Class: Installation::SecuritySettings

Inherits:

Object

• Object
• Installation::SecuritySettings

Includes:

Yast::I18n, Yast::Logger

Defined in:

src/lib/installation/security_settings.rb

Overview

Class that stores the security proposal settings during installation.

Instance Attribute Summary

• #default_zone ⇒ Object

  [String] Name of the default zone where perform the changes.

• #enable_firewall ⇒ Object

  [Boolean] Whether the firewalld service will be enable.

• #enable_sshd ⇒ Object

  [Boolean] Whether the sshd service will be enable.

• #open_ssh ⇒ Object

  [Boolean] Whether the ssh port will be opened.

• #open_vnc ⇒ Object

  [Boolean] Whether the vnc port will be opened.

• #polkit_default_privileges ⇒ Object

  [String, nil] Setting for policy kit default privileges For more info see /etc/sysconfig/security#POLKIT_DEFAULT_PRIVS.

Class Method Summary

• .create_instance ⇒ Object

  Enforce a new clean instance.

• .instance ⇒ Object

  Singleton instance.

• .run ⇒ Object

Instance Method Summary

• #access_problem? ⇒ Boolean

  Return whether the current settings could be a problem for the user to login.

• #close_ssh! ⇒ Object

  Set the ssh port to be closed.

• #close_vnc! ⇒ Object

  Set the vnc port to be closed.

• #disable_firewall! ⇒ Object

  Remove the firewalld package from being installed and sets the firewalld service to be disabled.

• #disable_sshd! ⇒ Object

  Remove the openssh package from being installed and sets the sshd service to be disabled.

• #enable_firewall! ⇒ Object

  Add the firewall package to be installed and sets the firewalld service to be enabled.

• #enable_sshd! ⇒ Object

  Add the openssh package to be installed and sets the sshd service to be enabled.

• #human_polkit_privileges ⇒ Object
• #initialize ⇒ SecuritySettings constructor

  Constructor.

• #load_features ⇒ Object

  Load the default values defined in the control file.

• #lsm_config ⇒ Y2Security::LSM::Config

  The LSM config handler.

• #open_ssh! ⇒ Object

  Set the ssh port to be opened.

• #open_vnc! ⇒ Object

  Set the vnc port to be opened.

• #propose ⇒ Object

  Make a one-time proposal for the security settings:.

• #propose_lsm_config ⇒ Object

  When Linux Security Module is declared as configurable and there is no Module selected yet it will select the desired LSM and the needed patterns for it accordingly.

• #reset_proposal ⇒ Object

  Reset the proposal; i.e.

Constructor Details

#initialize ⇒ SecuritySettings

Constructor

# File 'src/lib/installation/security_settings.rb', line 45

def initialize
  textdomain "installation"
  Yast.import "PackagesProposal"
  Yast.import "ProductFeatures"
  Yast.import "Linuxrc"

  load_features
  enable_firewall! if @enable_firewall
  enable_sshd! if wanted_enable_sshd?
  open_ssh! if wanted_open_ssh?
  open_vnc! if wanted_open_vnc?
  propose_lsm_config
  # FIXME: obtain from Y2Firewall::Firewalld, control file or allow to
  # chose a different one in the proposal
  @default_zone = "public"
end

Instance Attribute Details

#default_zone ⇒ Object

[String] Name of the default zone where perform the changes

# File 'src/lib/installation/security_settings.rb', line 39

def default_zone
  @default_zone
end

#enable_firewall ⇒ Object

[Boolean] Whether the firewalld service will be enable

# File 'src/lib/installation/security_settings.rb', line 31

def enable_firewall
  @enable_firewall
end

#enable_sshd ⇒ Object

[Boolean] Whether the sshd service will be enable

# File 'src/lib/installation/security_settings.rb', line 33

def enable_sshd
  @enable_sshd
end

#open_ssh ⇒ Object

[Boolean] Whether the ssh port will be opened

# File 'src/lib/installation/security_settings.rb', line 35

def open_ssh
  @open_ssh
end

#open_vnc ⇒ Object

[Boolean] Whether the vnc port will be opened

# File 'src/lib/installation/security_settings.rb', line 37

def open_vnc
  @open_vnc
end

#polkit_default_privileges ⇒ Object

[String, nil] Setting for policy kit default privileges For more info see /etc/sysconfig/security#POLKIT_DEFAULT_PRIVS

# File 'src/lib/installation/security_settings.rb', line 42

def polkit_default_privileges
  @polkit_default_privileges
end

Class Method Details

.create_instance ⇒ Object

Enforce a new clean instance

# File 'src/lib/installation/security_settings.rb', line 263

def create_instance
  @instance = new
end

.instance ⇒ Object

Singleton instance

# File 'src/lib/installation/security_settings.rb', line 257

def instance
  create_instance unless @instance
  @instance
end

.run ⇒ Object

# File 'src/lib/installation/security_settings.rb', line 252

def run
  instance.run
end

Instance Method Details

#access_problem? ⇒ Boolean

Return whether the current settings could be a problem for the user to login

Returns:

• (Boolean) —

  true if the root user uses only public key authentication and the system is not accesible through ssh

# File 'src/lib/installation/security_settings.rb', line 172

def access_problem?
  # public key is not the only way
  return false unless only_public_key_auth?

