From 0fdc9e9ce0be731c2235571077b032c36b4b06d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Imobach=20Gonz=C3=A1lez=20Sosa?= Date: Mon, 12 Apr 2021 16:10:33 +0100 Subject: [PATCH 1/7] The ShadowConfig module relies on LoginDefs instead --- library/general/src/modules/ShadowConfig.rb | 7 ++--- .../general/test/login_defs_config_test.rb | 26 +++++++++---------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/library/general/src/modules/ShadowConfig.rb b/library/general/src/modules/ShadowConfig.rb index 2118ed36a..5122b2544 100644 --- a/library/general/src/modules/ShadowConfig.rb +++ b/library/general/src/modules/ShadowConfig.rb @@ -18,13 +18,14 @@ # find current contact information at www.suse.com. require "yast" -require "cfa/shadow_config" +require "cfa/login_defs" module Yast # This class allows to access the API to handle login.defs attributes from Perl # + # In SLE 15 SP2, it relies on CFA::LoginDefs instead of CFA::ShadowConfig like later versions. + # # @see CFA::LoginDefs - # @see CFA::ShadowConfig class ShadowConfigClass < Module include Logger @@ -101,7 +102,7 @@ def check_attribute(attr) def config return @config if @config - @config = CFA::ShadowConfig.new + @config = CFA::LoginDefs.new @config.load @config end diff --git a/library/general/test/login_defs_config_test.rb b/library/general/test/login_defs_config_test.rb index a3f7f183b..866196bba 100644 --- a/library/general/test/login_defs_config_test.rb +++ b/library/general/test/login_defs_config_test.rb 
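Review bot: `@config = CFA::LoginDefs.new` in `config` passes no `file_path:`, but at this point in the series `CFA::LoginDefs#initialize` still declares `file_path:` as a required keyword (the `DEFAULT_PATH` default only arrives in the next commit), so this commit on its own raises `ArgumentError` the first time `config` is called and does not bisect cleanly. Either fold the default into this commit or pass the path explicitly here, `@config = CFA::LoginDefs.new(file_path: "/etc/login.defs")`. The new class comment says which CFA class is used but not what that means for callers; since only one file is read now, a sentence such as `# Only /etc/login.defs is consulted; drop-in files under /etc/login.defs.d/ are ignored, so attributes set there are not visible through #fetch` would make the SP2 limitation (bsc#1184131) explicit where the API is documented. The `ShadowConfigClass` body continues outside the hunk.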
@@ -23,15 +23,21 @@ describe Yast::ShadowConfig do subject { Yast::ShadowConfig } - let(:config_path) { File.join(GENERAL_DATA_PATH, "login.defs", "vendor") } - before { subject.main } + let(:login_defs) { CFA::LoginDefs.new } - around do |example| - change_scr_root(config_path, &example) + before do + allow(CFA::LoginDefs).to receive(:new) + .and_return(login_defs) + subject.reset + subject.main end describe "#fetch" do + before do + allow(login_defs).to receive(:encrypt_method).and_return("SHA512") + end + context "when the value is defined" do it "returns the value for the given attribute" do expect(subject.fetch(:encrypt_method)).to eq("SHA512") @@ -51,7 +57,7 @@ it "sets the attribute to the given value" do expect { subject.set(:encrypt_method, "SHA256") } .to change { subject.fetch(:encrypt_method) } - .from("SHA512").to("SHA256") + .to("SHA256") end end @@ -64,16 +70,8 @@ end describe "#write" do - let(:shadow_config) { CFA::ShadowConfig.new } - - before do - allow(CFA::ShadowConfig).to receive(:new) - .and_return(shadow_config) - subject.reset - end - it "saves the changes" do - expect(shadow_config).to receive(:save) + expect(login_defs).to receive(:save) subject.write end end From 22e990a16e0c28f94998e0b2674e2518940d78d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Imobach=20Gonz=C3=A1lez=20Sosa?= Date: Mon, 12 Apr 2021 16:11:04 +0100 Subject: [PATCH 2/7] Add a default value for file_path in LoginDefs.new --- library/general/src/lib/cfa/login_defs.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/general/src/lib/cfa/login_defs.rb b/library/general/src/lib/cfa/login_defs.rb index 5edc56b9b..c1966bffe 100644 --- a/library/general/src/lib/cfa/login_defs.rb +++ b/library/general/src/lib/cfa/login_defs.rb @@ -65,6 +65,8 @@ class LoginDefs < BaseModel :userdel_precmd ].freeze + DEFAULT_PATH = "/etc/login.defs".freeze + class << self # Returns the list of known attributes # 
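Review bot: The `#fetch` example in this hunk now reads back exactly the value stubbed two lines above it (`allow(login_defs).to receive(:encrypt_method).and_return("SHA512")`), so it no longer exercises the `login_defs.lns` parse path that the removed `change_scr_root(config_path, ...)` setup ran against a real fixture. A regression in the lens or in `LoginDefs#load` would therefore pass this spec unnoticed, which matters because `encrypt_method` is what decides the password hash algorithm for callers. Consider keeping one non-stubbed example, e.g. constructing the object as the CFA spec does with a `file_handler` whose `read` returns `"ENCRYPT_METHOD SHA512\n"` and asserting `subject.fetch(:encrypt_method)` on it; the fixture trees removed later in this series are not needed for that. The `describe "#set"` and `describe "#write"` groups in this hunk are unaffected.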
@@ -80,7 +82,7 @@ def known_attributes # @param file_handler [#read,#write] something able to read/write a string (like File) # @param file_path [String] File path # @return [LoginDefs] File with the already loaded content - def load(file_path:, file_handler: Yast::TargetFile) + def load(file_path: DEFAULT_PATH, file_handler: Yast::TargetFile) new(file_path: file_path, file_handler: file_handler).tap(&:load) end end @@ -98,7 +100,7 @@ def load(file_path:, file_handler: Yast::TargetFile) # @param file_path [String] File path # # @see CFA::BaseModel#initialize - def initialize(file_path:, file_handler: Yast::TargetFile) + def initialize(file_path: DEFAULT_PATH, file_handler: Yast::TargetFile) super(AugeasParser.new("login_defs.lns"), file_path, file_handler: file_handler) end From bf2dde30339664b0c17653550ded062fe243a43e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Imobach=20Gonz=C3=A1lez=20Sosa?= Date: Mon, 12 Apr 2021 16:11:47 +0100 Subject: [PATCH 3/7] Bump version and update changes file --- package/yast2.changes | 7 +++++++ package/yast2.spec | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/package/yast2.changes b/package/yast2.changes index 3c89743af..e4ca2c3d3 100644 --- a/package/yast2.changes +++ b/package/yast2.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Apr 12 15:12:41 UTC 2021 - Imobach Gonzalez Sosa + +- The ShadowConfig module only considers the /etc/login.defs + file (bsc#1184131). +- 4.2.93 + ------------------------------------------------------------------- Wed Feb 10 07:51:10 UTC 2021 - Imobach Gonzalez Sosa diff --git a/package/yast2.spec b/package/yast2.spec index bab913eec..e5ea9cbf7 100644 --- a/package/yast2.spec +++ b/package/yast2.spec @@ -17,7 +17,7 @@ Name: yast2 -Version: 4.2.92 +Version: 4.2.93 Release: 0 Summary: YaST2 Main Package From 9f6e233780ace5d3fa7c86900a2a7296d2b48238 Mon Sep 17 00:00:00 2001 
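Review bot: The YARD docs for `load` and `initialize` still describe `file_path` as a bare `File path` even though both signatures now default it to `DEFAULT_PATH`, so a reader of the API cannot tell that `CFA::LoginDefs.new` with no arguments targets the live `/etc/login.defs` and that a later `#save` writes there. Update both `@param` lines to `# @param file_path [String] File path (defaults to DEFAULT_PATH, "/etc/login.defs")`, and give `DEFAULT_PATH` itself a one-line comment naming it as the system file that `load`/`save` use when no path is given. The `class << self` block and the class body continue outside the hunk.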
From: =?UTF-8?q?Imobach=20Gonz=C3=A1lez=20Sosa?= Date: Mon, 12 Apr 2021 21:24:53 +0100 Subject: [PATCH 4/7] Fix ShadowConfig test name --- .../test/{login_defs_config_test.rb => shadow_config_test.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename library/general/test/{login_defs_config_test.rb => shadow_config_test.rb} (100%) diff --git a/library/general/test/login_defs_config_test.rb b/library/general/test/shadow_config_test.rb similarity index 100% rename from library/general/test/login_defs_config_test.rb rename to library/general/test/shadow_config_test.rb From d8c3992794ffed8c05a4d041bff2e2ae84287677 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Imobach=20Gonz=C3=A1lez=20Sosa?= Date: Mon, 12 Apr 2021 22:01:55 +0100 Subject: [PATCH 5/7] Clean-up ShadowConfig --- library/general/src/lib/cfa/shadow_config.rb | 44 --- .../general/test/cfa/shadow_config_test.rb | 164 ---------- .../data/login.defs/custom/etc/login.defs | 1 - .../custom/etc/login.defs.d/70-yast.defs | 1 - .../custom/etc/login.defs.d/99-local.defs | 2 - .../data/login.defs/custom/usr/etc/login.defs | 298 ----------------- .../usr/etc/login.defs.d/encrypt_method.defs | 0 .../vendor/etc/login.defs.d/99-local.defs | 0 .../data/login.defs/vendor/usr/etc/login.defs | 300 ------------------ .../usr/etc/login.defs.d/encrypt_method.defs | 0 10 files changed, 810 deletions(-) delete mode 100644 library/general/src/lib/cfa/shadow_config.rb delete mode 100644 library/general/test/cfa/shadow_config_test.rb delete mode 100644 library/general/test/data/login.defs/custom/etc/login.defs delete mode 100644 library/general/test/data/login.defs/custom/etc/login.defs.d/70-yast.defs delete mode 100644 library/general/test/data/login.defs/custom/etc/login.defs.d/99-local.defs delete mode 100644 library/general/test/data/login.defs/custom/usr/etc/login.defs delete mode 100644 library/general/test/data/login.defs/custom/usr/etc/login.defs.d/encrypt_method.defs delete mode 100644 library/general/test/data/login.defs/vendor/etc/login.defs.d/99-local.defs delete mode 100644 library/general/test/data/login.defs/vendor/usr/etc/login.defs delete mode 100644 library/general/test/data/login.defs/vendor/usr/etc/login.defs.d/encrypt_method.defs diff --git a/library/general/src/lib/cfa/shadow_config.rb b/library/general/src/lib/cfa/shadow_config.rb deleted file mode 100644 index 830cf8b4b..000000000 --- a/library/general/src/lib/cfa/shadow_config.rb +++ /dev/null 
@@ -1,44 +0,0 @@ -# Copyright (c) [2019] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. - -require "yast" -require "cfa/login_defs" -require "cfa/multi_file_config" - -Yast.import "FileUtils" - -module CFA - # This class allows to interact with the shadow suite configuration files (login.defs) - # - # @example Reading a configuration parameter - # config = ShadowConfig.new - # config.load - # config.encrypt_method #=> "SHA512" - # - # @example Setting a value - # config = ShadowConfig.new - # config.load - # config.fail_delay = "5" - # config.save - class ShadowConfig < MultiFileConfig - self.file_name = "login.defs" - self.yast_file_name = "70-yast.defs" - self.file_class = LoginDefs - end -end diff --git a/library/general/test/cfa/shadow_config_test.rb b/library/general/test/cfa/shadow_config_test.rb deleted file mode 100644 index e147281bb..000000000 --- a/library/general/test/cfa/shadow_config_test.rb +++ /dev/null 
@@ -1,164 +0,0 @@ -# Copyright (c) [2019] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. - -require_relative "../test_helper" -require "cfa/shadow_config" - -describe CFA::ShadowConfig do - subject(:config) { described_class.new } - let(:scenario) { "custom" } - - around do |example| - change_scr_root(File.join(GENERAL_DATA_PATH, "login.defs", scenario), &example) - end - - describe "#load" do - context "when /etc/login.defs exists" do - let(:scenario) { "custom" } - - before do - allow(CFA::LoginDefs).to receive(:new).and_call_original - end - - it "does not read /usr/etc/login.defs file" do - expect(CFA::LoginDefs).to_not receive(:new) - .with(file_path: "/usr/etc/login.defs") - config.load - end - - it "does not read /usr/etc/login.defs.d directory" do - expect(CFA::LoginDefs).to_not receive(:new) - .with(file_path: "/usr/etc/login.defs.d/encrypt_method.conf") - config.load - end - - it "reads /etc/login.defs file" do - expect(CFA::LoginDefs).to receive(:new) - .with(file_path: "/etc/login.defs") - .and_call_original - config.load - end - - it "reads /etc/login.defs.d directory" do - expect(CFA::LoginDefs).to receive(:new) - .with(file_path: "/etc/login.defs.d/99-local.defs") - .and_call_original - config.load - end - end - - context "when /etc/login.defs does not exist" do - 
let(:scenario) { "vendor" } - - before do - allow(CFA::LoginDefs).to receive(:new).and_call_original - end - - it "reads vendor files" do - expect(CFA::LoginDefs).to receive(:new) - .with(file_path: "/usr/etc/login.defs") - .and_call_original - config.load - end - - it "reads /usr/etc/login.defs.d directory" do - expect(CFA::LoginDefs).to receive(:new) - .with(file_path: "/usr/etc/login.defs.d/encrypt_method.defs") - .and_call_original - config.load - end - - it "reads /etc/login.defs.d directory" do - expect(CFA::LoginDefs).to receive(:new) - .with(file_path: "/etc/login.defs.d/99-local.defs") - .and_call_original - config.load - end - - it "reads the YaST configuration file" do - expect(CFA::LoginDefs).to receive(:new) - .with(file_path: "/etc/login.defs.d/70-yast.defs") - .and_call_original - config.load - end - end - end - - describe "#save" do - let(:yast_config_file) { CFA::LoginDefs.new(file_path: "/etc/login.defs.d/70-yast.defs") } - - before do - allow(CFA::LoginDefs).to receive(:new).and_call_original - allow(CFA::LoginDefs).to receive(:new) - .with(file_path: "/etc/login.defs.d/70-yast.defs") - .and_return(yast_config_file) - allow(yast_config_file).to receive(:save) - end - - it "writes changes to /etc/login.defs.d/70-yast.defs" do - expect(yast_config_file).to receive(:save) - config.save - end - - context "when no conflicts are detected" do - it "does not log anything" do - expect(config.log).to_not receive(:warn) - config.save - end - end - - context "when a conflict is detected" do - before do - allow(config).to receive(:conflicts).and_return([:fail_delay, :useradd_cmd]) - end - - it "logs conflicting attributes" do - expect(config.log).to receive(:warn).with(/overridden: fail_delay, useradd_cmd/) - config.save - end - end - end - - describe "#conflicts" do - before { config.load } - - it "returns override YaST settings" do - expect(config.conflicts).to eq([:useradd_cmd]) - end - end - - describe "#encrypt_method" do - before { config.load } - - it 
"returns the highest precedence value" do - expect(config.encrypt_method).to eq("SHA256") - end - end - - describe "#fail_delay=" do - let(:scenario) { "custom" } - - before { config.load } - - it "sets the encryption method" do - expect { config.fail_delay = "5" }.to change { config.fail_delay } - .from("3").to("5") - end - end -end diff --git a/library/general/test/data/login.defs/custom/etc/login.defs b/library/general/test/data/login.defs/custom/etc/login.defs deleted file mode 100644 index 2c7fa87e5..000000000 --- a/library/general/test/data/login.defs/custom/etc/login.defs +++ /dev/null @@ -1 +0,0 @@ -FAIL_DELAY 3 \ No newline at end of file diff --git a/library/general/test/data/login.defs/custom/etc/login.defs.d/70-yast.defs b/library/general/test/data/login.defs/custom/etc/login.defs.d/70-yast.defs deleted file mode 100644 index 585447956..000000000 --- a/library/general/test/data/login.defs/custom/etc/login.defs.d/70-yast.defs +++ /dev/null @@ -1 +0,0 @@ -USERADD_CMD /usr/sbin/useradd.local \ No newline at end of file diff --git a/library/general/test/data/login.defs/custom/etc/login.defs.d/99-local.defs b/library/general/test/data/login.defs/custom/etc/login.defs.d/99-local.defs deleted file mode 100644 index 0b782865a..000000000 --- a/library/general/test/data/login.defs/custom/etc/login.defs.d/99-local.defs +++ /dev/null @@ -1,2 +0,0 @@ -ENCRYPT_METHOD SHA256 -USERADD_CMD /usr/local/sbin/useradd.local \ No newline at end of file diff --git a/library/general/test/data/login.defs/custom/usr/etc/login.defs b/library/general/test/data/login.defs/custom/usr/etc/login.defs deleted file mode 100644 index 4576f4ddf..000000000 --- a/library/general/test/data/login.defs/custom/usr/etc/login.defs +++ /dev/null 
@@ -1,298 +0,0 @@ -# -# /etc/login.defs - Configuration control definitions for the shadow package. -# Some variables are used by login(1), su(1) and runuser(1) from util-linux -# package as well pam pam_unix(8) from pam package. -# -# For more, see login.defs(5). Please note that SUSE supports only variables -# listed here! Not listed variables from login.defs(5) have no effect. -# - -# -# Delay in seconds before being allowed another attempt after a login failure -# Note: When PAM is used, some modules may enforce a minimum delay (e.g. -# pam_unix(8) enforces a 2s delay) -# -FAIL_DELAY 3 - -# -# Enable display of unknown usernames when login(1) failures are recorded. -# -LOG_UNKFAIL_ENAB no - -# -# Enable "syslog" logging of newgrp(1) and sg(1) activity. -# -SYSLOG_SG_ENAB yes - -# -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# from these devices. -# -CONSOLE /etc/securetty -#CONSOLE console:tty01:tty02:tty03:tty04 - -# -# Limit the highest user ID number for which the lastlog entries should -# be updated. -# -# No LASTLOG_UID_MAX means that there is no user ID limit for writing -# lastlog entries. -# -#LASTLOG_UID_MAX - -# -# If defined, all su(1) activity is logged to this file. -# -#SULOG_FILE /var/log/sulog - -# -# If defined, ":" delimited list of "message of the day" files to -# be displayed upon login. -# -#MOTD_FILE /etc/motd:/usr/share/misc/motd - -# -# If defined, file which maps tty line to TERM environment parameter. -# Each line of the file is in a format similar to "vt100 tty01". -# -#TTYTYPE_FILE /etc/ttytype - -# -# If defined, file which inhibits all the usual chatter during the login -# sequence. If a full pathname, then hushed mode will be enabled if the -# user's name or shell are found in the file. If not a full pathname, then -# hushed mode will be enabled if the file exists in the user's home directory. 
-# -#HUSHLOGIN_FILE .hushlogin -HUSHLOGIN_FILE /etc/hushlogins - -# If this variable is set to "yes", hostname will be suppressed in the -# login: prompt. -#LOGIN_PLAIN_PROMPT no - -# -# *REQUIRED* The default PATH settings, for superuser and normal users. -# -# (they are minimal, add the rest in the shell startup files) -# -# ENV_PATH: The default PATH settings for non-root. -# -# ENV_ROOTPATH: The default PATH settings for root -# (used by login, su and runuser). -# -# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser -# (and falback for login). -# -ENV_PATH /usr/local/bin:/bin:/usr/bin -ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -# If this variable is set to "yes" (default is "no"), su will always set -# path. every su call will overwrite the PATH variable. -# -# Per default, only "su -" will set a new PATH. -# -# The recommended value is "yes". The default "no" behavior could have -# a security implication in applications that use commands without path. -# -ALWAYS_SET_PATH yes - -# -# Terminal permissions -# -# TTYGROUP Login tty will be assigned this group ownership. -# TTYPERM Login tty will be set to this permission. -# -# If you have a write(1) program which is "setgid" to a special group -# which owns the terminals, define TTYGROUP as the number of such group -# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and -# set TTYPERM to either 622 or 600. -# -TTYGROUP tty -TTYPERM 0620 - -# Default initial "umask" value used by login(1) on non-PAM enabled systems. -# Default "umask" value for pam_umask(8) on PAM enabled systems. -# UMASK is also used by useradd(8) and newusers(8) to set the mode for new -# home directories. -# 022 is the default value, but 027, or even 077, could be considered -# for increased privacy. There is no One True Answer here: each sysadmin -# must make up their mind. 
-UMASK 022 - -# -# Password aging controls: -# -# PASS_MAX_DAYS Maximum number of days a password may be used. -# PASS_MIN_DAYS Minimum number of days allowed between password changes. -# PASS_WARN_AGE Number of days warning given before a password expires. -# -PASS_MAX_DAYS 99999 -PASS_MIN_DAYS 0 -PASS_WARN_AGE 7 - -# -# Min/max values for automatic uid selection in useradd(8) -# -# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for -# UIDs for dynamically allocated administrative and system accounts. -# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically -# allocated user accounts. -# -UID_MIN 1000 -UID_MAX 60000 -# System accounts -SYS_UID_MIN 100 -SYS_UID_MAX 499 -# Extra per user uids -SUB_UID_MIN 100000 -SUB_UID_MAX 600100000 -SUB_UID_COUNT 65536 - -# -# Min/max values for automatic gid selection in groupadd(8) -# -# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for -# GIDs for dynamically allocated administrative and system groups. -# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically -# allocated groups. -# -GID_MIN 1000 -GID_MAX 60000 -# System accounts -SYS_GID_MIN 100 -SYS_GID_MAX 499 -# Extra per user group ids -SUB_GID_MIN 100000 -SUB_GID_MAX 600100000 -SUB_GID_COUNT 65536 - -# -# Max number of login(1) retries if password is bad -# -LOGIN_RETRIES 3 - -# -# Max time in seconds for login(1) -# -LOGIN_TIMEOUT 60 - -# -# Which fields may be changed by regular users using chfn(1) - use -# any combination of letters "frwh" (full name, room number, work -# phone, home phone). If not defined, no changes are allowed. -# For backward compatibility, "yes" = "rwh" and "no" = "frwh". -# -CHFN_RESTRICT rwh - -# -# This variable is deprecated. Use ENCRYPT_METHOD instead! 
-# -#MD5_CRYPT_ENAB DO_NOT_USE - -# -# If set to MD5, MD5-based algorithm will be used for encrypting password -# If set to SHA256, SHA256-based algorithm will be used for encrypting password -# If set to SHA512, SHA512-based algorithm will be used for encrypting password -# If set to DES, DES-based algorithm will be used for encrypting password (default) -# Overrides the MD5_CRYPT_ENAB option -# -# Note: If you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. -# -ENCRYPT_METHOD SHA512 - -# -# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -# -# Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute-force the password. -# However, more CPU resources will be needed to authenticate users if -# this value is increased. -# -# If not specified, the libc will choose the default number of rounds (5000). -# The values must be within the 1000-999999999 range. -# If only one of the MIN or MAX values is set, then this value will be used. -# If MIN > MAX, the highest value will be used. -# -#SHA_CRYPT_MIN_ROUNDS 5000 -#SHA_CRYPT_MAX_ROUNDS 5000 - -# -# Should login be allowed if we can't cd to the home directory? -# Default is no. -# -DEFAULT_HOME yes - -# -# If defined, this command is run when adding a user. -# It should rebuild any NIS database etc. to add the -# new created account. -# -USERADD_CMD /usr/sbin/useradd.local - -# -# If defined, this command is run when removing a user. -# It should remove any at/cron/print jobs etc. owned by -# the user to be removed (passed as the first argument). -# -# See also USERDEL_PRECMD and USERDEL_POSTCMD below. -# -#USERDEL_CMD /usr/sbin/userdel_local - -# -# If defined, this command is run before removing a user. -# It should remove any at/cron/print jobs etc. owned by -# the user to be removed. -# -USERDEL_PRECMD /usr/sbin/userdel-pre.local - -# -# If defined, this command is run after removing a user. -# It should rebuild any NIS database etc. 
to remove the -# account from it. -# -USERDEL_POSTCMD /usr/sbin/userdel-post.local - -# -# Enable setting of the umask group bits to be the same as owner bits -# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is -# the same as gid, and username is the same as the primary group name. -# -# This also enables userdel(8) to remove user groups if no members exist. -# -USERGROUPS_ENAB no - -# -# If set to a non-zero number, the shadow utilities will make sure that -# groups never have more than this number of users on one line. -# This permits to support split groups (groups split into multiple lines, -# with the same group ID, to avoid limitation of the line length in the -# group file). -# -# 0 is the default value and disables this feature. -# -#MAX_MEMBERS_PER_GROUP 0 - -# -# If useradd(8) should create home directories for users by default (non -# system users only). -# This option is overridden with the -M or -m flags on the useradd(8) -# command-line. -# -CREATE_HOME no - -# -# Force use shadow, even if shadow passwd & shadow group files are -# missing. -# -FORCE_SHADOW no - -# -# User/group names must match the following regex expression. -# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?, -# but be aware that the result could depend on the locale settings. -# -#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\? -CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\? diff --git a/library/general/test/data/login.defs/custom/usr/etc/login.defs.d/encrypt_method.defs b/library/general/test/data/login.defs/custom/usr/etc/login.defs.d/encrypt_method.defs deleted file mode 100644 index e69de29bb..000000000 
diff --git a/library/general/test/data/login.defs/vendor/etc/login.defs.d/99-local.defs b/library/general/test/data/login.defs/vendor/etc/login.defs.d/99-local.defs deleted file mode 100644 index e69de29bb..000000000 diff --git a/library/general/test/data/login.defs/vendor/usr/etc/login.defs b/library/general/test/data/login.defs/vendor/usr/etc/login.defs deleted file mode 100644 index 4d65d1b5f..000000000 --- a/library/general/test/data/login.defs/vendor/usr/etc/login.defs +++ /dev/null 
@@ -1,300 +0,0 @@ -# -# /etc/login.defs - Configuration control definitions for the shadow package. -# Some variables are used by login(1), su(1) and runuser(1) from util-linux -# package as well pam pam_unix(8) from pam package. -# -# For more, see login.defs(5). Please note that SUSE supports only variables -# listed here! Not listed variables from login.defs(5) have no effect. -# - -# -# Delay in seconds before being allowed another attempt after a login failure -# Note: When PAM is used, some modules may enforce a minimum delay (e.g. -# pam_unix(8) enforces a 2s delay) -# -FAIL_DELAY 3 - -# -# Enable display of unknown usernames when login(1) failures are recorded. -# -LOG_UNKFAIL_ENAB no - -# -# Enable "syslog" logging of newgrp(1) and sg(1) activity. -# -SYSLOG_SG_ENAB yes - -# -# If defined, either full pathname of a file containing device names or -# a ":" delimited list of device names. Root logins will be allowed only -# from these devices. -# -CONSOLE /etc/securetty -#CONSOLE console:tty01:tty02:tty03:tty04 - -# -# Limit the highest user ID number for which the lastlog entries should -# be updated. -# -# No LASTLOG_UID_MAX means that there is no user ID limit for writing -# lastlog entries. -# -#LASTLOG_UID_MAX - -# -# If defined, all su(1) activity is logged to this file. -# -#SULOG_FILE /var/log/sulog - -# -# If defined, ":" delimited list of "message of the day" files to -# be displayed upon login. -# -#MOTD_FILE /etc/motd:/usr/share/misc/motd - -# -# If defined, file which maps tty line to TERM environment parameter. -# Each line of the file is in a format similar to "vt100 tty01". -# -#TTYTYPE_FILE /etc/ttytype - -# -# If defined, file which inhibits all the usual chatter during the login -# sequence. If a full pathname, then hushed mode will be enabled if the -# user's name or shell are found in the file. If not a full pathname, then -# hushed mode will be enabled if the file exists in the user's home directory. 
-# -#HUSHLOGIN_FILE .hushlogin -HUSHLOGIN_FILE /etc/hushlogins - -# If this variable is set to "yes", hostname will be suppressed in the -# login: prompt. -#LOGIN_PLAIN_PROMPT no - -# -# *REQUIRED* The default PATH settings, for superuser and normal users. -# -# (they are minimal, add the rest in the shell startup files) -# -# ENV_PATH: The default PATH settings for non-root. -# -# ENV_ROOTPATH: The default PATH settings for root -# (used by login, su and runuser). -# -# ENV_SUPATH is an ENV_ROOTPATH override for su and runuser -# (and falback for login). -# -ENV_PATH /usr/local/bin:/bin:/usr/bin -ENV_ROOTPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -# If this variable is set to "yes" (default is "no"), su will always set -# path. every su call will overwrite the PATH variable. -# -# Per default, only "su -" will set a new PATH. -# -# The recommended value is "yes". The default "no" behavior could have -# a security implication in applications that use commands without path. -# -ALWAYS_SET_PATH yes - -# -# Terminal permissions -# -# TTYGROUP Login tty will be assigned this group ownership. -# TTYPERM Login tty will be set to this permission. -# -# If you have a write(1) program which is "setgid" to a special group -# which owns the terminals, define TTYGROUP as the number of such group -# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and -# set TTYPERM to either 622 or 600. -# -TTYGROUP tty -TTYPERM 0620 - -# Default initial "umask" value used by login(1) on non-PAM enabled systems. -# Default "umask" value for pam_umask(8) on PAM enabled systems. -# UMASK is also used by useradd(8) and newusers(8) to set the mode for new -# home directories. -# 022 is the default value, but 027, or even 077, could be considered -# for increased privacy. There is no One True Answer here: each sysadmin -# must make up their mind. 
-UMASK 022
-
-#
-# Password aging controls:
-#
-# PASS_MAX_DAYS Maximum number of days a password may be used.
-# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_WARN_AGE Number of days warning given before a password expires.
-#
-PASS_MAX_DAYS 99999
-PASS_MIN_DAYS 0
-PASS_WARN_AGE 7
-
-#
-# Min/max values for automatic uid selection in useradd(8)
-#
-# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
-# UIDs for dynamically allocated administrative and system accounts.
-# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
-# allocated user accounts.
-#
-UID_MIN 1000
-UID_MAX 60000
-# System accounts
-SYS_UID_MIN 100
-SYS_UID_MAX 499
-# Extra per user uids
-SUB_UID_MIN 100000
-SUB_UID_MAX 600100000
-SUB_UID_COUNT 65536
-
-#
-# Min/max values for automatic gid selection in groupadd(8)
-#
-# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
-# GIDs for dynamically allocated administrative and system groups.
-# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
-# allocated groups.
-#
-GID_MIN 1000
-GID_MAX 60000
-# System accounts
-SYS_GID_MIN 100
-SYS_GID_MAX 499
-# Extra per user group ids
-SUB_GID_MIN 100000
-SUB_GID_MAX 600100000
-SUB_GID_COUNT 65536
-
-#
-# Max number of login(1) retries if password is bad
-#
-LOGIN_RETRIES 3
-
-#
-# Max time in seconds for login(1)
-#
-LOGIN_TIMEOUT 60
-
-#
-# Which fields may be changed by regular users using chfn(1) - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone). If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-#
-CHFN_RESTRICT rwh
-
-#
-# This variable is deprecated. Use ENCRYPT_METHOD instead!
-#
-#MD5_CRYPT_ENAB DO_NOT_USE
-
-#
-# If set to MD5, MD5-based algorithm will be used for encrypting password
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
-# Overrides the MD5_CRYPT_ENAB option
-#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-ENCRYPT_METHOD SHA512
-
-#
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
-#
-# Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute-force the password.
-# However, more CPU resources will be needed to authenticate users if
-# this value is increased.
-#
-# If not specified, the libc will choose the default number of rounds (5000).
-# The values must be within the 1000-999999999 range.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-#SHA_CRYPT_MIN_ROUNDS 5000
-#SHA_CRYPT_MAX_ROUNDS 5000
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default is no.
-#
-DEFAULT_HOME yes
-
-#
-# If defined, this command is run when adding a user.
-# It should rebuild any NIS database etc. to add the
-# new created account.
-#
-USERADD_CMD /usr/sbin/useradd.local
-
-#
-# If defined, this command is run when removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed (passed as the first argument).
-#
-# See also USERDEL_PRECMD and USERDEL_POSTCMD below.
-#
-#USERDEL_CMD /usr/sbin/userdel_local
-
-#
-# If defined, this command is run before removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed.
-#
-USERDEL_PRECMD /usr/sbin/userdel-pre.local
-
-#
-# If defined, this command is run after removing a user.
-# It should rebuild any NIS database etc. to remove the
-# account from it.
-#
-USERDEL_POSTCMD /usr/sbin/userdel-post.local
-
-#
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-#
-# This also enables userdel(8) to remove user groups if no members exist.
-#
-USERGROUPS_ENAB no
-
-#
-# If set to a non-zero number, the shadow utilities will make sure that
-# groups never have more than this number of users on one line.
-# This permits to support split groups (groups split into multiple lines,
-# with the same group ID, to avoid limitation of the line length in the
-# group file).
-#
-# 0 is the default value and disables this feature.
-#
-#MAX_MEMBERS_PER_GROUP 0
-
-#
-# If useradd(8) should create home directories for users by default (non
-# system users only).
-# This option is overridden with the -M or -m flags on the useradd(8)
-# command-line.
-#
-CREATE_HOME no
-
-#
-# Force use shadow, even if shadow passwd & shadow group files are
-# missing.
-#
-FORCE_SHADOW no
-
-#
-# User/group names must match the following regex expression.
-# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
-# but be aware that the result could depend on the locale settings.
-#
-#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
-CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
-
-GROUPADD_CMD /usr/sbin/groupadd.local
\ No newline at end of file
diff --git a/library/general/test/data/login.defs/vendor/usr/etc/login.defs.d/encrypt_method.defs b/library/general/test/data/login.defs/vendor/usr/etc/login.defs.d/encrypt_method.defs
deleted file mode 100644
index e69de29bb..000000000
From 0815da32f1dc0e799d41155687ed066b2cc4ad72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Imobach=20Gonz=C3=A1lez=20Sosa?=
Date: Tue, 13 Apr 2021 07:55:05 +0100
Subject: [PATCH 6/7] Extend CFA::LoginDefs unit tests
---
 library/general/test/cfa/login_defs_test.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/library/general/test/cfa/login_defs_test.rb b/library/general/test/cfa/login_defs_test.rb
index 0646f610a..913923e52 100644
--- a/library/general/test/cfa/login_defs_test.rb
+++ b/library/general/test/cfa/login_defs_test.rb
@@ -90,4 +90,22 @@
       end
     end
   end
+
+  describe "#present_attributes" do
+    it "returns the list of present attributes" do
+      expect(login_defs.present_attributes).to include(*ATTRS_VALUES.keys)
+    end
+  end
+
+  describe "#conflicts" do
+    subject(:other) { described_class.new(file_path: file_path, file_handler: file_handler) }
+
+    before do
+      other.encrypt_method = "SHA256"
+    end
+
+    it "returns the list of attributes with different values" do
+      expect(login_defs.conflicts(other)).to eq([:encrypt_method])
+    end
+  end
 end
From 25c9d7eb844776de9aef0939a6f1cc62a1f7d765 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Imobach=20Gonz=C3=A1lez=20Sosa?=
Date: Tue, 13 Apr 2021 13:39:39 +0100
Subject: [PATCH 7/7] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Ladislav Slezák
---
 package/yast2.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/yast2.changes b/package/yast2.changes
index e4ca2c3d3..e22eb82dc 100644
--- a/package/yast2.changes
+++ b/package/yast2.changes
@@ -2,7 +2,7 @@ Mon Apr 12 15:12:41 UTC 2021 - Imobach Gonzalez Sosa - The ShadowConfig module only considers the /etc/login.defs - file (bsc#1184131). + file (do not use unsupported /etc/login.defs.d/) (bsc#1184131). - 4.2.93 -------------------------------------------------------------------
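Review bot: `subject(:other)` in the new `#conflicts` block rebinds RSpec's subject to the comparison object rather than to the instance under test, and `other` is only ever used as a plain value; `let(:other) { described_class.new(file_path: file_path, file_handler: file_handler) }` says what it is without changing what `subject` means for the rest of the file. The expectation `eq([:encrypt_method])` also presumes the fixture's ENCRYPT_METHOD is not already SHA256, which this hunk does not show; setting it explicitly in the same `before`, e.g. `login_defs.encrypt_method = "SHA512"`, keeps the test from silently depending on test data outside the spec. The `#present_attributes` example only checks inclusion, so an attribute reported as present that the fixture does not contain would go unnoticed; a second expectation that the result has no entries beyond the fixture's keys would close that gap. The enclosing `describe` that defines `login_defs`, `file_path`, `file_handler` and `ATTRS_VALUES` starts outside the hunk.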
