From 111ce9f21f987c315c4fee080605bb07febb0224 Mon Sep 17 00:00:00 2001
From: Thierry Vignaud
Date: Tue, 4 Feb 2003 07:33:45 +0000
Subject: - fix get_check_default() and get_function_default() description
- fix "check states were not saved if their value did not change (thus reverting it to default on disk)"
- fix emebedding (no transcience when embedded)
- fix "value get chop()-ed until it disapear and is reset to default"
- log which security level is set and not only the switch
killing latest remanent parts of christian "yeah baby, i'm piggy" work:
- functions and checks listing :
o rename get_functions() as list_functions() and get_default_checks() as list_checks(); this is both more homogenous and enable one to separate them from the get_(check|function)_(value|default) function group
o regroup them
o over simplify list_functions(): leave functions listing to msec (aka /usr/share/msec/level., assuming share/msec.py is always up to date, just don't care reparsing python code (this is plain stupid); if we cannot rely on msec, on who could we :-) ?
o this allow to simplify msec gui so that we do not exclude stuff already excluded
- remove config_check(), config_funtion(): replace them by:
o set_check() and set_function() to store new values in data structure
o apply_checks() and apply_functions() to save these new values, thus writing config files once and not twice the functions & checks count
---
 perl-install/security/msec.pm | 115 ++++++++++++++++++++++--------------------
 1 file changed, 59 insertions(+), 56 deletions(-)
(limited to 'perl-install/security/msec.pm')
diff --git a/perl-install/security/msec.pm b/perl-install/security/msec.pm
index d02e16610..7991b913f 100644
--- a/perl-install/security/msec.pm
+++ b/perl-install/security/msec.pm
@@ -12,9 +12,6 @@
 my $check_file = "$::prefix/etc/security/msec/security.conf";
 my $curr_sec_file = "$::prefix/var/lib/msec/security.conf";
 my $options_file = "$::prefix/etc/security/msec/level.local";
-# ***********************************************
-# PRIVATE FUNCTIONS
-# ***********************************************
 my $num_level;
@@ -50,7 +47,6 @@ sub load_defaults {
 # get_XXX_default(function) -
 # return the default of the function|check passed in argument.
-# If no default is set, return "default".
 sub get_check_default {
 my ($msec, $check) = @_;
@@ -77,9 +73,9 @@ sub load_values {
 do { print "BACKTRACE:\n", backtrace(), "\n"; die 'wrong category' } unless $separator;
 map {
 my ($opt, $val) = split /$separator/;
- $val =~ s/[()]//g;
- chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\(';
 chop $val;
+ $val =~ s/[()]//g;
+ chop $opt if $separator eq '\('; # $opt =~ s/ //g if $separator eq '\(';
 $opt => $val;
 } cat_($item_file);
 }
@@ -103,15 +99,19 @@ sub get_check_value {
-# ***********************************************
-# FUNCTIONS (level.local) RELATED
-# ***********************************************
+#-------------------------------------------------------------
+# get list of functions
+
+# list_(functions|checks) -
+# return a list of functions|checks handled by level.local|security.conf
+
+sub list_checks {
+ my ($msec) = @_;
+ map { if_(!member($_, qw(MAIL_WARN MAIL_USER)), $_) } keys %{$msec->{checks}{default}};
+}
-# get_functions() -
-# return a list of functions handled by level.local (see
-# man mseclib for more info).
-sub get_functions {
- my (undef, $category) = @_;
+sub list_functions {
+ my ($msec, $category) = @_;
 my @functions;
 ## TODO handle 3 last functions here so they can be removed from this list
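Review bot: `chop $val;` in load_values, now run before the parenthesis stripping, removes whatever the last character is, so a value on a line that is not newline-terminated (the final line of a file written without a trailing "\n") loses a real character; `chomp $val;` removes only a newline and cannot truncate the value. `chop $opt` apparently exists to drop the space before `(` in level.local's `name (value)` form and can stay as it is. On a line that has no separator at all `$val` is undef and both `chop` and the `s///` warn under `use warnings` while an `$opt => undef` pair still lands in the hash; emitting `if_(defined $val, $opt => $val)` instead of the bare pair would skip such lines. load_values starts above this hunk.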
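Review bot: `my @functions;` remains as a context line in list_functions, but its only uses (the `push` and the final `@functions;`) are removed in the next hunk, so it is now a dead declaration and should be dropped. list_functions also takes its universe from `$msec->{functions}{default}` instead of parsing mseclib.py; a function that is set in level.local but absent from the loaded defaults is therefore never listed and, presumably, never rewritten or removed by apply_functions, so a stale override would persist silently. A comment on list_functions stating that the defaults file is the authoritative list of functions would make that dependency explicit. The body of list_functions continues past the end of this hunk.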
@@ -129,55 +129,58 @@ sub get_functions {
 enable_sulogin password_aging password_history password_length set_root_umask set_shell_history_size set_shell_timeout set_user_umask)]);
- my $file = "$::prefix/usr/share/msec/mseclib.py";
- my $function;
-
- # read mseclib.py to get each function's name and if it's
- # not in the ignore list, add it to the returned list.
- foreach (cat_($file)) {
- if (/^def/) {
- (undef, $function) = split / /;
- ($function, undef) = split(/\(/, $function);
- if (!member($function, @ignore_list) && member($function, @{$options{$category}})) {
- push(@functions, $function)
- }
- }
- }
-
- @functions;
+ # get all function names; filter out those which are in the ignore
+ # list, return what lefts.
+ map { if_(!member($_, @ignore_list) && member($_, @{$options{$category}}), $_) } keys %{$msec->{functions}{default}};
 }
-# config_function(function, value) -
-# Apply the configuration to 'prefix'/etc/security/msec/level.local
-sub config_function {
- my (undef, $function, $value) = @_;
- substInFile { s/^$function.*\n// } $options_file;
- append_to_file($options_file, "$function ($value)") if $value ne 'default';
-}
+#-------------------------------------------------------------
+# set back checks|functions values
-# ***********************************************
-# PERIODIC CHECKS (security.conf) RELATED
-# ***********************************************
+sub set_function {
+ my ($msec, $function, $value) = @_;
+ $msec->{functions}{value}{$function} = $value;
+}
-# get_default_checks() -
-# return a list of periodic checks handled by security.conf
-sub get_default_checks {
- my ($msec) = @_;
- keys %{$msec->{checks}{default}};
+sub set_check {
+ my ($msec, $check, $value) = @_;
+ $msec->{checks}{value}{$check} = $value;
 }
+#-------------------------------------------------------------
+# apply configuration
+
+# config_(check|function)(check|function, value) -
+# Apply the configuration to 
'prefix'/etc/security/msec/security.conf||/etc/security/msec/level.local
-# config_check(check, value)
-# Apply the configuration to "$::prefix"/etc/security/msec/security.conf
-sub config_check {
- my (undef, $check, $value) = @_;
- if ($value eq 'default') {
- substInFile { s/^$check.*\n// } $check_file;
- } else {
- setVarsInSh($check_file, { $check => $value });
- }
+sub apply_functions {
+ my ($msec) = @_;
+ my @list = ($msec->list_functions('system'), $msec->list_functions('network'));
+ substInFile {
+ foreach my $function (@list) { s/^$function.*\n// }
+ if (eof) {
+ print "\n", join("\n", map {
+ my $value = $msec->get_function_value($_);
+ if_($value ne 'default', "$_ ($value)");
+ } @list);
+ }
+ } $options_file;
+}
+
+sub apply_checks {
+ my ($msec) = @_;
+ my @list = $msec->list_checks;
+ substInFile {
+ foreach my $check (@list) { s/^$check.*\n// }
+ if (eof) {
+ print "\n", join("\n", map {
+ my $value = $msec->get_check_value($_);
+ if_($value ne 'default', $_ . '=' . $value);
+ } @list), "\n";
+ }
+ } $check_file;
 }
 sub new {
@@ -185,8 +188,8 @@ sub new {
 my $thing = {};
 $thing->{checks}{default} = { load_defaults('checks') };
 $thing->{functions}{default} = { load_defaults('functions') };
- $thing->{functions}{value} = { load_values('functions') };
- $thing->{checks}{value} = { load_values('checks') };
+ $thing->{functions}{value} = { load_values('functions') };
+ $thing->{checks}{value} = { load_values('checks') };
 bless $thing, $type;
 }
-- 
cgit v1.2.1
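Review bot: The deletion patterns `s/^$function.*\n//` in apply_functions and `s/^$check.*\n//` in apply_checks interpolate the name unquoted and with no right-hand boundary, so a name that is a prefix of another listed name also wipes the longer entry's line from the policy file, and any regex metacharacter in a name would alter the pattern; `s/^\Q$function\E\b.*\n//` and `s/^\Q$check\E\b.*\n//` fix both. The two `print` calls are also inconsistent: apply_checks terminates the appended block with "\n" but apply_functions does not, so level.local is left without a final newline, which is precisely the input on which the `chop` in load_values eats a character of the last value. Both subs further print an unconditional leading "\n" at eof while the substitution removes only lines starting with a listed name, so each run tends to add one more blank line to the file. I would terminate the current last line with a newline only when it lacks one and then append each entry with its own trailing "\n", in both subs. The hunk opens inside list_functions, whose start lies above it.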