Hello community,
here is the log from the commit of package yast2-security
checked in at Thu Sep 25 01:09:53 CEST 2008.
--------
--- yast2-security/yast2-security.changes 2008-09-15 16:36:59.000000000 +0200
+++ /mounts/work_src_done/STABLE/yast2-security/yast2-security.changes 2008-09-17 09:36:17.000000000 +0200
@@ -1,0 +2,8 @@
+Tue Sep 16 17:33:18 CEST 2008 - lslezak@suse.cz
+
+- check enabled services in runlevel 3 and 5, activate changes
+ in Security::Write() (bnc#425864)
+- testsuite update
+- 2.17.3
+
+-------------------------------------------------------------------
Old:
----
yast2-security-2.17.2.tar.bz2
New:
----
yast2-security-2.17.3.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-security.spec ++++++
--- /var/tmp/diff_new_pack.kl3088/_old 2008-09-25 01:09:48.000000000 +0200
+++ /var/tmp/diff_new_pack.kl3088/_new 2008-09-25 01:09:48.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package yast2-security (Version 2.17.2)
+# spec file for package yast2-security (Version 2.17.3)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -19,16 +19,18 @@
Name: yast2-security
-Version: 2.17.2
+Version: 2.17.3
Release: 1
License: GPL v2 or later
Group: System/YaST
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-Source0: yast2-security-2.17.2.tar.bz2
+Source0: yast2-security-2.17.3.tar.bz2
Prefix: /usr
BuildRequires: doxygen perl-XML-Writer pkg-config update-desktop-files yast2-devtools yast2-pam yast2-testsuite
# new Pam.ycp API
-Requires: yast2 yast2-pam >= 2.14.0
+Requires: yast2-pam >= 2.14.0
+# Service::EnabledServices()
+Requires: yast2 >= 2.17.25
Provides: y2c_sec yast2-config-security
Obsoletes: y2c_sec yast2-config-security
Provides: yast2-trans-security y2t_sec
@@ -47,7 +49,7 @@
Jiri Suchomel
%prep
-%setup -n yast2-security-2.17.2
+%setup -n yast2-security-2.17.3
%build
%{prefix}/bin/y2tool y2autoconf
@@ -81,6 +83,11 @@
/usr/share/YaST2/schema/autoyast/rnc/security.rnc
%doc %{prefix}/share/doc/packages/yast2-security
%changelog
+* Tue Sep 16 2008 lslezak@suse.cz
+- check enabled services in runlevel 3 and 5, activate changes
+ in Security::Write() (bnc#425864)
+- testsuite update
+- 2.17.3
* Mon Sep 15 2008 lslezak@suse.cz
- added new variables to the predefined security levels
- fixed build: updated the testsuite - added new variables
++++++ yast2-security-2.17.2.tar.bz2 -> yast2-security-2.17.3.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/configure new/yast2-security-2.17.3/configure
--- old/yast2-security-2.17.2/configure 2008-09-15 16:15:56.000000000 +0200
+++ new/yast2-security-2.17.3/configure 2008-09-17 09:29:49.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for yast2-security 2.17.2.
+# Generated by GNU Autoconf 2.61 for yast2-security 2.17.3.
#
# Report bugs to http://bugs.opensuse.org/.
#
@@ -574,8 +574,8 @@
# Identity of this package.
PACKAGE_NAME='yast2-security'
PACKAGE_TARNAME='yast2-security'
-PACKAGE_VERSION='2.17.2'
-PACKAGE_STRING='yast2-security 2.17.2'
+PACKAGE_VERSION='2.17.3'
+PACKAGE_STRING='yast2-security 2.17.3'
PACKAGE_BUGREPORT='http://bugs.opensuse.org/'
ac_unique_file="RPMNAME"
@@ -1197,7 +1197,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures yast2-security 2.17.2 to adapt to many kinds of systems.
+\`configure' configures yast2-security 2.17.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1268,7 +1268,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of yast2-security 2.17.2:";;
+ short | recursive ) echo "Configuration of yast2-security 2.17.3:";;
esac
cat <<\_ACEOF
@@ -1346,7 +1346,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-yast2-security configure 2.17.2
+yast2-security configure 2.17.3
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1360,7 +1360,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by yast2-security $as_me 2.17.2, which was
+It was created by yast2-security $as_me 2.17.3, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -2181,7 +2181,7 @@
# Define the identity of the package.
PACKAGE='yast2-security'
- VERSION='2.17.2'
+ VERSION='2.17.3'
cat >>confdefs.h <<_ACEOF
@@ -2409,7 +2409,7 @@
-VERSION="2.17.2"
+VERSION="2.17.3"
RPMNAME="yast2-security"
MAINTAINER="Jiri Suchomel "
@@ -3304,7 +3304,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by yast2-security $as_me 2.17.2, which was
+This file was extended by yast2-security $as_me 2.17.3, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -3347,7 +3347,7 @@
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-yast2-security config.status 2.17.2
+yast2-security config.status 2.17.3
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/configure.in new/yast2-security-2.17.3/configure.in
--- old/yast2-security-2.17.2/configure.in 2008-09-15 16:15:50.000000000 +0200
+++ new/yast2-security-2.17.3/configure.in 2008-09-17 09:29:44.000000000 +0200
@@ -3,7 +3,7 @@
dnl -- This file is generated by y2autoconf 2.17.3 - DO NOT EDIT! --
dnl (edit configure.in.in instead)
-AC_INIT(yast2-security, 2.17.2, http://bugs.opensuse.org/, yast2-security)
+AC_INIT(yast2-security, 2.17.3, http://bugs.opensuse.org/, yast2-security)
dnl Check for presence of file 'RPMNAME'
AC_CONFIG_SRCDIR([RPMNAME])
@@ -18,7 +18,7 @@
AM_INIT_AUTOMAKE(tar-ustar -Wno-portability)
dnl Important YaST2 variables
-VERSION="2.17.2"
+VERSION="2.17.3"
RPMNAME="yast2-security"
MAINTAINER="Jiri Suchomel "
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/src/complex.ycp new/yast2-security-2.17.3/src/complex.ycp
--- old/yast2-security-2.17.2/src/complex.ycp 2008-08-12 16:20:05.000000000 +0200
+++ new/yast2-security-2.17.3/src/complex.ycp 2008-09-16 19:01:22.000000000 +0200
@@ -4,7 +4,7 @@
* Summary: Complex dialogs definitions
* Authors: Michal Svec
*
- * $Id: complex.ycp 49963 2008-08-12 07:53:13Z lslezak $
+ * $Id: complex.ycp 51199 2008-09-16 17:01:23Z lslezak $
*/
{
@@ -123,6 +123,18 @@
else if(is(ret, string) || ret == `wizardTree) {
if (contains(tree_dialogs, ret))
{
+ // the current item has been selected, do not change to the same dialog
+ if (ret == "main")
+ {
+ // preselect the item if it has been unselected
+ if (Wizard::QueryTreeItem() != "main")
+ {
+ Wizard::SelectTreeItem("main");
+ }
+
+ continue;
+ }
+
// switch to another dialog
break;
}
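Review bot: The reselect-and-continue block added here is repeated verbatim for six other dialogs in this commit (dialogs.ycp overview, boot, misc, password and login; users.ycp users), differing only in the item name. A shared helper would keep the seven copies in sync and make the intent explicit; each caller reduces to `if (ReselectCurrentDialog(ret, "main")) continue;`. Which include should host the helper depends on what the dialogs share, which is not visible here.
```ycp
// Keep the tree selection on the dialog that is already displayed.
// Returns true when `ret` names the current dialog (caller continues its event loop).
boolean ReselectCurrentDialog(any ret, string current)
{
    if (ret != current) return false;

    // preselect the item if it has been unselected
    if (Wizard::QueryTreeItem() != current)
    {
        Wizard::SelectTreeItem(current);
    }

    return true;
}
```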
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/src/dialogs.ycp new/yast2-security-2.17.3/src/dialogs.ycp
--- old/yast2-security-2.17.2/src/dialogs.ycp 2008-09-15 14:10:39.000000000 +0200
+++ new/yast2-security-2.17.3/src/dialogs.ycp 2008-09-16 19:01:22.000000000 +0200
@@ -4,7 +4,7 @@
* Summary: Dialogs definitions
* Authors: Michal Svec
*
- * $Id: dialogs.ycp 51151 2008-09-15 12:10:39Z lslezak $
+ * $Id: dialogs.ycp 51199 2008-09-16 17:01:23Z lslezak $
*/
{
@@ -21,6 +21,9 @@
list tree_dialogs = [ "main", "overview", "password", "boot", "login", "users", "misc", `wizardTree ];
+const list<string> configurable_options = [ "PERMISSION_SECURITY", "RUNLEVEL3_MANDATORY_SERVICES",
+ "RUNLEVEL5_MANDATORY_SERVICES", "RUNLEVEL3_EXTRA_SERVICES", "RUNLEVEL5_EXTRA_SERVICES" ];
+
string SecurityStatus(string option)
{
@@ -31,7 +34,7 @@
y2milestone("Option: %1, value: %2", option, value);
// handle the special cases at first
- if (option == "PERMISSION_SECURITY")
+ if (contains(configurable_options, option))
{
ret = _("Configure");
}
@@ -71,9 +74,10 @@
"IP_TCP_SYNCOOKIES" : _("Enable TCP syncookies"),
"IP_FORWARD" : _("Disable IPv4 forwarding"),
"IPV6_FORWARD" : _("Disable IPv6 forwarding"),
- // TODO FIXME: implement the missing part
- "SYSTEM_SERVICES_ARE_ENABLED" : _("Enable basic system services"),
- "UNNECESSARY_SERVICES_ARE_ENABLED" : _("Enable extra system services")
+ "RUNLEVEL3_MANDATORY_SERVICES" : _("Enable basic system services in runlevel 3 (multiuser with network)"),
+ "RUNLEVEL5_MANDATORY_SERVICES" : _("Enable basic system services in runlevel 5 (multiuser with network and graphical login)"),
+ "RUNLEVEL3_EXTRA_SERVICES" : _("Enable extra services in runlevel 3"),
+ "RUNLEVEL5_EXTRA_SERVICES" : _("Enable extra services in runlevel 5"),
];
@@ -116,18 +120,15 @@
],
$[
"id" : "SYSLOG_ON_NO_ERROR",
- "activate" : "/etc/init.d/boot.clock start",
"is_secure" : (Security::Settings["SYSLOG_ON_NO_ERROR"]:"" == "yes"),
],
$[
"id" : "DHCPD_RUN_CHROOTED",
"is_secure" : (Security::Settings["DHCPD_RUN_CHROOTED"]:"" == "yes"),
- "activate" : "/etc/init.d/dhcpd restart",
],
$[
"id" : "DHCPD_RUN_AS",
"is_secure" : (Security::Settings["DHCPD_RUN_AS"]:"" == "dhcp"),
- "activate" : "/etc/init.d/dhcpd restart",
],
$[
"id" : "DISPLAYMANAGER_ROOT_LOGIN_REMOTE",
@@ -140,8 +141,6 @@
$[
"id" : "SMTPD_LISTEN_REMOTE",
"is_secure" : (Security::Settings["SMTPD_LISTEN_REMOTE"]:"" == "no"),
- // FIXME
- "activate" : "SuSEconfig AND (/etc/init.d/sendmail OR /etc/init.d/postfix) restart"
],
$[
"id" : "DISABLE_RESTART_ON_UPDATE",
@@ -154,17 +153,30 @@
$[
"id" : "IP_TCP_SYNCOOKIES",
"is_secure" : (Security::Settings["IP_TCP_SYNCOOKIES"]:"" == "yes"),
- "activate": "/etc/init.d/boot.ipconfig start"
],
$[
"id" : "IP_FORWARD",
"is_secure" : (Security::Settings["IP_FORWARD"]:"" == "no"),
- "activate": "/etc/init.d/boot.ipconfig start"
],
$[
"id" : "IPV6_FORWARD",
"is_secure" : (Security::Settings["IPV6_FORWARD"]:"" == "no"),
- "activate": "/etc/init.d/boot.ipconfig start"
+ ],
+ $[
+ "id" : "RUNLEVEL3_MANDATORY_SERVICES",
+ "is_secure" : (Security::Settings["RUNLEVEL3_MANDATORY_SERVICES"]:"" == "secure"),
+ ],
+ $[
+ "id" : "RUNLEVEL5_MANDATORY_SERVICES",
+ "is_secure" : (Security::Settings["RUNLEVEL5_MANDATORY_SERVICES"]:"" == "secure"),
+ ],
+ $[
+ "id" : "RUNLEVEL3_EXTRA_SERVICES",
+ "is_secure" : (Security::Settings["RUNLEVEL3_EXTRA_SERVICES"]:"" == "secure"),
+ ],
+ $[
+ "id" : "RUNLEVEL5_EXTRA_SERVICES",
+ "is_secure" : (Security::Settings["RUNLEVEL5_EXTRA_SERVICES"]:"" == "secure"),
],
];
@@ -180,7 +192,7 @@
SecurityStatus(id),
setting["is_secure"]:false ?
"<SUP><FONT COLOR=green SIZE=20>✔</FONT></SUP>" : "<FONT COLOR=red SIZE=20><SUP>✘</SUP></FONT>",
- haskey(help_mapping, id) ? sformat("%2</A>", id, _("Help")) : ""
+ haskey(help_mapping, id) ? sformat("%2</A> ", id, _("Help")) : ""
);
}
);
@@ -204,6 +216,22 @@
"PERMISSION_SECURITY" : "misc"
];
+// mapping for "Configure" links
+// config name -> yast client
+map link_client_mapping = $[
+ "RUNLEVEL3_MANDATORY_SERVICES" : "runlevel",
+ "RUNLEVEL5_MANDATORY_SERVICES" : "runlevel",
+ "RUNLEVEL3_EXTRA_SERVICES" : "runlevel",
+ "RUNLEVEL5_EXTRA_SERVICES" : "runlevel",
+];
+
+map link_update_mapping = $[
+ "RUNLEVEL3_MANDATORY_SERVICES" : ``(Security::ReadServiceSettings()),
+ "RUNLEVEL5_MANDATORY_SERVICES" : ``(Security::ReadServiceSettings()),
+ "RUNLEVEL3_EXTRA_SERVICES" : ``(Security::ReadServiceSettings()),
+ "RUNLEVEL5_EXTRA_SERVICES" : ``(Security::ReadServiceSettings()),
+];
+
void DisplayHelpPopup(string help_id)
{
string help = help_mapping[help_id]:"";
@@ -214,6 +242,39 @@
help = help + HELPS["unknown_status"]:"";
}
+ // add extra help to service related options
+ if (help_id == "RUNLEVEL3_MANDATORY_SERVICES" || help_id == "RUNLEVEL5_MANDATORY_SERVICES")
+ {
+ list<string> missing = (help_id == "RUNLEVEL3_MANDATORY_SERVICES") ? Security::MissingMandatoryServices(3)
+ : Security::MissingMandatoryServices(5);
+
+ if (missing != nil && missing != [])
+ {
+ string srvs = mergestring(missing, "<BR>");
+ help = help + sformat(_("<P>These basic system services are not running:<BR><B>%1</B></P>"), srvs);
+ }
+ else
+ {
+ help = help + _("<P>All basic services are enabled.</P>");
+ }
+ }
+ else if (help_id == "RUNLEVEL3_EXTRA_SERVICES" || help_id == "RUNLEVEL5_EXTRA_SERVICES")
+ {
+ list<string> extra = (help_id == "RUNLEVEL3_EXTRA_SERVICES") ? Security::ExtraServices(3)
+ : Security::ExtraServices(5);
+
+ if (extra != nil && extra != [])
+ {
+ string srvs = mergestring(extra, "<BR>");
+ help = help + sformat(_("<P>These extra services are running:<BR><B>%1</B></P>"), srvs);
+ help = help + _("<P>Check the list of services and disable all unused services.</P>");
+ }
+ else
+ {
+ help = help + _("<P>Only basic system services are enabled.</P>");
+ }
+ }
+
if (help != nil && help != "")
{
Popup::LongText(label_mapping[help_id]:_("Description"), `RichText(help), 70, 15);
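Review bot: The else branches report "All basic services are enabled." and "Only basic system services are enabled." also when MissingMandatoryServices()/ExtraServices() return nil, which is the case where Service::EnabledServices() failed, not the case where nothing is missing. A separate nil branch, e.g. `if (missing == nil) { help = help + _("<P>The list of enabled services could not be read.</P>"); } else if (missing != [])`, and the same for `extra`, avoids showing a reassuring message on a read error. The "are not running" wording is also slightly off, since the check is runlevel enablement rather than process state. DisplayHelpPopup() starts and ends outside this hunk.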
@@ -247,6 +308,18 @@
else continue;
}
else if(ret == `back || ret == `next || contains(tree_dialogs, ret)) {
+ // the current item has been selected, do not change to the same dialog
+ if (ret == "overview")
+ {
+ // preselect the item if it has been unselected
+ if (Wizard::QueryTreeItem() != "overview")
+ {
+ Wizard::SelectTreeItem("overview");
+ }
+
+ continue;
+ }
+
break;
}
// user clicked a link in the richtext
@@ -275,6 +348,26 @@
y2milestone("Switching to dialog %1", new_dialog);
return new_dialog;
}
+ else if (haskey(link_client_mapping, ret))
+ {
+ string client = link_client_mapping[ret]:"";
+
+ if (client != "")
+ {
+ y2milestone("Calling Yast client %1", client);
+ any client_ret = WFM::CallFunction(client, []);
+ y2milestone("Client returned %1", client_ret);
+
+ if (client_ret == `next || client_ret == `ok || client_ret == `finish)
+ {
+ // update the current value
+ if (haskey(link_update_mapping, ret))
+ {
+ eval(link_update_mapping[ret]:nil);
+ }
+ }
+ }
+ }
else
{
y2error("Unknown action for link %1", ret);
@@ -347,6 +440,18 @@
else continue;
}
else if(ret == `back || ret == `next || contains(tree_dialogs, ret)) {
+ // the current item has been selected, do not change to the same dialog
+ if (ret == "boot")
+ {
+ // preselect the item if it has been unselected
+ if (Wizard::QueryTreeItem() != "boot")
+ {
+ Wizard::SelectTreeItem("boot");
+ }
+
+ continue;
+ }
+
break;
}
else {
@@ -411,6 +516,18 @@
break;
}
else if(ret == `next || contains(tree_dialogs, ret)) {
+ // the current item has been selected, do not change to the same dialog
+ if (ret == "misc")
+ {
+ // preselect the item if it has been unselected
+ if (Wizard::QueryTreeItem() != "misc")
+ {
+ Wizard::SelectTreeItem("misc");
+ }
+
+ continue;
+ }
+
/* check_* */
break;
}
@@ -493,6 +610,18 @@
break;
}
else if(ret == `next || contains(tree_dialogs, ret)) {
+ // the current item has been selected, do not change to the same dialog
+ if (ret == "password")
+ {
+ // preselect the item if it has been unselected
+ if (Wizard::QueryTreeItem() != "password")
+ {
+ Wizard::SelectTreeItem("password");
+ }
+
+ continue;
+ }
+
/* check_* */
if(checkMinMax("PASS_MIN_DAYS","PASS_MAX_DAYS") != true) {
/* Popup text */
@@ -582,6 +711,18 @@
break;
}
else if(ret == `next || contains(tree_dialogs, ret)) {
+ // the current item has been selected, do not change to the same dialog
+ if (ret == "login")
+ {
+ // preselect the item if it has been unselected
+ if (Wizard::QueryTreeItem() != "login")
+ {
+ Wizard::SelectTreeItem("login");
+ }
+
+ continue;
+ }
+
/* check_* */
break;
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/src/helps.ycp new/yast2-security-2.17.3/src/helps.ycp
--- old/yast2-security-2.17.2/src/helps.ycp 2008-09-15 14:10:39.000000000 +0200
+++ new/yast2-security-2.17.3/src/helps.ycp 2008-09-16 17:34:38.000000000 +0200
@@ -4,7 +4,7 @@
* Summary: Helps definition
* Authors: Michal Svec
*
- * $Id: helps.ycp 51151 2008-09-15 12:10:39Z lslezak $
+ * $Id: helps.ycp 51197 2008-09-16 15:34:40Z lslezak $
*
* This file contains all helps for the security module screens.
* They are in one huge map called HELPS.
@@ -294,6 +294,10 @@
is rather easy if you set this option.</p>") +
_("This setting applies for regular users."),
+ "RUNLEVEL3_MANDATORY_SERVICES" : _("<P>Basic system services must be enabled to provide system consistency and to run the security related services.</P>"),
+ "RUNLEVEL5_MANDATORY_SERVICES" : _("<P>Basic system services must be enabled to provide system consistency and to run the security related services.</P>"),
+ "RUNLEVEL3_EXTRA_SERVICES" : _("<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>"),
+ "RUNLEVEL5_EXTRA_SERVICES" : _("<P>Every running service is a potential target of a security attack. Therefore it is recommended to turn off all services which are not used by the system.</P>"),
];
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/src/Security.ycp new/yast2-security-2.17.3/src/Security.ycp
--- old/yast2-security-2.17.2/src/Security.ycp 2008-09-15 14:11:47.000000000 +0200
+++ new/yast2-security-2.17.3/src/Security.ycp 2008-09-16 18:27:10.000000000 +0200
@@ -4,7 +4,7 @@
* Summary: Data for the security configuration
* Authors: Michal Svec
*
- * $Id: Security.ycp 51152 2008-09-15 12:11:48Z lslezak $
+ * $Id: Security.ycp 51198 2008-09-16 16:27:11Z lslezak $
*/
{
@@ -15,14 +15,15 @@
import "Pam";
import "PamSettings";
import "Progress";
+import "Service";
include "security/levels.ycp";
-// sevices to check - these must be running
-list<string> mandatory_services = ["ntp", "syslog", "auditd", "random", "consolekit", "kbd", "sendmail", "postfix", "cron"];
+// services to check - these must be running
+global const list<string> mandatory_services = ["ntp", "syslog", "auditd", "random", "consolekit", "kbd", "cron"];
// sevices to check - these can be ignored (if they are running it's OK)
-list<string> ignored_services = [
+global const list<string> optional_services = [
"acpid", "dbus", "ealysyslog", "fbset", "framebufferset", "isdn", "microcode.ctl", "random",
"consolekit", "haldaemon", "network", "syslog", "auditd", "splash_early", "alsasound",
"irq_balancer", "kbd", "powersaved", "splash", "sshd", "earlyxdm", "hotkey-setup", "atd", "nscd",
@@ -32,6 +33,78 @@
// All other services should be turned off
+// return list of missing mandatory services in a runlevel
+global list<string> MissingMandatoryServices(integer runlevel)
+{
+ y2milestone("Checking mandatory services in runlevel %1", runlevel);
+
+ list<string> ret = [];
+ list<string> enabled_services = Service::EnabledServices(runlevel);
+
+ if (enabled_services == nil)
+ {
+ return nil;
+ }
+
+ foreach(string service, mandatory_services,
+ {
+ boolean enabled = contains(enabled_services, service);
+ y2milestone("Mandatory service %1 is enabled: %2", service, enabled);
+
+ if (!enabled)
+ {
+ ret = add(ret, service);
+ }
+ }
+ );
+
+ // handle postfix and sendmail specifically - only one of them can be installed in a system
+ boolean mailer_enabled = contains(enabled_services, "postfix")
+ || contains(enabled_services, "sendmail");
+
+ y2milestone("A mailer daemon is enabled: %1", mailer_enabled);
+
+ if (!mailer_enabled)
+ {
+ ret = add(ret, "postfix");
+ ret = add(ret, "sendmail");
+ }
+
+ y2milestone("Missing mandatory services in runlevel %1: %2", runlevel, ret);
+
+ return ret;
+}
+
+global list<string> ExtraServices(integer runlevel)
+{
+ y2milestone("Searching for extra services in runlevel %1", runlevel);
+
+ list<string> extra_services = [];
+ list<string> enabled_services = Service::EnabledServices(runlevel);
+
+ if (enabled_services == nil)
+ {
+ return nil;
+ }
+
+ foreach(string service, enabled_services,
+ {
+ // the extra service is not mandatory and it's not optional
+ boolean extra = !contains(mandatory_services, service) && !contains(optional_services, service);
+
+ if (extra)
+ {
+ y2milestone("Found extra service: %1", service);
+ extra_services = add(extra_services, service);
+ }
+ }
+ );
+
+ y2milestone("All extra services: %1", extra_services);
+
+ return extra_services;
+}
+
/**
* All security settings
*/
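Review bot: ExtraServices() has no header comment, and neither function documents the nil return taken when Service::EnabledServices() yields nil, which callers must distinguish from an empty list. Suggested headers: `// return the mandatory services not enabled in the runlevel; nil when the enabled services cannot be read` above MissingMandatoryServices() and `// return the enabled services that are neither mandatory nor optional; nil when the enabled services cannot be read` above ExtraServices(). Several names ("random", "consolekit", "syslog", "auditd", "kbd") appear in both mandatory_services and optional_services; this is harmless for ExtraServices(), but a comment stating the overlap is intentional would help. The pre-existing context entry "ealysyslog" looks like a typo for "earlysyslog" — worth confirming against the init script name.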
@@ -77,8 +150,15 @@
"DISPLAYMANAGER_ROOT_LOGIN_REMOTE" : "no",
"DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" : "no",
"SMTPD_LISTEN_REMOTE" : "no",
+ "RUNLEVEL3_MANDATORY_SERVICES" : "yes",
+ "RUNLEVEL5_MANDATORY_SERVICES" : "yes",
+ "RUNLEVEL3_EXTRA_SERVICES" : "no",
+ "RUNLEVEL5_EXTRA_SERVICES" : "no",
];
+// the original settings
+map Settings_bak = Settings;
+
/**
* Security settings locations
*/
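Review bot: The four new defaults use "yes"/"no", but every consumer of these keys uses "secure"/"insecure": ReadServiceSettings() in the next hunk writes those values and the `is_secure` entries in dialogs.ycp test `== "secure"`. Until Read() runs, the defaults can therefore never evaluate as secure; `"RUNLEVEL3_MANDATORY_SERVICES" : "secure",` and the same value for the other three keys would match the vocabulary the code actually uses. If the predefined levels in security/levels.ycp also carry these keys, they presumably need the same values; that file is not part of this diff.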
@@ -141,6 +221,10 @@
* - CONSOLE_SHUTDOWN (/etc/inittab)
* - PASSWD_ENCRYPTION (/etc/pam?)
* - GROUP_ENCRYPTION FIXME cannot be set
+ * - RUNLEVEL3_MANDATORY_SERVICES
+ * - RUNLEVEL5_MANDATORY_SERVICES
+ * - RUNLEVEL3_EXTRA_SERVICES
+ * - RUNLEVEL5_EXTRA_SERVICES
*/
/**
@@ -221,6 +305,14 @@
return modified;
}
+global void ReadServiceSettings()
+{
+ Settings["RUNLEVEL3_MANDATORY_SERVICES"] = MissingMandatoryServices(3) == [] ? "secure" : "insecure";
+ Settings["RUNLEVEL5_MANDATORY_SERVICES"] = MissingMandatoryServices(5) == [] ? "secure" : "insecure";
+ Settings["RUNLEVEL3_EXTRA_SERVICES"] = ExtraServices(3) == [] ? "secure" : "insecure";
+ Settings["RUNLEVEL5_EXTRA_SERVICES"] = ExtraServices(5) == [] ? "secure" : "insecure";
+}
+
/**
* Read all security settings
* @return true on success
@@ -311,6 +403,9 @@
if(Abort()) return false;
Progress::NextStage();
+ /* Read runlevel setting */
+ ReadServiceSettings();
+
/* pam stuff */
map pwcheck = Pam::Query ("pwcheck");
list<string> pam_check_settings = pwcheck["password"]:[];
@@ -366,9 +461,24 @@
sleep(sl);
if(Abort()) return false;
modified = false;
+
+ // remeber the read values
+ Settings_bak = Settings;
return true;
}
+
+map activation_mapping = $[
+ "SYSLOG_ON_NO_ERROR" : "/etc/init.d/boot.clock start",
+ "DHCPD_RUN_CHROOTED" : "/etc/init.d/dhcpd restart",
+ "DHCPD_RUN_AS" : "/etc/init.d/dhcpd restart",
+ // restart sendmail or postfix - whatever is installed
+ "SMTPD_LISTEN_REMOTE" : "(test -e /etc/init.d/sendmail && /sbin/SuSEconfig --module sendmail && /etc/init.d/sendmail restart) || (test -e /etc/init.d/postfix && /sbin/SuSEconfig --module postfix && /etc/init.d/postfix restart)",
+ "IP_TCP_SYNCOOKIES" : "/etc/init.d/boot.ipconfig start",
+ "IP_FORWARD" : "/etc/init.d/boot.ipconfig start",
+ "IPV6_FORWARD" : "/etc/init.d/boot.ipconfig start",
+];
+
/**
* Write all security settings
* @return true on success
@@ -508,6 +618,22 @@
if(Abort()) return false;
Progress::NextStage();
+ // activate the changes
+ foreach(string setting, string action, activation_mapping,
+ {
+ if (Settings[setting]:"" != Settings_bak[setting]:"")
+ {
+ y2milestone("Option %1 has been modified, activating the change: %2", setting, action);
+
+ integer res = (integer)SCR::Execute(.target.bash, action);
+ if (res != 0)
+ {
+ y2error("Activation failed");
+ }
+ }
+ }
+ );
+
if(Abort()) return false;
modified = false;
return true;
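Review bot: The loop runs one command per modified key, so keys that share an action execute it repeatedly — the expected output in testsuite/tests/Write.out (two `/etc/init.d/dhcpd restart`, three `/etc/init.d/boot.ipconfig start`) shows this. Collecting the distinct actions first and running each once avoids redundant daemon restarts; the testsuite expectation would change accordingly. The error path only logs, so Write() still returns true when an activation command fails — a comment would make clear that this is best-effort by design. Write() starts and ends outside this hunk.
```ycp
// activate the changes: run each distinct action once, even when
// several modified settings map to the same command (e.g. dhcpd restart)
list<string> actions = [];
foreach(string setting, string action, activation_mapping,
{
    if (Settings[setting]:"" != Settings_bak[setting]:"")
    {
        y2milestone("Option %1 has been modified, activation needed: %2", setting, action);
        if (!contains(actions, action))
        {
            actions = add(actions, action);
        }
    }
}
);

foreach(string action, actions,
{
    // best-effort: a failed activation is logged but does not fail Write()
    integer res = (integer)SCR::Execute(.target.bash, action);
    if (res != 0)
    {
        y2error("Activation failed: %1 (exit code %2)", action, res);
    }
}
);
```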
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/src/users.ycp new/yast2-security-2.17.3/src/users.ycp
--- old/yast2-security-2.17.2/src/users.ycp 2008-08-12 16:20:05.000000000 +0200
+++ new/yast2-security-2.17.3/src/users.ycp 2008-09-16 19:01:22.000000000 +0200
@@ -4,7 +4,7 @@
* Summary: Users dialogs definitions
* Authors: Michal Svec
*
- * $Id: users.ycp 49973 2008-08-12 10:03:39Z lslezak $
+ * $Id: users.ycp 51199 2008-09-16 17:01:23Z lslezak $
*/
{
@@ -72,6 +72,18 @@
}
/* next */
else if(ret == `next || contains(tree_dialogs, ret)) {
+ // the current item has been selected, do not change to the same dialog
+ if (ret == "users")
+ {
+ // preselect the item if it has been unselected
+ if (Wizard::QueryTreeItem() != "users")
+ {
+ Wizard::SelectTreeItem("users");
+ }
+
+ continue;
+ }
+
if(checkMinMax("UID_MIN","UID_MAX") != true) {
/* Popup text */
Popup::Error(_("The minimum user ID cannot be larger than the maximum."));
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/testsuite/tests/Write.out new/yast2-security-2.17.3/testsuite/tests/Write.out
--- old/yast2-security-2.17.2/testsuite/tests/Write.out 2008-09-15 15:57:56.000000000 +0200
+++ new/yast2-security-2.17.3/testsuite/tests/Write.out 2008-09-17 09:08:30.000000000 +0200
@@ -89,4 +89,11 @@
Execute .target.bash "/sbin/SuSEconfig --module kdm3" 0
Execute .target.bash "/sbin/SuSEconfig --module permissions" 0
Execute .target.bash "/sbin/SuSEconfig --module profiles" 0
+Execute .target.bash "/etc/init.d/dhcpd restart" 0
+Execute .target.bash "/etc/init.d/dhcpd restart" 0
+Execute .target.bash "/etc/init.d/boot.ipconfig start" 0
+Execute .target.bash "/etc/init.d/boot.ipconfig start" 0
+Execute .target.bash "/etc/init.d/boot.ipconfig start" 0
+Execute .target.bash "(test -e /etc/init.d/sendmail && /sbin/SuSEconfig --module sendmail && /etc/init.d/sendmail restart) || (test -e /etc/init.d/postfix && /sbin/SuSEconfig --module postfix && /etc/init.d/postfix restart)" 0
+Execute .target.bash "/etc/init.d/boot.clock start" 0
Return true
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/testsuite/tests/Write.ycp new/yast2-security-2.17.3/testsuite/tests/Write.ycp
--- old/yast2-security-2.17.2/testsuite/tests/Write.ycp 2008-09-15 16:15:47.000000000 +0200
+++ new/yast2-security-2.17.3/testsuite/tests/Write.ycp 2008-09-17 09:29:33.000000000 +0200
@@ -7,7 +7,7 @@
* Authors:
* Michal Svec
*
- * $Id: Write.ycp 51159 2008-09-15 14:15:47Z lslezak $
+ * $Id: Write.ycp 51200 2008-09-17 07:29:33Z lslezak $
*
* testedfiles: Security.ycp PamSettings.ycp Pam.ycp
*/
@@ -57,6 +57,8 @@
"SYSTOHC" : "r12",
"SYSLOG_ON_NO_ERROR" : "r15",
"SMTPD_LISTEN_REMOTE" : "r18",
+ "DHCPD_RUN_CHROOTED" : "r19",
+ "DHCPD_RUN_AS" : "r20",
];
map E = $[
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-security-2.17.2/VERSION new/yast2-security-2.17.3/VERSION
--- old/yast2-security-2.17.2/VERSION 2008-09-15 16:15:27.000000000 +0200
+++ new/yast2-security-2.17.3/VERSION 2008-09-17 09:23:08.000000000 +0200
@@ -1 +1 @@
-2.17.2
+2.17.3
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++