Removed cryptconfig support
jsrain committed Nov 8, 2017
1 parent 83908e8 commit 2da234f
Showing 18 changed files with 13 additions and 957 deletions.
6 changes: 6 additions & 0 deletions package/yast2-users.changes
@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Nov 8 12:16:47 UTC 2017 - jsrain@suse.cz

- Remove the support for encrypting home directory (fate#323541)
- 4.0.0

-------------------------------------------------------------------
Tue Sep 5 14:47:25 UTC 2017 - igonzalezsosa@suse.com

2 changes: 1 addition & 1 deletion package/yast2-users.spec
Expand Up @@ -17,7 +17,7 @@


Name: yast2-users
Version: 3.2.12
Version: 4.0.0
Release: 0

BuildRoot: %{_tmppath}/%{name}-%{version}-build
139 changes: 1 addition & 138 deletions src/include/users/dialogs.rb
Expand Up @@ -202,11 +202,6 @@ def EditUserDialog(what)
)
mode = Ops.get_string(user, "home_mode", default_mode)
default_crypted_size = 100
crypted_home_size = GetInt(Ops.get(user, "crypted_home_size"), 0)
org_crypted_home_size = GetInt(
Ops.get(user, ["org_user", "crypted_home_size"]),
0
)
password = Ops.get_string(user, "userPassword")
org_username = Ops.get_string(user, "org_uid", username)
uid = GetInt(Ops.get(user, "uidNumber"), nil)
Expand Down Expand Up @@ -252,9 +247,6 @@ def EditUserDialog(what)
chown_home = Ops.get_boolean(user, "chown_home", true)
no_skel = Ops.get_boolean(user, "no_skeleton", false)
do_not_edit = user_type == "nis"
crypted_home_enabled = UsersRoutines.CryptedHomesEnabled &&
(user_type == "ldap" && Ldap.file_server ||
user_type == "local" || user_type == "system")

complex_layout = installation && Users.StartDialog("user_add")
groups = Ops.get_map(user, "grouplist", {})
Expand Down Expand Up @@ -295,7 +287,6 @@ def EditUserDialog(what)
end
home = Ops.get_string(user, "homeDirectory", home)
org_home = Ops.get_string(user, "org_homeDirectory", org_home)
crypted_home_size = GetInt(Ops.get(user, "crypted_home_size"), 0)
mode = Ops.get_string(user, "home_mode", default_mode)
password = Ops.get_string(user, "userPassword", password)
org_username = Ops.get_string(user, "org_uid", org_username)
Expand Down Expand Up @@ -684,33 +675,6 @@ def EditUserDialog(what)
Left(CheckBox(Id(:skel), _("E&mpty Home"), no_skel))
)
)
crypted_home_term = crypted_home_enabled ?
HBox(
VBox(
Label(""),
HBox(
HSpacing(),
Left(
CheckBox(
Id(:crypted_home),
Opt(:notify),
# check box label
_("&Use Encrypted Home Directory"),
Ops.greater_than(crypted_home_size, 0)
)
)
)
), # for max value, see bug 244631 :-)
# IntField label
IntField(
Id(:dirsize),
_("&Directory Size in MB"),
10,
2147483647,
crypted_home_size
)
) :
HBox()

HBox(
HSpacing(1),
Expand Down Expand Up @@ -740,7 +704,7 @@ def EditUserDialog(what)
)
),
Top(
VBox(HBox(home_w, browse), new_user_term, crypted_home_term)
VBox(HBox(home_w, browse), new_user_term)
),
additional_data,
Top(edit_shell),
Expand Down Expand Up @@ -1420,28 +1384,6 @@ def EditUserDialog(what)
UI.ChangeWidget(Id(:home), :Value, dir)
end
end
if current == :details && ret == :crypted_home
checked = Convert.to_boolean(
UI.QueryWidget(Id(:crypted_home), :Value)
)
if !checked && UserLogged(org_username)
# error popup
Report.Error(
_(
"The home directory for this user cannot be decrypted,\n" +
"because the user is currently logged in.\n" +
"Log the user out first."
)
)
UI.ChangeWidget(Id(:crypted_home), :Value, true)
next
end
if checked &&
Convert.to_integer(UI.QueryWidget(Id(:dirsize), :Value)) == 10
UI.ChangeWidget(Id(:dirsize), :Value, default_crypted_size)
end
UI.ChangeWidget(Id(:dirsize), :Enabled, checked)
end

# going from Details dialog
if current == :details && (ret == :next || tab)
Expand Down Expand Up @@ -1569,29 +1511,6 @@ def EditUserDialog(what)
end
end

if crypted_home_enabled
home_size = Convert.to_integer(UI.QueryWidget(Id(:dirsize), :Value))
if Convert.to_boolean(UI.QueryWidget(Id(:crypted_home), :Value))
if home_size == 0
# error popup
Popup.Error(_("Enter the size for the home directory."))
focus_tab.call(current, :dirsize)
next
end
if !Package.Install("cryptconfig")
# error popup
Popup.Error(Message.FailedToInstallPackages + _("
Directory cannot be encrypted."))
UI.ChangeWidget(Id(:crypted_home), :Value, false)
next
end
crypted_home_size = home_size
else
crypted_home_size = 0
end
end


error_map = Users.CheckShellUI(new_shell, ui_map)
if error_map != {}
if !Popup.YesNo(Ops.get_string(error_map, "question", ""))
Expand Down Expand Up @@ -1660,7 +1579,6 @@ def EditUserDialog(what)
Ops.set(user, "addit_data", addit_data)
Ops.set(user, "no_skeleton", no_skel)
Ops.set(user, "home_mode", mode)
Ops.set(user, "crypted_home_size", crypted_home_size)
end

if current == :passwordsettings && (ret == :next || tab)
Expand Down Expand Up @@ -1898,14 +1816,6 @@ def EditUserDialog(what)
end
UI.ChangeWidget(Id(:shell), :Value, shell)

if UI.WidgetExists(Id(:crypted_home))
UI.ChangeWidget(
Id(:dirsize),
:Enabled,
Convert.to_boolean(UI.QueryWidget(Id(:crypted_home), :Value))
)
end

current = ret
end
if ret == :passwordsettings
Expand Down Expand Up @@ -1934,53 +1844,6 @@ def EditUserDialog(what)
ret = :notnext
next
end
if crypted_home_enabled && action == "edited" &&
Ops.get(user, "current_text_userpassword") == nil &&
(crypted_home_size != org_crypted_home_size ||
Ops.greater_than(crypted_home_size, 0) &&
(org_username != username || org_home != home ||
Ops.get_boolean(
# only password was changed
user,
"encrypted",
false
) == false))
img_file = Builtins.sformat("%1.img", home)
key_file = Builtins.sformat("%1.key", home)
# ask to take existing orphaned image by user
# without current directory encrypted (bnc#425745)
if org_crypted_home_size == 0 && FileUtils.Exists(img_file) &&
FileUtils.Exists(key_file) &&
UsersRoutines.CryptedImageOwner(img_file) == "" &&
UsersRoutines.CryptedImageOwner(key_file) == "" &&
ask_take_image.call(img_file, key_file)
Ops.set(user, "take_existing_image", img_file)
end


# do not ask when enabling for first time and password was already entered
# do not ask when taking existing image, pw not needed for that FIXME really?
if (Ops.get_boolean(user, "encrypted", false) == false ||
Ops.get(user, "text_userpassword") != nil ||
Ops.get_string(user, "take_existing_image", "") != "") &&
org_crypted_home_size == 0
Ops.set(
user,
"current_text_userpassword",
Ops.get(user, "text_userpassword") != nil ?
Ops.get(user, "text_userpassword") :
Ops.get_string(user, "userPassword", "")
)
else
old_pw = AskForOldPassword()
if old_pw != nil
Ops.set(user, "current_text_userpassword", old_pw)
else
ret = :notnext
next
end
end
end

# --------------------------------- save the settings
if Builtins.haskey(user, "check_error")
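Review bot: `default_crypted_size = 100`, the line just before the removed `crypted_home_size = GetInt(...)` in the first hunk, appears to survive the commit even though its only reader, the `UI.ChangeWidget(Id(:dirsize), :Value, default_crypted_size)` call, is deleted in the `ret == :crypted_home` hunk; drop that assignment too so the feature removal leaves no dead local behind. The hunk counts (`@@ -202,11 +202,6 @@`) support this reading, since the five deleted lines are fully accounted for by the `crypted_home_size` and `org_crypted_home_size` assignments. Since only the hunks are visible, it is also worth confirming that no other part of the file still references the `:crypted_home` or `:dirsize` widget ids or sets `current_text_userpassword`, which this dialog no longer populates. `EditUserDialog` starts and ends outside every hunk shown.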
25 changes: 0 additions & 25 deletions src/include/users/helps.rb
Expand Up @@ -455,31 +455,6 @@ def EditUserDetailsDialogHelp(user_type, what)
)
end

if user_type == "system" || user_type == "local" ||
user_type == "ldap" && Ldap.file_server
if UsersRoutines.CryptedHomesEnabled
# help text for directory encryption
helptext = Ops.add(
helptext,
_(
"<p>To encrypt the user's home directory, enable <b>Use Encrypted Home\n" +
"Directory</b> and set the directory size. Encrypting a user's home directory\n" +
"does not provide strong security from other users. If this machine is shared\n" +
"among multiple users, it may be possible for a user to compromise system\n" +
"security by obtaining another user's key and gaining access to the encrypted data. If strong security is required, the system should not be physically shared.</p>"
)
)
else
# help text for directory encryption
helptext = Ops.add(
helptext,
_(
"<p>Home directories cannot be encrypted if a fingerprint reader device is used. To encrypt the user's home directory, disable fingerprint configuration first.</p>"
)
)
end
end

if user_type == "ldap"
helptext = Ops.add(
helptext,
67 changes: 1 addition & 66 deletions src/modules/Users.pm
Expand Up @@ -2177,13 +2177,6 @@ sub EditUser {
$user_in_work{"chown_home"} = YaST::YCP::Boolean (1);
}

# check if user is using crypted directory
$user_in_work{"crypted_home_size"} = 0;
my $dir = UsersRoutines->CryptedImagePath ($username);
if ($dir && FileUtils->Exists ($dir)) {
$user_in_work{"crypted_home_size"} = UsersRoutines->FileSizeInMB ($dir);
}

# save first map for later checks of modification (in Commit)
my %org_user = %user_in_work;
$user_in_work{"org_user"} = \%org_user;
Expand Down Expand Up @@ -3432,39 +3425,9 @@ sub UserReallyModified {
$ret = 1;
}
}
# TODO should be caught in the previous tests?
if (!$ret &&
defined $org_user{"crypted_home_size"} &&
defined $user{"crypted_home_size"})
{
$ret = ($org_user{"crypted_home_size"} ne $user{"crypted_home_size"});
}
return $ret;
}

# take the map of user and check if his crypted directory settings were modified
# return boolean
sub CryptedHomeModified {

my $self = shift;
my $user = shift;

my $username = $user->{"uid"} || "";
my $org_username = $user->{"org_user"}{"uid"} || $username;
my $home = $user->{"homeDirectory"} || "";
my $org_home = $user->{"org_user"}{"homeDirectory"} || $home;
my $home_size = $user->{"crypted_home_size"} || 0;
my $org_size = $user->{"org_user"}{"crypted_home_size"} || 0;
my $pw = $user->{"current_text_userpassword"};
my $new_pw = $user->{"text_userpassword"};

return 0 if ($home_size == 0 && $org_size == 0); # nothing to do
return 0 if (!defined $pw && !defined $new_pw); # no change without password provided :-(
return 0 if ($home eq $org_home && $username eq $org_username && $home_size == $org_size &&
(($pw || "") eq ($new_pw || "")));
return 1;
}


# Substitute the values of LDAP atributes, predefined in LDAP user configuration
BEGIN { $TYPEINFO{SubstituteUserValues} = ["function", "void"] }
Expand Down Expand Up @@ -4313,9 +4276,6 @@ sub Write {
# Write LDAP users and groups
if ($use_gui) { Progress->NextStage (); }

# this hash stores users, for which directory needs to be crypted (feature 301787)
my %users_with_crypted_dir = ();

if ($ldap_modified) {
my $error_msg = "";

Expand All @@ -4335,9 +4295,6 @@ sub Write {
# only remember for which users we need to call cryptconfig
foreach my $username (keys %{$modified_users{"ldap"}}) {
my %user = %{$modified_users{"ldap"}{$username}};
if (defined $user{"crypted_home_size"} && $self->CryptedHomeModified (\%user)) {
$users_with_crypted_dir{$username} = \%user;
}
}
$error_msg = UsersLDAP->WriteUsers ($modified_users{"ldap"});
if ($error_msg ne "") {
Expand Down Expand Up @@ -4492,9 +4449,6 @@ sub Write {
my $chown_home = $user{"chown_home"};
$chown_home = 1 if (!defined $chown_home);
my $skel = $useradd_defaults{"skel"};
if (defined $user{"crypted_home_size"} && $self->CryptedHomeModified (\%user)) {
$users_with_crypted_dir{$username} = \%user;
}
if ($user_mod eq "imported" || $user_mod eq "added") {

y2usernote ("User '$username' created");
Expand Down Expand Up @@ -4562,9 +4516,7 @@ sub Write {
UsersRoutines->CreateHome ($skel, $home);
}
# do not change root's ownership of home directories
if ((!defined $user{"crypted_home_size"} ||
$user{"crypted_home_size"} eq 0) &&
bool ($chown_home))
if (bool ($chown_home))
{
UsersRoutines->ChownHome ($uid, $gid, $home);
}
Expand All @@ -4576,15 +4528,6 @@ sub Write {

if (Mode->autoinst() || Mode->autoupgrade() || Mode->config()) { WriteAuthorizedKeys(); }

if (%users_with_crypted_dir) {
unless (Package->Install ("cryptconfig"))
{
# error message
Report->Error(Message->FailedToInstallPackages () + __("
Encryption support is not installed, home directories will NOT be encrypted."))
}
}

# Write passwords
if ($use_gui) { Progress->NextStage (); }

Expand Down Expand Up @@ -4719,14 +4662,6 @@ Encryption support is not installed, home directories will NOT be encrypted."))
}
}

if (!FileUtils->Exists (UsersRoutines->CryptconfigPath ())) {
%users_with_crypted_dir = ();
}
foreach my $username (keys %users_with_crypted_dir) {
UsersRoutines->CryptHome ($users_with_crypted_dir{$username});
}
%users_with_crypted_dir = ();

# complete adding users
if ($users_modified && @useradd_postcommands > 0) {
foreach my $command (@useradd_postcommands) {
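Review bot: In the `Write` hunk at `@@ -4335,9 +4295,6 @@` the `foreach my $username (keys %{$modified_users{"ldap"}})` loop is left with a body that only copies `my %user = %{$modified_users{"ldap"}{$username}};` and then does nothing with it, and the comment above it, `# only remember for which users we need to call cryptconfig`, now describes code that no longer exists; the comment and the loop should go with the deleted block. Leaving them costs one hash copy per modified LDAP user on every write and reads as an unfinished edit to the next maintainer. In the `@@ -4562,9 +4516,7 @@` hunk the new single-line condition `if (bool ($chown_home))` keeps its brace on the following line, a layout that only made sense for the multi-line condition it replaces; the surrounding `if (...) {` style suggests `if (bool ($chown_home)) {`. `sub Write` starts and ends outside the hunks shown.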
4 changes: 1 addition & 3 deletions src/modules/UsersLDAP.pm
Expand Up @@ -1454,9 +1454,7 @@ sub WriteUsers {
if ($create_home) {
UsersRoutines->MoveHome ($org_home, $home);
}
if ($chown_home &&
(!defined $user->{"crypted_home_size"} ||
$user->{"crypted_home_size"} eq 0))
if ($chown_home)
{
UsersRoutines->ChownHome ($uid, $gid, $home);
}
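Review bot: The new `if ($chown_home)` keeps its opening brace on a line of its own, a layout inherited from the three-line condition it replaces; the neighbouring `if ($create_home) {` two lines above cuddles the brace, so `if ($chown_home) {` would keep the block consistent with its surroundings. This is a style point only: for homes that were never encrypted the chown behaviour is unchanged, and removing the encrypted-home exemption is the purpose of the commit. `sub WriteUsers` starts and ends outside this hunk.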
