Diffstat (limited to 'perl-install')
-rw-r--r--perl-install/printer.pm62
-rw-r--r--perl-install/printerdrake.pm65
2 files changed, 126 insertions, 1 deletions
diff --git a/perl-install/printer.pm b/perl-install/printer.pm
index 09391ee77..eb0122dc0 100644
--- a/perl-install/printer.pm
+++ b/perl-install/printer.pm
@@ -188,6 +188,68 @@ sub network_status {
return 1;
}
+sub get_security_level {
+ # Get security level by reading /etc/profile (only after install).
+ # This is a preliminary solution until msec puts the security level
+ # definition into the correct file.
+ $file = "/etc/profile";
+ if (-f $file) {
+ local *F;
+ open F, "< $file" || return 0;
+ while (<F>) {
+ if ($_ =~ /^\s*SECURE_LEVEL=([0-5])\s*$/) {
+ close F;
+ return $1;
+ }
+ }
+ close F;
+ }
+ return 0;
+}
+
+
+sub spooler_in_security_level {
+ # Was the current spooler already added to the current security level?
+ my ($spooler, $level) = @_;
+ my $sp;
+ if (($spooler eq "lpr") || ($spooler eq "lprng")) {
+ $sp = "lpd";
+ } else {
+ $sp = $spooler;
+ }
+ $file = "$prefix/etc/security/msec/server.$level";
+ if (-f $file) {
+ local *F;
+ open F, "< $file" || return 0;
+ while (<F>) {
+ if ($_ =~ /^\s*$sp\s*$/) {
+ close F;
+ return 1;
+ }
+ }
+ close F;
+ }
+ return 0;
+}
+
+sub add_spooler_to_security_level {
+ my ($spooler, $level) = @_;
+ my $sp;
+ if (($spooler eq "lpr") || ($spooler eq "lprng")) {
+ $sp = "lpd";
+ } else {
+ $sp = $spooler;
+ }
+ $file = "$prefix/etc/security/msec/server.$level";
+ if (-f $file) {
+ local *F;
+ open F, ">> $file" || return 0;
+ print F "$sp\n";
+ close F;
+ }
+ return 1;
+}
+
sub files_exist {
my @files = @_;
for (@files) {
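Review bot: The three `open F, "< $file" || return 0;` calls in get_security_level, spooler_in_security_level and add_spooler_to_security_level never reach `return 0`, because `||` binds to the non-empty mode string rather than to `open`, so a failed open falls through to reading or printing on an unopened handle. In add_spooler_to_security_level the append to the msec `server.$level` list can therefore fail silently while the sub still returns 1, and it also returns 1 when the file does not exist. I would use the three-argument form with low-precedence `or`, e.g. `open(my $fh, '>>', $file) or return 0;`, check the result of `close` on the write handle, and return 0 when the file is missing. Unless `$file` is declared elsewhere in the module it is a package global here and should be `my $file`. In spooler_in_security_level, `$sp` is interpolated into `/^\s*$sp\s*$/` unquoted; `\Q$sp\E` would keep a spooler name from being read as a pattern.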
diff --git a/perl-install/printerdrake.pm b/perl-install/printerdrake.pm
index 602919ac7..d19790a87 100644
--- a/perl-install/printerdrake.pm
+++ b/perl-install/printerdrake.pm
@@ -1465,6 +1465,64 @@ can set up local printers usable from your local machine. How do
1;
}
+sub security_check {
+ # Check the security mode and when in "high" or "paranoid" mode ask the
+ # user whether he really wants to configure printing.
+ my ($printer, $in, $spooler) = @_;
+ $in->set_help('securityCheck') if $::isInstall;
+
+ # Get security level
+ my $security = undef;
+ if ($::isInstall) {
+ $security = $in->{'security'};
+ } else {
+ $security = printer::get_security_level();
+ }
+
+ # Exit silently if the spooler is PDQ
+ if ($spooler eq "pdq") {return 1;}
+
+ # Exit silently in medium or lower security levels
+ if ((!$security) || ($security < 4)) {return 1;}
+
+ # Exit silently if the current spooler is already activated for the current
+ # security level
+ if (printer::spooler_in_security_level($spooler, $security)) {return 1;}
+
+ # Tell user in which security mode he is and ask him whether he really
+ # wants to activate the spooler in the given security mode. Stop the
+ # operation of installing the spooler if he disagrees.
+ my $securitystr = ($security == 4 ? _("high") : _("paranoid"));
+ if ($in->ask_yesorno(_("Installing a printing system in the %s security level", $securitystr),
+ _("You are about to install the printing system %s on
+a system running in the %s security level.
+
+This printing system runs a daemon (background process)
+which waits for print jobs and handles them. This daemon
+is also accessable by remote machines through the network
+and so it is a possible point for attacks. Therefore only
+a few selected daemons are started by default in this
+security level.
+
+Do you reeally want to configure printing on this
+machine?",
+ $printer::shortspooler_inv{$spooler},
+ $securitystr))) {
+ print "##### secyes\n";
+ printer::add_spooler_to_security_level($spooler, $security);
+ my $service;
+ if (($spooler eq "lpr") || ($spooler eq "lprng")) {
+ $service = "lpd";
+ } else {
+ $service = $spooler;
+ }
+ printer::start_service_on_boot($service);
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
sub start_spooler_on_boot {
# Checks whether the spooler will be started at boot time and if not,
# ask the user whether he wants to start the spooler at boot time.
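Review bot: security_check discards the result of `printer::add_spooler_to_security_level($spooler, $security)` and calls `printer::start_service_on_boot($service)` regardless, so in the high or paranoid level the daemon can be enabled at boot even though its entry was never written to the msec server list. I would gate the boot change on the write, e.g. `printer::add_spooler_to_security_level($spooler, $security) or return 0;`, which also needs that sub to stop returning 1 when the file is missing or the open fails. The `print "##### secyes\n";` line looks like leftover debug output and should be removed. The dialog msgid contains two typos (`accessable`, `reeally`) that every translation will inherit.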
@@ -1481,7 +1539,7 @@ system is a potential point for attacks.
Do you want to have the automatic starting of the printing
system turned on again?",
- $printer::shortspooler_inv{$printer->{SPOOLER}})), 1) {
+ $printer::shortspooler_inv{$printer->{SPOOLER}}))) {
printer::start_service_on_boot($service);
}
}
@@ -1492,6 +1550,11 @@ sub install_spooler {
# installs the default spooler and start its daemon
my ($printer, $in) = @_;
if (!$::testing) {
+ # If the user refuses to install the spooler in high or paranoid
+ # security level, exit.
+ if (!security_check($printer, $in, $printer->{SPOOLER})) {
+ return 0;
+ }
if ($printer->{SPOOLER} eq "cups") {
{
my $w = $in->wait_message('', _("Checking installed software..."));
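Review bot: The `security_check` call runs before the software check and installation, yet on a "yes" answer it has already appended the spooler to the msec server list and enabled the service at boot. If a later step in install_spooler fails or is cancelled, those changes stay in place; making them only after a successful install, or undoing them on failure, would avoid leaving a network daemon allowed and boot-enabled for a spooler that was never set up. The new `return 0` only helps if callers test install_spooler's result, which is not visible here because the body continues past the hunk. A comment at the call site such as `# NOTE: security_check may modify msec's server list and boot services` would document the side effect.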