authorThierry Vignaud <tvignaud@mandriva.org>2003-02-04 07:33:45 +0000
committerThierry Vignaud <tvignaud@mandriva.org>2003-02-04 07:33:45 +0000
commit111ce9f21f987c315c4fee080605bb07febb0224 (patch)
treecfa42c430e6e4c130f8c8a7902a6d177f22b5afe
parent7acd01380008db037f4dc67616d09855d82e55b8 (diff)
- fix get_check_default() and get_function_default() description
- fix "check states were not saved if their value did not change (thus reverting it to default on disk)" - fix embedding (no transience when embedded) - fix "value gets chop()-ed until it disappears and is reset to default" - log which security level is set and not only the switch killing latest remanent parts of christian "yeah baby, i'm piggy" work: - functions and checks listing : o rename get_functions() as list_functions() and get_default_checks() as list_checks(); this is both more homogeneous and enables one to separate them from the get_(check|function)_(value|default) function group o regroup them o over simplify list_functions(): leave functions listing to msec (aka /usr/share/msec/level.<LEVEL>, assuming share/msec.py is always up to date, just don't care reparsing python code (this is plain stupid); if we cannot rely on msec, on who could we :-) ? o this allows to simplify msec gui so that we do not exclude stuff already excluded - remove config_check(), config_function(): replace them by: o set_check() and set_function() to store new values in data structure o apply_checks() and apply_functions() to save these new values, thus writing config files once and not twice the functions & checks count
-rw-r--r--perl-install/security/msec.pm115
-rwxr-xr-xperl-install/standalone/draksec44
2 files changed, 80 insertions, 79 deletions
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index d02e16610..7991b913f 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -12,9 +12,6 @@ my $check_file = "$::prefix/etc/security/msec/security.conf";
my $curr_sec_file = "$::prefix/var/lib/msec/security.conf";
my $options_file = "$::prefix/etc/security/msec/level.local";
-# ***********************************************
-# PRIVATE FUNCTIONS
-# ***********************************************
my $num_level;
@@ -50,7 +47,6 @@ sub load_defaults {
# get_XXX_default(function) -
# return the default of the function|check passed in argument.
-# If no default is set, return "default".
sub get_check_default {
my ($msec, $check) = @_;
@@ -77,9 +73,9 @@ sub load_values {
do { print "BACKTRACE:\n", backtrace(), "\n"; die 'wrong category' } unless $separator;
map {
my ($opt, $val) = split /$separator/;
- $val =~ s/[()]//g;
- chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\(';
chop $val;
+ $val =~ s/[()]//g;
+ chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\(';
$opt => $val;
} cat_($item_file);
}
@@ -103,15 +99,19 @@ sub get_check_value {
-# ***********************************************
-# FUNCTIONS (level.local) RELATED
-# ***********************************************
+#-------------------------------------------------------------
+# get list of functions
+
+# list_(functions|checks) -
+# return a list of functions|checks handled by level.local|security.conf
+
+sub list_checks {
+ my ($msec) = @_;
+ map { if_(!member($_, qw(MAIL_WARN MAIL_USER)), $_) } keys %{$msec->{checks}{default}};
+}
-# get_functions() -
-# return a list of functions handled by level.local (see
-# man mseclib for more info).
-sub get_functions {
- my (undef, $category) = @_;
+sub list_functions {
+ my ($msec, $category) = @_;
my @functions;
## TODO handle 3 last functions here so they can be removed from this list
@@ -129,55 +129,58 @@ sub get_functions {
enable_sulogin password_aging password_history password_length set_root_umask
set_shell_history_size set_shell_timeout set_user_umask)]);
- my $file = "$::prefix/usr/share/msec/mseclib.py";
- my $function;
-
- # read mseclib.py to get each function's name and if it's
- # not in the ignore list, add it to the returned list.
- foreach (cat_($file)) {
- if (/^def/) {
- (undef, $function) = split / /;
- ($function, undef) = split(/\(/, $function);
- if (!member($function, @ignore_list) && member($function, @{$options{$category}})) {
- push(@functions, $function)
- }
- }
- }
-
- @functions;
+ # get all function names; filter out those which are in the ignore
+ # list, return what lefts.
+ map { if_(!member($_, @ignore_list) && member($_, @{$options{$category}}), $_) } keys %{$msec->{functions}{default}};
}
-# config_function(function, value) -
-# Apply the configuration to 'prefix'/etc/security/msec/level.local
-sub config_function {
- my (undef, $function, $value) = @_;
- substInFile { s/^$function.*\n// } $options_file;
- append_to_file($options_file, "$function ($value)") if $value ne 'default';
-}
+#-------------------------------------------------------------
+# set back checks|functions values
-# ***********************************************
-# PERIODIC CHECKS (security.conf) RELATED
-# ***********************************************
+sub set_function {
+ my ($msec, $function, $value) = @_;
+ $msec->{functions}{value}{$function} = $value;
+}
-# get_default_checks() -
-# return a list of periodic checks handled by security.conf
-sub get_default_checks {
- my ($msec) = @_;
- keys %{$msec->{checks}{default}};
+sub set_check {
+ my ($msec, $check, $value) = @_;
+ $msec->{checks}{value}{$check} = $value;
}
+#-------------------------------------------------------------
+# apply configuration
+
+# config_(check|function)(check|function, value) -
+# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local
-# config_check(check, value)
-# Apply the configuration to "$::prefix"/etc/security/msec/security.conf
-sub config_check {
- my (undef, $check, $value) = @_;
- if ($value eq 'default') {
- substInFile { s/^$check.*\n// } $check_file;
- } else {
- setVarsInSh($check_file, { $check => $value });
- }
+sub apply_functions {
+ my ($msec) = @_;
+ my @list = ($msec->list_functions('system'), $msec->list_functions('network'));
+ substInFile {
+ foreach my $function (@list) { s/^$function.*\n// }
+ if (eof) {
+ print "\n", join("\n", map {
+ my $value = $msec->get_function_value($_);
+ if_($value ne 'default', "$_ ($value)");
+ } @list);
+ }
+ } $options_file;
+}
+
+sub apply_checks {
+ my ($msec) = @_;
+ my @list = $msec->list_checks;
+ substInFile {
+ foreach my $check (@list) { s/^$check.*\n// }
+ if (eof) {
+ print "\n", join("\n", map {
+ my $value = $msec->get_check_value($_);
+ if_($value ne 'default', $_ . '=' . $value);
+ } @list), "\n";
+ }
+ } $check_file;
}
sub new {
@@ -185,8 +188,8 @@ sub new {
my $thing = {};
$thing->{checks}{default} = { load_defaults('checks') };
$thing->{functions}{default} = { load_defaults('functions') };
- $thing->{functions}{value} = { load_values('functions') };
- $thing->{checks}{value} = { load_values('checks') };
+ $thing->{functions}{value} = { load_values('functions') };
+ $thing->{checks}{value} = { load_values('checks') };
bless $thing, $type;
}
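Review bot: In apply_checks (hunk @@ -129,55) the values stored for MAIL_WARN and MAIL_USER are never written out, because list_checks deliberately filters both names and apply_checks iterates only that list, while draksec now routes exactly those two settings through set_check; unless something outside this diff writes them, the security-administrator settings are silently dropped and the old lines in security.conf stay as they were. Adding them to the list written by apply_checks would fix it, e.g. `my @list = ($msec->list_checks, qw(MAIL_WARN MAIL_USER));`. apply_functions also prints its block without a trailing newline, unlike apply_checks, and since the delete pattern `s/^$function.*\n//` only matches lines that end in a newline, the last entry written to level.local will not be removed on the next apply and a duplicate will be appended; ending the print with `} @list), "\n";` as apply_checks does avoids that. Both delete patterns interpolate the name into the regex unescaped and without a boundary, so a name that is a prefix of another removes the longer entry too; `s/^\Q$check\E\b.*\n//` (and the same for $function) keeps the match to the intended line. The `if (eof)` block presumably runs only when substInFile sees at least one line, so an empty config file would get nothing written — worth confirming against substInFile.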
diff --git a/perl-install/standalone/draksec b/perl-install/standalone/draksec
index 234284513..57a2d8136 100755
--- a/perl-install/standalone/draksec
+++ b/perl-install/standalone/draksec
@@ -40,7 +40,7 @@ my $w;
# factorize this with rpmdrake and harddrake2
sub wait_msg {
- my $mainw = ugtk2->new('wait', ( modal => 1, transient => $w->{rwindow}));
+ my $mainw = ugtk2->new('wait', (modal => 1, if_(!$::isEmbedded, transient => $w->{rwindow})));
my $label = new Gtk2::Label($_[0]);
$mainw->{window}->add($label);
$mainw->{window}->show_all;
@@ -178,7 +178,7 @@ foreach ([ 'network', N("Network Options") ], [ 'system', N("System Options") ])
$entry->set_text($msec->get_function_value($i));
set_help_tip($entry, $default, $i);
[ new Gtk2::Label($i), $values{$i} ];
- } sort $msec->get_functions($domain))))),
+ } sort $msec->list_functions($domain))))),
new Gtk2::Label($label));
$options_values{$domain} = \%values;
}
@@ -190,16 +190,14 @@ $notebook->append_page(gtkshow(create_scrolled_window(gtkpack_(new Gtk2::VBox(0,
0, new Gtk2::Label($help_msg),
1, create_packtable($common_opts,
map {
- unless (member(qw(MAIL_WARN MAIL_USER), $_)) {
- my $i = $_;
- $security_checks_value{$i} = new_editable_combo();
- my $entry = $security_checks_value{$i}->entry;
- set_help_tip($entry, $msec->get_check_default($i), $i);
- $security_checks_value{$i}->set_popdown_strings(qw(yes no default));
- $entry->set_text($msec->get_check_value($i));
- [ gtkshow(new Gtk2::Label(translate($i))), $security_checks_value{$i} ];
- } else { undef }
- } sort $msec->get_default_checks)))),
+ my $i = $_;
+ $security_checks_value{$i} = new_editable_combo();
+ my $entry = $security_checks_value{$i}->entry;
+ set_help_tip($entry, $msec->get_check_default($i), $i);
+ $security_checks_value{$i}->set_popdown_strings(qw(yes no default));
+ $entry->set_text($msec->get_check_value($i));
+ [ gtkshow(new Gtk2::Label(translate($i))), $security_checks_value{$i} ];
+ } sort $msec->list_checks)))),
new Gtk2::Label(N("Periodic Checks")));
@@ -215,34 +213,34 @@ my $bok = gtksignal_connect(new Gtk2::Button(N("Ok")),
if ($seclevel_value ne security::level::get_string()) {
$w = wait_msg(N("Please wait, setting security level..."));
- log::explanations("Setting security level");
+ log::explanations("Setting security level to $seclevel_value");
security::level::set($seclevel_value);
remove_wait_msg($w);
}
$w = wait_msg(N("Please wait, setting security options..."));
log::explanations("Setting security administrator option");
- $msec->config_check('MAIL_WARN', $secadmin_check_value == 1 ? 'yes' : 'no');
+ $msec->set_check('MAIL_WARN', $secadmin_check_value == 1 ? 'yes' : 'no');
if ($secadmin_value ne $msec->get_check_value('MAIL_USER') && $secadmin_check_value) {
log::explanations("Setting security administrator contact");
- $msec->config_check('MAIL_USER', $secadmin_value);
+ $msec->set_check('MAIL_USER', $secadmin_value);
}
log::explanations("Setting security periodic checks");
foreach my $key (keys %security_checks_value) {
- if ($security_checks_value{$key}->entry->get_text() ne $msec->get_check_value($key)) {
- $msec->config_check($key, $security_checks_value{$key}->entry->get_text());
- }
+ $msec->set_check($key, $security_checks_value{$key}->entry->get_text());
}
+ $msec->apply_checks;
foreach my $domain (keys %options_values) {
log::explanations("Setting msec functions related to $domain");
- foreach my $key (keys %{$options_values{$domain}}) {
- my $opt = $options_values{$domain}{$key};
- $msec->config_function($key, $opt =~ /Combo/ ? $opt->entry->get_text() : $opt->get_text());
- }
- }
+ foreach my $key (keys %{$options_values{$domain}}) {
+ my $opt = $options_values{$domain}{$key};
+ $msec->set_function($key, $opt =~ /Combo/ ? $opt->entry->get_text() : $opt->get_text());
+ }
+ }
+ $msec->apply_functions;
log::explanations("Applying msec changes");
run_program::rooted($::prefix, "/usr/sbin/msec");