-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Partial cleanup and more tests for Security module
- Loading branch information
Showing
16 changed files
with
1,110 additions
and
179 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
# Helpers for stubbing several agent operations. | ||
# | ||
# Must be included in the configure section of RSpec. | ||
# | ||
# @example usage | ||
# RSpec.configure do |c| | ||
# c.include SCRStub | ||
# end | ||
# | ||
# describe "Keyboard" do | ||
# it "uses loadkeys" do | ||
# expect_to_execute(/loadkeys/) | ||
# Keyboard.Set | ||
# end | ||
# end | ||
# | ||
module SCRStub | ||
# Ensures that non-stubbed SCR calls still works as expected after including | ||
# the module in the testsuite | ||
# different methods of the module | ||
def self.included(testsuite) | ||
testsuite.before(:each) do | ||
allow(Yast::SCR).to receive(:Read).and_call_original | ||
allow(Yast::SCR).to receive(:Write).and_call_original | ||
allow(Yast::SCR).to receive(:Execute).and_call_original | ||
end | ||
end | ||
|
||
# Shortcut for generating Yast::Path objects | ||
# | ||
# @param route [String] textual representation of the path | ||
# @return [Yast::Path] the corresponding Path object | ||
def path(route) | ||
Yast::Path.new(route) | ||
end | ||
|
||
# Encapsulates subsequent SCR calls into a chroot. | ||
# | ||
# Raises an exception if something goes wrong. | ||
# | ||
# @param [#to_s] directory to use as '/' for SCR calls | ||
def set_root_path(directory) | ||
check_version = false | ||
@scr_handle = Yast::WFM.SCROpen("chroot=#{directory}:scr", check_version) | ||
raise "Error creating the chrooted scr instance" if @scr_handle < 0 | ||
Yast::WFM.SCRSetDefault(@scr_handle) | ||
end | ||
|
||
# Resets the SCR calls to default behaviour, closing the SCR instance open by | ||
# #set_root_path. | ||
# | ||
# Raises an exception if #set_root_path has not been called before (or if the | ||
# corresponding instance has already been closed) | ||
# | ||
# @see #set_root_path | ||
def reset_root_path | ||
default_handle = Yast::WFM.SCRGetDefault | ||
if default_handle != @scr_handle | ||
raise "Error closing the chrooted scr instance, it's not the current default one" | ||
end | ||
@scr_handle = nil | ||
Yast::WFM.SCRClose(default_handle) | ||
end | ||
|
||
# Matcher for executing commands using SCR.Execute and .target.bash | ||
# | ||
# @return [RSpec::Mocks::Matchers::Receive] | ||
def exec_bash(command) | ||
receive(:Execute).with(path(".target.bash"), command) | ||
end | ||
|
||
# Stub all calls to SCR.Write storing the value for future comparison | ||
def stub_scr_write | ||
@written_values = {} | ||
allow(Yast::SCR).to receive(:Write) do |*args| | ||
key = args[0].to_s.gsub(/[\"']/, "") | ||
@written_values[key] = args[1] | ||
end | ||
end | ||
|
||
# Value written by a stubbed call to SCR.Write | ||
# | ||
# @param key used in the call to SCR.Write | ||
def written_value_for(key) | ||
@written_values[key] | ||
end | ||
|
||
# Checks if SCR.Write was called for a given path | ||
# | ||
# @param path used in the call to SCR.Write | ||
def was_written?(path) | ||
@written_values.has_key?(path) | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,287 @@ | ||
# | ||
# /etc/login.defs - Configuration control definitions for the shadow package. | ||
# | ||
|
||
# | ||
# Delay in seconds before being allowed another attempt after a login failure | ||
# Note: When PAM is used, some modules may enfore a minimal delay (e.g. | ||
# pam_unix enforces a 2s delay) | ||
# | ||
FAIL_DELAY 3 | ||
|
||
# | ||
# Enable display of unknown usernames when login failures are recorded. | ||
# | ||
LOG_UNKFAIL_ENAB no | ||
|
||
# | ||
# Enable logging of successful logins | ||
# | ||
LOG_OK_LOGINS no | ||
|
||
# | ||
# Enable "syslog" logging of su activity - in addition to sulog file logging. | ||
# SYSLOG_SG_ENAB does the same for newgrp and sg. | ||
# | ||
SYSLOG_SU_ENAB yes | ||
SYSLOG_SG_ENAB yes | ||
|
||
# | ||
# If defined, either full pathname of a file containing device names or | ||
# a ":" delimited list of device names. Root logins will be allowed only | ||
# upon these devices. | ||
# | ||
CONSOLE /etc/securetty | ||
#CONSOLE console:tty01:tty02:tty03:tty04 | ||
|
||
