From 111ce9f21f987c315c4fee080605bb07febb0224 Mon Sep 17 00:00:00 2001 From: Thierry Vignaud Date: Tue, 4 Feb 2003 07:33:45 +0000 Subject: - fix get_check_default() and get_function_default() description - fix "check states were not saved if their value did not change (thus reverting it to default on disk)" - fix emebedding (no transcience when embedded) - fix "value get chop()-ed until it disapear and is reset to default" - log which security level is set and not only the switch killing latest remanent parts of christian "yeah baby, i'm piggy" work: - functions and checks listing : o rename get_functions() as list_functions() and get_default_checks() as list_checks(); this is both more homogenous and enable one to separate them from the get_(check|function)_(value|default) function group o regroup them o over simplify list_functions(): leave functions listing to msec (aka /usr/share/msec/level., assuming share/msec.py is always up to date, just don't care reparsing python code (this is plain stupid); if we cannot rely on msec, on who could we :-) ? o this allow to simplify msec gui so that we do not exclude stuff already excluded - remove config_check(), config_funtion(): replace them by: o set_check() and set_function() to store new values in data structure o apply_checks() and apply_functions() to save these new values, thus writing config files once and not twice the functions & checks count --- perl-install/security/msec.pm | 115 +++++++++++++++++++++------------------- perl-install/standalone/draksec | 44 ++++++++------- 2 files changed, 80 insertions(+), 79 deletions(-) (limited to 'perl-install') diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm index d02e16610..7991b913f 100644 --- a/perl-install/security/msec.pm +++ b/perl-install/security/msec.pm @@ -12,9 +12,6 @@ my $check_file = "$::prefix/etc/security/msec/security.conf"; my $curr_sec_file = "$::prefix/var/lib/msec/security.conf"; my $options_file = "$::prefix/etc/security/msec/level.local"; -# *********************************************** -# PRIVATE FUNCTIONS -# *********************************************** my $num_level; @@ -50,7 +47,6 @@ sub load_defaults { # get_XXX_default(function) - # return the default of the function|check passed in argument. -# If no default is set, return "default". sub get_check_default { my ($msec, $check) = @_; @@ -77,9 +73,9 @@ sub load_values { do { print "BACKTRACE:\n", backtrace(), "\n"; die 'wrong category' } unless $separator; map { my ($opt, $val) = split /$separator/; - $val =~ s/[()]//g; - chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\('; chop $val; + $val =~ s/[()]//g; + chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\('; $opt => $val; } cat_($item_file); } @@ -103,15 +99,19 @@ sub get_check_value { -# *********************************************** -# FUNCTIONS (level.local) RELATED -# *********************************************** +#------------------------------------------------------------- +# get list of functions + +# list_(functions|checks) - +# return a list of functions|checks handled by level.local|security.conf + +sub list_checks { + my ($msec) = @_; + map { if_(!member($_, qw(MAIL_WARN MAIL_USER)), $_) } keys %{$msec->{checks}{default}}; +} -# get_functions() - -# return a list of functions handled by level.local (see -# man mseclib for more info). -sub get_functions { - my (undef, $category) = @_; +sub list_functions { + my ($msec, $category) = @_; my @functions; ## TODO handle 3 last functions here so they can be removed from this list @@ -129,55 +129,58 @@ sub get_functions { enable_sulogin password_aging password_history password_length set_root_umask set_shell_history_size set_shell_timeout set_user_umask)]); - my $file = "$::prefix/usr/share/msec/mseclib.py"; - my $function; - - # read mseclib.py to get each function's name and if it's - # not in the ignore list, add it to the returned list. - foreach (cat_($file)) { - if (/^def/) { - (undef, $function) = split / /; - ($function, undef) = split(/\(/, $function); - if (!member($function, @ignore_list) && member($function, @{$options{$category}})) { - push(@functions, $function) - } - } - } - - @functions; + # get all function names; filter out those which are in the ignore + # list, return what lefts. + map { if_(!member($_, @ignore_list) && member($_, @{$options{$category}}), $_) } keys %{$msec->{functions}{default}}; } -# config_function(function, value) - -# Apply the configuration to 'prefix'/etc/security/msec/level.local -sub config_function { - my (undef, $function, $value) = @_; - substInFile { s/^$function.*\n// } $options_file; - append_to_file($options_file, "$function ($value)") if $value ne 'default'; -} +#------------------------------------------------------------- +# set back checks|functions values -# *********************************************** -# PERIODIC CHECKS (security.conf) RELATED -# *********************************************** +sub set_function { + my ($msec, $function, $value) = @_; + $msec->{functions}{value}{$function} = $value; +} -# get_default_checks() - -# return a list of periodic checks handled by security.conf -sub get_default_checks { - my ($msec) = @_; - keys %{$msec->{checks}{default}}; +sub set_check { + my ($msec, $check, $value) = @_; + $msec->{checks}{value}{$check} = $value; } +#------------------------------------------------------------- +# apply configuration + +# config_(check|function)(check|function, value) - +# Apply the configuration to 'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local -# config_check(check, value) -# Apply the configuration to "$::prefix"/etc/security/msec/security.conf -sub config_check { - my (undef, $check, $value) = @_; - if ($value eq 'default') { - substInFile { s/^$check.