  # without running sshd it is useless
  return true unless @enable_sshd

  # firewall is up and port for ssh is not open
  @enable_firewall && !@open_ssh
end

#close_ssh! ⇒ Object

Set the ssh port to be closed

# File 'src/lib/installation/security_settings.rb', line 150

def close_ssh!
  log.info "Closing SSH port"
  self.open_ssh = false
end

#close_vnc! ⇒ Object

Set the vnc port to be closed

# File 'src/lib/installation/security_settings.rb', line 162

def close_vnc!
  log.info "Closing VNC port"
  self.open_vnc = false
end

#disable_firewall! ⇒ Object

Remove the firewalld package from being installed and sets the firewalld service to be disabled

# File 'src/lib/installation/security_settings.rb', line 121

def disable_firewall!
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["firewalld"])
  log.info "Disabling firewall"
  self.enable_firewall = false
end

#disable_sshd! ⇒ Object

Remove the openssh package from being installed and sets the sshd service to be disabled

# File 'src/lib/installation/security_settings.rb', line 137

def disable_sshd!
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["openssh"])
  log.info "Disabling SSHD"
  self.enable_sshd = false
end

#enable_firewall! ⇒ Object

Add the firewall package to be installed and sets the firewalld service to be enabled

# File 'src/lib/installation/security_settings.rb', line 112

def enable_firewall!
  Yast::PackagesProposal.AddResolvables("firewall", :package, ["firewalld"])

  log.info "Enabling firewall"
  self.enable_firewall = true
end

#enable_sshd! ⇒ Object

Add the openssh package to be installed and sets the sshd service to be enabled

# File 'src/lib/installation/security_settings.rb', line 129

def enable_sshd!
  Yast::PackagesProposal.AddResolvables("firewall", :package, ["openssh"])
  log.info "Enabling SSHD"
  self.enable_sshd = true
end

#human_polkit_privileges ⇒ Object

# File 'src/lib/installation/security_settings.rb', line 183

def human_polkit_privileges
  {
    ""            => _("Default"),
    # TRANSLATORS: restrictive in sense the most restrictive policy
    "restrictive" => _("Restrictive"),
    "standard"    => _("Standard"),
    # TRANSLATORS: easy in sense the least restrictive policy
    "easy"        => _("Easy")
  }
end

#load_features ⇒ Object

Load the default values defined in the control file

# File 'src/lib/installation/security_settings.rb', line 63

def load_features
  load_feature(:enable_firewall, :enable_firewall)
  load_feature(:firewall_enable_ssh, :open_ssh)
  load_feature(:enable_sshd, :enable_sshd)
  load_feature(:polkit_default_privs, :polkit_default_privileges)
end

#lsm_config ⇒ Y2Security::LSM::Config

Returns the LSM config handler.

Returns:

• (Y2Security::LSM::Config) —

  the LSM config handler

# File 'src/lib/installation/security_settings.rb', line 195

def lsm_config
  Y2Security::LSM::Config.instance
end

#open_ssh! ⇒ Object

Set the ssh port to be opened

# File 'src/lib/installation/security_settings.rb', line 144

def open_ssh!
  log.info "Opening SSH port"
  self.open_ssh = true
end

#open_vnc! ⇒ Object

Set the vnc port to be opened

# File 'src/lib/installation/security_settings.rb', line 156

def open_vnc!
  log.info "Opening VNC port"
  self.open_vnc = true
end

#propose ⇒ Object

Make a one-time proposal for the security settings:

If only public key authentication is configured, and no root password is set, open the SSH port and enable SSHD so at least SSH access can be used.

This should be called AFTER the user was prompted for the root password, e.g. when the security proposal is made during installation.

This is done only once. Use 'reset_proposal' to do do it again.

# File 'src/lib/installation/security_settings.rb', line 90

def propose
  return if @proposal_done

  @proposal_done = true
  log.info("Making security settings proposal")
  return unless only_public_key_auth?

  log.info("Only public key auth")
  open_ssh! unless @open_ssh
  enable_sshd! unless @enable_sshd
end

#propose_lsm_config ⇒ Object

When Linux Security Module is declared as configurable and there is no Module selected yet it will select the desired LSM and the needed patterns for it accordingly

# File 'src/lib/installation/security_settings.rb', line 72

def propose_lsm_config
  return unless lsm_config.configurable?
  return if lsm_config.selected

  lsm_config.propose_default
  # It will be set even if the proposal is not shown (e.g. configurable but not selectable)
  Yast::PackagesProposal.SetResolvables("LSM", :pattern, lsm_config.needed_patterns)
end

#reset_proposal ⇒ Object

Reset the proposal; i.e. the next call to 'propose' will do a fresh proposal.

# File 'src/lib/installation/security_settings.rb', line 104

def reset_proposal
  @proposal_done = false
end