# | ||
# If defined, all su activity is logged to this file. | ||
# | ||
#SULOG_FILE /var/log/sulog | ||
|
||
# | ||
# If defined, ":" delimited list of "message of the day" files to | ||
# be displayed upon login. | ||
# | ||
MOTD_FILE /etc/motd | ||
#MOTD_FILE /etc/motd:/usr/lib/news/news-motd | ||
|
||
# | ||
# If defined, file which maps tty line to TERM environment parameter. | ||
# Each line of the file is in a format something like "vt100 tty01". | ||
# | ||
#TTYTYPE_FILE /etc/ttytype | ||
|
||
# | ||
# If defined, file which inhibits all the usual chatter during the login | ||
# sequence. If a full pathname, then hushed mode will be enabled if the | ||
# user's name or shell are found in the file. If not a full pathname, then | ||
# hushed mode will be enabled if the file exists in the user's home directory. | ||
# | ||
#HUSHLOGIN_FILE .hushlogin | ||
HUSHLOGIN_FILE /etc/hushlogins | ||
|
||
# | ||
# *REQUIRED* The default PATH settings, for superuser and normal users. | ||
# | ||
# (they are minimal, add the rest in the shell startup files) | ||
ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin | ||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin | ||
|
||
# | ||
# The default PATH settings for root (used by login): | ||
# | ||
ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin | ||
|
||
# | ||
# Terminal permissions | ||
# | ||
# TTYGROUP Login tty will be assigned this group ownership. | ||
# TTYPERM Login tty will be set to this permission. | ||
# | ||
# If you have a "write" program which is "setgid" to a special group | ||
# which owns the terminals, define TTYGROUP to the group number and | ||
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign | ||
# TTYPERM to either 622 or 600. | ||
# | ||
TTYGROUP tty | ||
TTYPERM 0620 | ||
|
||
# | ||
# Login configuration initializations: | ||
# | ||
# ERASECHAR Terminal ERASE character ('\010' = backspace). | ||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U). | ||
# | ||
# The ERASECHAR and KILLCHAR are used only on System V machines. | ||
# | ||
# Prefix these values with "0" to get octal, "0x" to get hexadecimal. | ||
# | ||
ERASECHAR 0177 | ||
KILLCHAR 025 | ||
|
||
# Default initial "umask" value used by login on non-PAM enabled systems. | ||
# Default "umask" value for pam_umask on PAM enabled systems. | ||
# UMASK is also used by useradd and newusers to set the mode of new home | ||
# directories. | ||
# 022 is the default value, but 027, or even 077, could be considered | ||
# better for privacy. There is no One True Answer here: each sysadmin | ||
# must make up her mind. | ||
UMASK 022 | ||
|
||
# | ||
# Password aging controls: | ||
# | ||
# PASS_MAX_DAYS Maximum number of days a password may be used. | ||
# PASS_MIN_DAYS Minimum number of days allowed between password changes. | ||
# PASS_WARN_AGE Number of days warning given before a password expires. | ||
# | ||
PASS_MAX_DAYS 99999 | ||
PASS_MIN_DAYS 0 | ||
PASS_WARN_AGE 7 | ||
|
||
# | ||
# Min/max values for automatic uid selection in useradd | ||
# | ||
# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for | ||
# UIDs for dynamically allocated administrative and system accounts. | ||
# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically | ||
# allocated user accounts. | ||
# | ||
UID_MIN 1000 | ||
UID_MAX 60000 | ||
# System accounts | ||
SYS_UID_MIN 100 | ||
SYS_UID_MAX 499 | ||
|
||
# | ||
# Min/max values for automatic gid selection in groupadd | ||
# | ||
# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for | ||
# GIDs for dynamically allocated administrative and system groups. | ||
# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically | ||
# allocated groups. | ||
# | ||
GID_MIN 1000 | ||
GID_MAX 60000 | ||
# System accounts | ||
SYS_GID_MIN 100 | ||
SYS_GID_MAX 499 | ||
|
||
# | ||
# Max number of login retries if password is bad | ||
# | ||
LOGIN_RETRIES 3 | ||
|
||
# | ||
# Max time in seconds for login | ||
# | ||
LOGIN_TIMEOUT 60 | ||
|
||
# | ||
# Which fields may be changed by regular users using chfn - use | ||
# any combination of letters "frwh" (full name, room number, work | ||
# phone, home phone). If not defined, no changes are allowed. | ||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh". | ||
# | ||
CHFN_RESTRICT rwh | ||
