Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-installation for openSUSE:Factory checked in at 2023-06-21 22:36:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-installation (Old) and /work/SRC/openSUSE:Factory/.yast2-installation.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-installation" Wed Jun 21 22:36:55 2023 rev:521 rq:1093932 version:4.6.4 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-installation/yast2-installation.changes 2023-05-16 14:21:48.149812385 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-installation.new.15902/yast2-installation.changes 2023-06-21 22:37:00.553342083 +0200 @@ -1,0 +2,6 @@ +Thu Jun 15 15:01:13 UTC 2023 - Stefan Hundhammer <shundham...@suse.com> + +- Don't always enable sshd and open the ssh port (bsc#1211764) +- 4.6.4 + +------------------------------------------------------------------- Old: ---- yast2-installation-4.6.3.tar.bz2 New: ---- yast2-installation-4.6.4.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-installation.spec ++++++ --- /var/tmp/diff_new_pack.ZCi0J1/_old 2023-06-21 22:37:02.457353542 +0200 +++ /var/tmp/diff_new_pack.ZCi0J1/_new 2023-06-21 22:37:02.465353591 +0200 @@ -17,7 +17,7 @@ Name: yast2-installation -Version: 4.6.3 +Version: 4.6.4 Release: 0 Summary: YaST2 - Installation Parts License: GPL-2.0-only ++++++ yast2-installation-4.6.3.tar.bz2 -> yast2-installation-4.6.4.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.6.3/package/yast2-installation.changes new/yast2-installation-4.6.4/package/yast2-installation.changes --- old/yast2-installation-4.6.3/package/yast2-installation.changes 2023-05-15 10:18:51.000000000 +0200 +++ new/yast2-installation-4.6.4/package/yast2-installation.changes 2023-06-20 10:58:04.000000000 +0200 
@@ -1,4 +1,10 @@ ------------------------------------------------------------------- +Thu Jun 15 15:01:13 UTC 2023 - Stefan Hundhammer <shundham...@suse.com> + +- Don't always enable sshd and open the ssh port (bsc#1211764) +- 4.6.4 + +------------------------------------------------------------------- Thu May 11 16:44:38 UTC 2023 - Stefan Hundhammer <shundham...@suse.com> - Use a larger font for xterm during installation via X resources diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.6.3/package/yast2-installation.spec new/yast2-installation-4.6.4/package/yast2-installation.spec --- old/yast2-installation-4.6.3/package/yast2-installation.spec 2023-05-15 10:18:51.000000000 +0200 +++ new/yast2-installation-4.6.4/package/yast2-installation.spec 2023-06-20 10:58:04.000000000 +0200 @@ -16,7 +16,7 @@ # Name: yast2-installation -Version: 4.6.3 +Version: 4.6.4 Release: 0 Summary: YaST2 - Installation Parts License: GPL-2.0-only diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.6.3/src/lib/installation/clients/security_proposal.rb new/yast2-installation-4.6.4/src/lib/installation/clients/security_proposal.rb --- old/yast2-installation-4.6.3/src/lib/installation/clients/security_proposal.rb 2023-05-15 10:18:51.000000000 +0200 +++ new/yast2-installation-4.6.4/src/lib/installation/clients/security_proposal.rb 2023-06-20 10:58:04.000000000 +0200 
@@ -217,6 +217,10 @@ # Returns the SSH service part of the firewall proposal description # @return [String] proposal html text def sshd_proposal + # Check if only public key auth is configured, and if yes, + # enable SSHD and open the SSH port; but only now, after we are sure + # that the user was prompted for the root password (bsc#1211764). + @settings.propose if @settings.enable_sshd _( "SSH service will be enabled (<a href=\"%s\">disable</a>)" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.6.3/src/lib/installation/security_settings.rb new/yast2-installation-4.6.4/src/lib/installation/security_settings.rb --- old/yast2-installation-4.6.3/src/lib/installation/security_settings.rb 2023-05-15 10:18:51.000000000 +0200 +++ new/yast2-installation-4.6.4/src/lib/installation/security_settings.rb 2023-06-20 10:58:04.000000000 +0200 @@ -78,6 +78,33 @@ Yast::PackagesProposal.SetResolvables("LSM", :pattern, lsm_config.needed_patterns) end + # Make a one-time proposal for the security settings: + # + # If only public key authentication is configured, and no root password is set, + # open the SSH port and enable SSHD so at least SSH access can be used. + # + # This should be called AFTER the user was prompted for the root password, e.g. + # when the security proposal is made during installation. + # + # This is done only once. Use 'reset_proposal' to do do it again. + def propose + return if @proposal_done + + @proposal_done = true + log.info("Making security settings proposal") + return unless only_public_key_auth? + + log.info("Only public key auth") + open_ssh! unless @open_ssh + enable_sshd! unless @enable_sshd + end + + # Reset the proposal; i.e. the next call to 'propose' will do a fresh + # proposal. + def reset_proposal + @proposal_done = false + end + # Services # Add the firewall package to be installed and sets the firewalld service 
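Review bot: `sshd_proposal` is documented as returning the proposal HTML text, but the added `@settings.propose` line gives it a side effect that can enable sshd and open the firewall port, so the security outcome now depends on which description getter happens to be rendered first. It would be more robust to trigger the one-time proposal from the proposal entry point (presumably `make_proposal`, which lies outside this hunk) before any text is built, and leave the getters pure. At minimum the doc comment should say so, e.g. `# Side effect: triggers the one-time security proposal (may enable sshd / open the port).` The rest of `sshd_proposal` continues outside the hunk.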
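Review bot: `propose` sets `@proposal_done = true` before it evaluates `only_public_key_auth?`, and that predicate (later in this diff) returns false with only a warning when `root_user` is nil; if `propose` runs before the root user exists, the one-time proposal is consumed with nothing proposed and every later call returns at the first guard. That leaves exactly the state this method exists to prevent — no root password, sshd not enabled, port closed — and `access_problem?` is also silent in that state, so the installer would not warn either. Keep the proposal pending until it can be decided: `return if @proposal_done` / `return if root_user.nil? # not decidable yet; keep the proposal pending` / `@proposal_done = true`. Whether callers can hit this ordering depends on code outside the hunk, but the guard is cheap and the comment on the method already says it must not run before the root-password prompt.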
@@ -85,7 +112,7 @@ def enable_firewall! Yast::PackagesProposal.AddResolvables("firewall", :package, ["firewalld"]) - log.info "Enabling Firewall" + log.info "Enabling firewall" self.enable_firewall = true end @@ -93,7 +120,7 @@ # service to be disabled def disable_firewall! Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["firewalld"]) - log.info "Disabling Firewall" + log.info "Disabling firewall" self.enable_firewall = false end @@ -121,19 +148,19 @@ # Set the ssh port to be closed def close_ssh! - log.info "Opening SSH port" + log.info "Closing SSH port" self.open_ssh = false end # Set the vnc port to be opened def open_vnc! - log.info "Close VNC port" + log.info "Opening VNC port" self.open_vnc = true end # Set the vnc port to be closed def close_vnc! - log.info "Close VNC port" + log.info "Closing VNC port" self.open_vnc = false end @@ -144,7 +171,7 @@ # authentication and the system is not accesible through ssh def access_problem? # public key is not the only way - return false unless only_public_key_auth + return false unless only_public_key_auth? # without running sshd it is useless return true unless @enable_sshd 
@@ -181,27 +208,32 @@ end def wanted_enable_sshd? - Yast::Linuxrc.usessh || only_public_key_auth || @enable_sshd + Yast::Linuxrc.usessh || @enable_sshd end def wanted_open_ssh? - Yast::Linuxrc.usessh || only_public_key_auth || @open_ssh + Yast::Linuxrc.usessh || @open_ssh end def wanted_open_vnc? Yast::Linuxrc.vnc end - # Determines whether only public key authentication is supported + # Determines whether only public key authentication is supported. + # + # Do not call this prematurely before the user was even prompted for a root password; + # in particular, do not call this from the constructor of this class. # # @note If the root user does not have a password, we assume that we will use a public # key in order to log into the system. In such a case, we need to enable the SSH # service (including opening the port). - def only_public_key_auth - return true unless root_user + def only_public_key_auth? + if root_user.nil? + log.warn("No root user created yet; can't check root password!") + return false + end password = root_user.password_content || "" - password.empty? end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.6.3/test/lib/clients/security_proposal_test.rb new/yast2-installation-4.6.4/test/lib/clients/security_proposal_test.rb --- old/yast2-installation-4.6.3/test/lib/clients/security_proposal_test.rb 2023-05-15 10:18:51.000000000 +0200 +++ new/yast2-installation-4.6.4/test/lib/clients/security_proposal_test.rb 2023-06-20 10:58:04.000000000 +0200 
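Review bot: The renamed predicate `only_public_key_auth?` still decides solely on `password.empty?`; nothing in this hunk verifies that an authorized key was actually imported for root, yet its true result is what makes `propose` enable sshd and open the firewall port. On an installation with an empty root password and no key this exposes a listening sshd that presumably nobody can use (what sshd then permits depends on its configuration, which is outside this diff). The `@note` admits the assumption, but the method name and the `propose` docs ("only public key authentication is configured") overstate it; I would add to the doc comment: `# NOTE: this only checks for an empty root password; it does not verify that an SSH public key was imported for root.` The removal of the `only_public_key_auth` term from `wanted_enable_sshd?`/`wanted_open_ssh?` is the right fix for bsc#1211764 and needs no change.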
@@ -26,6 +26,20 @@ subject(:client) { described_class.new } let(:proposal_settings) { Installation::SecuritySettings.create_instance } + def create_target_config + root = Y2Users::User.create_root + config = Y2Users::Config.new.attach(root) + + Y2Users::ConfigManager.instance.target = config + end + + before do + create_target_config + Y2Users::ConfigManager.instance.target.users.root.password = root_password + end + + let(:root_password) { Y2Users::Password.create_plain("s3cr3t") } + describe "#initialize" do it "instantiates a new proposal settings" do expect(Installation::SecuritySettings).to receive(:instance) @@ -154,7 +168,7 @@ let(:ssh_open) { true } before do - allow(proposal_settings).to receive(:only_public_key_auth).and_return(true) + allow(proposal_settings).to receive(:only_public_key_auth?).and_return(true) proposal_settings.enable_sshd = ssh_enabled proposal_settings.open_ssh = ssh_open end @@ -166,10 +180,17 @@ expect(proposal["warning"]).to be_nil end end - context "and the SSH port is close" do + context "and the SSH port is closed" do let(:ssh_open) { false } - it "returns the proposal warning about the situation" do + it "returns no warning for the the original proposal" do + proposal = client.make_proposal({}) + expect(proposal["warning"]).to be_nil + end + + it "returns a warning after the user changed settings manually" do + client.make_proposal({}) + proposal_settings.close_ssh! proposal = client.make_proposal({}) expect(proposal["warning"]).to include("might not be allowed") end 
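Review bot: The new top-level `before` block assigns `Y2Users::ConfigManager.instance.target` for every example in this file but nothing restores it afterwards; if that manager is a process-wide singleton (its `.instance` accessor suggests so), the root user with password "s3cr3t" leaks into any example group that runs later in the same process and expects no target config. Pair it with a teardown such as `after { Y2Users::ConfigManager.instance.target = nil }` (or save and restore the previous target). Two of the added example descriptions also read "for the the original proposal"; one "the" should go.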
@@ -179,7 +200,14 @@ context "and the SSH is disabled" do let(:ssh_enabled) { false } + it "returns no warning for the the original proposal" do + proposal = client.make_proposal({}) + expect(proposal["warning"]).to be_nil + end + it "returns the proposal warning about the situation" do + client.make_proposal({}) + proposal_settings.disable_sshd! proposal = client.make_proposal({}) expect(proposal["warning"]).to include("might not be allowed") end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-installation-4.6.3/test/lib/security_settings_test.rb new/yast2-installation-4.6.4/test/lib/security_settings_test.rb --- old/yast2-installation-4.6.3/test/lib/security_settings_test.rb 2023-05-15 10:18:51.000000000 +0200 +++ new/yast2-installation-4.6.4/test/lib/security_settings_test.rb 2023-06-20 10:58:04.000000000 +0200 @@ -68,6 +68,12 @@ described_class.create_instance end + it "does not yet check for public key auth only" do + expect_any_instance_of(described_class).not_to receive(:only_public_key_auth?) + + described_class.create_instance + end + context "when firewall has been enabled in the control file" do let(:global_section) { { "enable_firewall" => true, "enable_sshd" => false } } @@ -103,7 +109,9 @@ described_class.create_instance end end + end + describe "#propose" do context "when no root password was set" do let(:root_password) { Y2Users::Password.create_plain("") } 
@@ -111,11 +119,35 @@ allow(Yast::Linuxrc).to receive(:usessh).and_return(false) end - it "opens SSH to allow public key authentication" do + it "without propose does not change the SSH settings" do + expect_any_instance_of(described_class).not_to receive(:enable_sshd!) + expect_any_instance_of(described_class).not_to receive(:open_ssh!) + + described_class.create_instance + end + + it "with propose opens SSH to allow public key authentication" do expect_any_instance_of(described_class).to receive(:enable_sshd!) expect_any_instance_of(described_class).to receive(:open_ssh!) - described_class.create_instance + instance = described_class.create_instance + instance.propose + end + end + + context "when a root password was set" do + let(:root_password) { Y2Users::Password.create_plain("s3cr3t") } + + before do + allow(Yast::Linuxrc).to receive(:usessh).and_return(false) + end + + it "does not change the SSH settings" do + expect_any_instance_of(described_class).not_to receive(:enable_sshd!) + expect_any_instance_of(described_class).not_to receive(:open_ssh!) + + instance = described_class.create_instance + instance.propose end end end @@ -290,19 +322,19 @@ subject.enable_sshd = ssh_enabled subject.enable_firewall = firewall_enabled subject.open_ssh = ssh_open - allow(subject).to receive(:only_public_key_auth).and_return(only_ssh_key_auth) + allow(subject).to receive(:only_public_key_auth?).and_return(only_ssh_key_auth) end context "when the root user uses only SSH key based authentication" do context "when sshd is enabled" do - context "and firewall is enabled" do + context "and the firewall is enabled" do context "and the SSH port is open" do it "returns false" do expect(subject.access_problem?).to eql(false) end end - context "and the SSH port is close" do + context "and the SSH port is closed" do let(:ssh_open) { false } it "returns true" do 
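Review bot: The new `#propose` examples cover an empty and a non-empty root password, but not the branch the implementation special-cases: no root user in the target config, where `only_public_key_auth?` logs a warning and returns false. That is the path on which the one-time proposal can be consumed without enabling SSH, so it deserves a pinned expectation, e.g. an `it "does not change the SSH settings when no root user exists yet"` example that detaches or omits the root user and asserts `enable_sshd!`/`open_ssh!` are not received. How the root user is attached to the target config in this file is outside the hunk, so the fixture setup for that case may need a small helper.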
@@ -311,7 +343,7 @@ end end - context "and firewall is disabled" do + context "and the firewall is disabled" do let(:firewall_enabled) { false } it "returns false" do