do not know what the calling function is doing with it, like displaying it via the browser, passing it to the shell etc. 
end end rescue Exception => e result << e.message end when :check then if @polkit1 if PolKit1::polkit1_check(p, user) == :yes result << "yes" else result << "no" end else uid = DBus::SystemBus.instance.proxy.GetConnectionUnixUser(sender)[0] user = Etc.getpwuid(uid).name if PolKit.polkit_check(p, user) == :yes result << "yes" else result << "no" end end else end end end return result end PERMISSION_WRITE="org.opensuse.yast.permissions.write" PERMISSION_READ="org.opensuse.yast.permissions.read" def check_polkit(sender, command) uid = DBus::SystemBus.instance.proxy.GetConnectionUnixUser(sender)[0] user = Etc.getpwuid(uid).name begin case command when :grant then if @polkit1 return PolKit1.polkit1_check(PERMISSION_WRITE, user) == :yes else return PolKit.polkit_check(PERMISSION_WRITE, user) == :yes end when :revoke then if @polkit1 return PolKit1.polkit1_check(PERMISSION_WRITE, user) == :yes else return PolKit.polkit_check(PERMISSION_WRITE, user) == :yes end when :check then if @polkit1 return PolKit1.polkit1_check(PERMISSION_READ, user) == :yes else return PolKit.polkit_check(PERMISSION_READ, user) == :yes end else return false end rescue Exception => e log "PolKit returns an error: #{e.inspect}" return false end end def invalid_user_name? user active_directory_enabled = `/usr/sbin/pam-config -q --winbind 2>/dev/null | wc -w`.to_i > 0 # RORSCAN_ITL return false if user.match(USER_REGEX) return false if active_directory_enabled && user.match(USER_WITH_DOMAIN_REGEX) return true end end # Set the object path obj = WebyastPermissionsService.new(polkit1_enabled, "/webyast/permissions/Interface") # Export it! service.export(obj) # Now listen to incoming requests main = DBus::Main.new main << bus main.run ++++++ yast_user_roles ++++++ # # file : /etc/yast_user_roles # # This file describes roles of a user accounts for the WebYaST # "user accounts": System account which is accessable e.g. via PAM. 
# "roles" : Describes user accounts for which policies have # been generated # # Format: <user> <role 1>,<role 2>,...<role n> #-- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@hilbert.suse.de
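Review bot: In the rights-management script that parses --user, --action and --policy, the values of --user and --policy go straight from the command line into shell strings such as `polkit-auth --user '#{user}' --grant '#{single_policy}'`, protected only by the surrounding single quotes, so a value that itself contains a quote changes the command that runs. Run polkit-auth with an argument array (IO.popen with an array, or Open3.capture2e) so that no shell is involved, or validate both values first with the USER_REGEX and permission pattern that webyastPermissionsService.rb already defines. The usage text also prints `(--grant|-revoke)` with a single dash before revoke.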
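Review bot: In nginx.conf, `ssl_protocols TLSv1;` pins the listener on port 4984 to TLS 1.0 only, and `ssl_ciphers ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH` starts from ALL, which leaves the MEDIUM class (RC4 with SHA among others) enabled. List TLSv1.1 and TLSv1.2 as well where the installed nginx and OpenSSL support them, and build the cipher string from HIGH instead of subtracting from ALL. A short comment above the two directives saying which clients the choice is meant to support would help the next reviewer.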
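Review bot: In the start branch of rcwebyast, `if [ -z $SECRET ]` tests the variable unquoted and the following sed call splices it into the expression on the command line, so the freshly generated session secret is readable in the process list while sed runs, and any unexpected output from rake (a warning line, a space, a slash) breaks either the test or the substitution. Quote the test as [ -z "$SECRET" ] and hand the expression to sed through a mode 600 file (sed -f) rather than argv. In the probe branch, `test $NGINX_CONFIG /var/run/webyast.pid` looks like it has lost its -nt operator, so no timestamp comparison takes place; it should read test $NGINX_CONFIG -nt $PID_FILE.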
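Review bot: In webyast.permissions.conf, the rule under `<policy context="default">` lets every local user send any message to webyast.permissions.service, which leaves the polkit check inside the root-owned service as the only gate. Narrowing the rule with send_interface="webyast.permissions.Interface" (plus org.freedesktop.DBus.Introspectable if clients introspect the object) would limit what unprivileged callers can reach to the three exported methods, and the existing comment should say that authorization is enforced in check_polkit so the dependency is explicit.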
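Review bot: In webyastPermissionsService.rb, execute validates each permission with `/^[a-zA-Z][a-zA-Z0-9.-]*$/`, but in Ruby ^ and $ match at line boundaries, so a multi-line string passes as soon as one of its lines matches, and in the non-polkit1 branch that string is then interpolated into the backtick polkit-auth command. Anchor the pattern with \A and \z (USER_REGEX uses \A and \Z, and \Z still tolerates one trailing newline, so \z is the stricter choice there too) and call polkit-auth with an argument array instead of a shell string. The second copy of the same match inside the :grant and :revoke branches can never fail after the outer check and can be dropped. In the :check branch without polkit1, `user` is overwritten with the sender's account name, so the result describes the caller rather than the user argument, unlike the polkit1 branch; one of the two behaviours is presumably unintended and should be documented or aligned.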