Class: Installation::SecuritySettings

Inherits:
Object
Includes:
Yast::I18n, Yast::Logger
Defined in:
src/lib/installation/security_settings.rb

Overview

Class that stores the security proposal settings during installation.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initializeSecuritySettings

Constructor



# File 'src/lib/installation/security_settings.rb', line 45

# Builds the settings object and applies the product defaults.
#
# Imports the YaST modules used by the enable/disable helpers, reads the
# control-file defaults (firewall, sshd, ssh port, polkit privileges),
# applies the ones that are wanted, and proposes the Linux Security
# Module. The firewall zone is fixed to "public" for now.
def initialize
  textdomain "installation"
  %w[PackagesProposal ProductFeatures Linuxrc].each { |mod| Yast.import(mod) }

  load_features
  # the control file value decides the firewall; the wanted_* helpers decide the rest
  enable_firewall! if @enable_firewall
  enable_sshd! if wanted_enable_sshd?
  open_ssh! if wanted_open_ssh?
  open_vnc! if wanted_open_vnc?
  propose_lsm_config
  # FIXME: obtain from Y2Firewall::Firewalld, control file or allow to
  # chose a different one in the proposal
  @default_zone = "public"
end

Instance Attribute Details

#default_zoneObject

[String] Name of the default zone where the changes are performed



# File 'src/lib/installation/security_settings.rb', line 39

# Name of the firewalld zone in which the port changes are applied.
# The constructor currently hard-codes it to "public" (see its FIXME).
#
# @return [String] zone name
def default_zone
  @default_zone
end

#enable_firewallObject

[Boolean] Whether the firewalld service will be enabled



# File 'src/lib/installation/security_settings.rb', line 31

# Whether the firewalld service is to be enabled on the installed system.
# Initially read from the control file by #load_features and changed by
# #enable_firewall! / #disable_firewall!.
#
# @return [Boolean] truthy when firewalld is to be enabled
def enable_firewall
  @enable_firewall
end

#enable_sshdObject

[Boolean] Whether the sshd service will be enabled



# File 'src/lib/installation/security_settings.rb', line 33

# Whether the sshd service is to be enabled on the installed system.
# Initially read from the control file by #load_features; changed by
# #enable_sshd! / #disable_sshd! and, for key-only root logins, by #propose.
#
# @return [Boolean] truthy when sshd is to be enabled
def enable_sshd
  @enable_sshd
end

#open_sshObject

[Boolean] Whether the ssh port will be opened



# File 'src/lib/installation/security_settings.rb', line 35

# Whether the ssh port is to be opened in the firewall.
# Initially read from the control file feature `firewall_enable_ssh` by
# #load_features; changed by #open_ssh! / #close_ssh! and by #propose.
#
# @return [Boolean] truthy when the ssh port is to be opened
def open_ssh
  @open_ssh
end

#open_vncObject

[Boolean] Whether the vnc port will be opened



# File 'src/lib/installation/security_settings.rb', line 37

# Whether the vnc port is to be opened in the firewall.
# Changed by #open_vnc! / #close_vnc!; unlike the other flags it is not
# loaded by #load_features but decided in the constructor.
#
# @return [Boolean] truthy when the vnc port is to be opened
def open_vnc
  @open_vnc
end

#polkit_default_privilegesObject

[String, nil] Setting for the PolicyKit default privileges. For more info see /etc/sysconfig/security#POLKIT_DEFAULT_PRIVS



# File 'src/lib/installation/security_settings.rb', line 42

# PolicyKit default privileges profile, read from the control file feature
# `polkit_default_privs` by #load_features. The known values and their
# labels are listed in #human_polkit_privileges ("" meaning the default).
#
# @return [String, nil] profile name, nil when the control file sets none
def polkit_default_privileges
  @polkit_default_privileges
end

Class Method Details

.create_instanceObject

Enforce a new clean instance



# File 'src/lib/installation/security_settings.rb', line 263

# Replaces any existing singleton with a freshly built instance, so the
# constructor re-reads the control-file defaults.
#
# @return [SecuritySettings] the new instance
def create_instance
  @instance = new
end

.instanceObject

Singleton instance



# File 'src/lib/installation/security_settings.rb', line 257

# Singleton accessor; builds the instance on first use.
#
# @return [SecuritySettings] the shared instance
def instance
  @instance ||= create_instance
end

.runObject



# File 'src/lib/installation/security_settings.rb', line 252

# Convenience entry point: delegates to #run of the singleton instance.
def run
  instance.run
end

Instance Method Details

#access_problem?Boolean

Return whether the current settings could prevent the user from logging in

Returns:

  • (Boolean)

    true if the root user uses only public key authentication and the system is not accessible through ssh



# File 'src/lib/installation/security_settings.rb', line 172

# Whether the current settings would lock the user out of the system.
#
# With key-only root authentication the only way in is ssh, so the
# combination "sshd disabled" or "firewall on with the ssh port closed"
# is reported as a problem.
#
# @return [Boolean] true if root uses only public key authentication and
#   ssh access would not be reachable
def access_problem?
  # a root password is set, so there is another way to log in
  return false unless only_public_key_auth?