*\n// } $check_file; - } else { - setVarsInSh($check_file, { $check => $value }); - } +sub apply_functions { + my ($msec) = @_; + my @list = ($msec->list_functions('system'), $msec->list_functions('network')); + substInFile { + foreach my $function (@list) { s/^$function.*\n// } + if (eof) { + print "\n", join("\n", map { + my $value = $msec->get_function_value($_); + if_($value ne 'default', "$_ ($value)"); + } @list); + } + } $options_file; +} + +sub apply_checks { + my ($msec) = @_; + my @list = $msec->list_checks; + substInFile { + foreach my $check (@list) { s/^$check.*\n// } + if (eof) { + print "\n", join("\n", map { + my $value = $msec->get_check_value($_); + if_($value ne 'default', $_ . '=' . $value); + } @list), "\n"; + } + } $check_file; } sub new { @@ -185,8 +188,8 @@ sub new { my $thing = {}; $thing->{checks}{default} = { load_defaults('checks') }; $thing->{functions}{default} = { load_defaults('functions') }; - $thing->{functions}{value} = { load_values('functions') }; - $thing->{checks}{value} = { load_values('checks') }; + $thing->{functions}{value} = { load_values('functions') }; + $thing->{checks}{value} = { load_values('checks') }; bless $thing, $type; } diff --git a/perl-install/standalone/draksec b/perl-install/standalone/draksec index 234284513..57a2d8136 100755 --- a/perl-install/standalone/draksec +++ b/perl-install/standalone/draksec @@ -40,7 +40,7 @@ my $w; # factorize this with rpmdrake and harddrake2 sub wait_msg { - my $mainw = ugtk2->new('wait', ( modal => 1, transient => $w->{rwindow})); + my $mainw = ugtk2->new('wait', (modal => 1, if_(!$::isEmbedded, transient => $w->{rwindow}))); my $label = new Gtk2::Label($_[0]); $mainw->{window}->add($label); $mainw->{window}->show_all; @@ -178,7 +178,7 @@ foreach ([ 'network', N("Network Options") ], [ 'system', N("System Options") ]) $entry->set_text($msec->get_function_value($i)); set_help_tip($entry, $default, $i); [ new Gtk2::Label($i), $values{$i} ]; - } sort $msec->get_functions($domain))))), + } sort $msec->list_functions($domain))))), new Gtk2::Label($label)); $options_values{$domain} = \%values; } @@ -190,16 +190,14 @@ $notebook->append_page(gtkshow(create_scrolled_window(gtkpack_(new Gtk2::VBox(0, 0, new Gtk2::Label($help_msg), 1, create_packtable($common_opts, map { - unless (member(qw(MAIL_WARN MAIL_USER), $_)) { - my $i = $_; - $security_checks_value{$i} = new_editable_combo(); - my $entry = $security_checks_value{$i}->entry; - set_help_tip($entry, $msec->get_check_default($i), $i); - $security_checks_value{$i}->set_popdown_strings(qw(yes no default)); - $entry->set_text($msec->get_check_value($i)); - [ gtkshow(new Gtk2::Label(translate($i))), $security_checks_value{$i} ]; - } else { undef } - } sort $msec->get_default_checks)))), + my $i = $_; + $security_checks_value{$i} = new_editable_combo(); + my $entry = $security_checks_value{$i}->entry; + set_help_tip($entry, $msec->get_check_default($i), $i); + $security_checks_value{$i}->set_popdown_strings(qw(yes no default)); + $entry->set_text($msec->get_check_value($i)); + [ gtkshow(new Gtk2::Label(translate($i))), $security_checks_value{$i} ]; + } sort $msec->list_checks)))), new Gtk2::Label(N("Periodic Checks"))); @@ -215,34 +213,34 @@ my $bok = gtksignal_connect(new Gtk2::Button(N("Ok")), if ($seclevel_value ne security::level::get_string()) { $w = wait_msg(N("Please wait, setting security level...")); - log::explanations("Setting security level"); + log::explanations("Setting security level to $seclevel_value"); security::level::set($seclevel_value); remove_wait_msg($w); } $w = wait_msg(N("Please wait, setting security options...")); log::explanations("Setting security administrator option"); - $msec->config_check('MAIL_WARN', $secadmin_check_value == 1 ? 'yes' : 'no'); + $msec->set_check('MAIL_WARN', $secadmin_check_value == 1 ? 'yes' : 'no'); if ($secadmin_value ne $msec->get_check_value('MAIL_USER') && $secadmin_check_value) { log::explanations("Setting security administrator contact"); - $msec->config_check('MAIL_USER', $secadmin_value); + $msec->set_check('MAIL_USER', $secadmin_value); } log::explanations("Setting security periodic checks"); foreach my $key (keys %security_checks_value) { - if ($security_checks_value{$key}->entry->get_text() ne $msec->get_check_value($key)) { - $msec->config_check($key, $security_checks_value{$key}->entry->get_text()); - } + $msec->set_check($key, $security_checks_value{$key}->entry->get_text()); } + $msec->apply_checks; foreach my $domain (keys %options_values) { log::explanations("Setting msec functions related to $domain"); - foreach my $key (keys %{$options_values{$domain}}) { - my $opt = $options_values{$domain}{$key}; - $msec->config_function($key, $opt =~ /Combo/ ? $opt->entry->get_text() : $opt->get_text()); - } - } + foreach my $key (keys %{$options_values{$domain}}) { + my $opt = $options_values{$domain}{$key}; + $msec->set_function($key, $opt =~ /Combo/ ? $opt->entry->get_text() : $opt->get_text()); + } + } + $msec->apply_functions; log::explanations("Applying msec changes"); run_program::rooted($::prefix, "/usr/sbin/msec"); -- cgit v1.2.1