|
||
# | ||
# If set to MD5 , MD5-based algorithm will be used for encrypting password | ||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password | ||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password | ||
# If set to DES, DES-based algorithm will be used for encrypting password (default) | ||
# Overrides the MD5_CRYPT_ENAB option | ||
# | ||
# Note: If you use PAM, it is recommended to use a value consistent with | ||
# the PAM modules configuration. | ||
# | ||
ENCRYPT_METHOD SHA512 | ||
ENCRYPT_METHOD_NIS DES | ||
|
||
# | ||
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. | ||
# | ||
# Define the number of SHA rounds. | ||
# With a lot of rounds, it is more difficult to brute forcing the password. | ||
# But note also that it more CPU resources will be needed to authenticate | ||
# users. | ||
# | ||
# If not specified, the libc will choose the default number of rounds (5000). | ||
# The values must be inside the 1000-999999999 range. | ||
# If only one of the MIN or MAX values is set, then this value will be used. | ||
# If MIN > MAX, the highest value will be used. | ||
# | ||
# SHA_CRYPT_MIN_ROUNDS 5000 | ||
# SHA_CRYPT_MAX_ROUNDS 5000 | ||
|
||
# | ||
# List of groups to add to the user's supplementary group set | ||
# when logging in on the console (as determined by the CONSOLE | ||
# setting). Default is none. | ||
# | ||
# Use with caution - it is possible for users to gain permanent | ||
# access to these groups, even when not logged in on the console. | ||
# How to do it is left as an exercise for the reader... | ||
# | ||
#CONSOLE_GROUPS floppy:audio:cdrom | ||
|
||
# | ||
# Should login be allowed if we can't cd to the home directory? | ||
# Default in no. | ||
# | ||
DEFAULT_HOME yes | ||
|
||
# | ||
# If defined, this command is run when removing a user. | ||
# It should remove any at/cron/print jobs etc. owned by | ||
# the user to be removed (passed as the first argument). | ||
# | ||
# See USERDEL_PRECMD/POSTCMD below. | ||
# | ||
#USERDEL_CMD /usr/sbin/userdel_local | ||
|
||
# | ||
# Enable setting of the umask group bits to be the same as owner bits | ||
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is | ||
# the same as gid, and username is the same as the primary group name. | ||
# | ||
# This also enables userdel to remove user groups if no members exist. | ||
# | ||
USERGROUPS_ENAB no | ||
|
||
# | ||
# If set to a non-nul number, the shadow utilities will make sure that | ||
# groups never have more than this number of users on one line. | ||
# This permit to support split groups (groups split into multiple lines, | ||
# with the same group ID, to avoid limitation of the line length in the | ||
# group file). | ||
# | ||
# 0 is the default value and disables this feature. | ||
# | ||
#MAX_MEMBERS_PER_GROUP 0 | ||
|
||
# | ||
# If useradd should create home directories for users by default (non | ||
# system users only) | ||
# This option is overridden with the -M or -m flags on the useradd command | ||
# line. | ||
# | ||
CREATE_HOME no | ||
|
||
# | ||
# User/group names must match the following regex expression. | ||
# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?, | ||
# but be aware that the result could depend on the locale settings. | ||
# | ||
#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\? | ||
CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\? | ||
|
||
# | ||
# If defined, this command is run when adding a group. | ||
# It should rebuild any NIS database etc. to add the | ||
# new created group. | ||
# | ||
GROUPADD_CMD /usr/sbin/groupadd.local | ||
|
||
# | ||
# If defined, this command is run when adding a user. | ||
# It should rebuild any NIS database etc. to add the | ||
# new created account. | ||
# | ||
USERADD_CMD /usr/sbin/useradd.local | ||
|
||
# | ||
# If defined, this command is run before removing a user. | ||
# It should remove any at/cron/print jobs etc. owned by | ||
# the user to be removed. | ||
# | ||
USERDEL_PRECMD /usr/sbin/userdel-pre.local | ||
|
||
# | ||
# If defined, this command is run after removing a user. | ||
# It should rebuild any NIS database etc. to remove the | ||
# account from it. | ||
# | ||
USERDEL_POSTCMD /usr/sbin/userdel-post.local | ||
|
Oops, something went wrong.