  # no sshd means no key login at all; otherwise the firewall must not block it
  !@enable_sshd || (@enable_firewall && !@open_ssh)
end

#close_ssh!Object

Set the ssh port to be closed



# File 'src/lib/installation/security_settings.rb', line 150

# Marks the ssh port to stay closed in the firewall.
#
# Only the proposal flag changes; the firewall itself is untouched here.
def close_ssh!
  log.info("Closing SSH port")
  self.open_ssh = false
end

#close_vnc!Object

Set the vnc port to be closed



# File 'src/lib/installation/security_settings.rb', line 162

# Marks the vnc port to stay closed in the firewall.
#
# Only the proposal flag changes; the firewall itself is untouched here.
def close_vnc!
  log.info("Closing VNC port")
  self.open_vnc = false
end

#disable_firewall!Object

Removes the firewalld package from the set of packages to install and sets the firewalld service to be disabled



# File 'src/lib/installation/security_settings.rb', line 121

# Drops firewalld from the packages to install and marks the service as
# disabled. The installed system then has no firewall at all, so the
# ssh/vnc port flags become irrelevant.
def disable_firewall!
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, %w[firewalld])
  log.info("Disabling firewall")
  self.enable_firewall = false
end

#disable_sshd!Object

Removes the openssh package from the set of packages to install and sets the sshd service to be disabled



# File 'src/lib/installation/security_settings.rb', line 137

# Drops openssh from the packages to install and marks sshd as disabled.
# With key-only root authentication this leaves no remote login path
# (see #access_problem?).
def disable_sshd!
  Yast::PackagesProposal.RemoveResolvables("firewall", :package, %w[openssh])
  log.info("Disabling SSHD")
  self.enable_sshd = false
end

#enable_firewall!Object

Adds the firewalld package to the set of packages to install and sets the firewalld service to be enabled



# File 'src/lib/installation/security_settings.rb', line 112

# Adds firewalld to the packages to install and marks the service as
# enabled. Which ports stay reachable is then governed by #open_ssh and
# #open_vnc.
def enable_firewall!
  Yast::PackagesProposal.AddResolvables("firewall", :package, %w[firewalld])

  log.info("Enabling firewall")
  self.enable_firewall = true
end

#enable_sshd!Object

Adds the openssh package to the set of packages to install and sets the sshd service to be enabled



# File 'src/lib/installation/security_settings.rb', line 129

# Adds openssh to the packages to install and marks sshd as enabled.
# Enabling the service does not open the firewall port; see #open_ssh!.
def enable_sshd!
  Yast::PackagesProposal.AddResolvables("firewall", :package, %w[openssh])
  log.info("Enabling SSHD")
  self.enable_sshd = true
end

#human_polkit_privilegesObject



# File 'src/lib/installation/security_settings.rb', line 183

# Translated labels for the known PolicyKit default privileges profiles,
# keyed by the value stored in #polkit_default_privileges. The empty key
# stands for "no profile chosen", i.e. the product default.
#
# @return [Hash{String => String}] profile value => translated label,
#   ordered from the most to the least restrictive after the default
def human_polkit_privileges
  labels = {}
  labels[""] = _("Default")
  # TRANSLATORS: restrictive in sense the most restrictive policy
  labels["restrictive"] = _("Restrictive")
  labels["standard"] = _("Standard")
  # TRANSLATORS: easy in sense the least restrictive policy
  labels["easy"] = _("Easy")
  labels
end

#load_featuresObject

Load the default values defined in the control file



# File 'src/lib/installation/security_settings.rb', line 63

# Loads the product defaults from the control file into the settings.
#
# Each pair maps a control-file feature name to the attribute it feeds;
# the vnc port has no control-file feature and is not loaded here.
def load_features
  [
    [:enable_firewall, :enable_firewall],
    [:firewall_enable_ssh, :open_ssh],
    [:enable_sshd, :enable_sshd],
    [:polkit_default_privs, :polkit_default_privileges]
  ].each { |feature, attribute| load_feature(feature, attribute) }
end

#lsm_configY2Security::LSM::Config

Returns the LSM config handler.

Returns:

  • (Y2Security::LSM::Config)

    the LSM config handler



# File 'src/lib/installation/security_settings.rb', line 195

# Access to the Linux Security Module configuration singleton used by
# #propose_lsm_config.
#
# @return [Y2Security::LSM::Config] the LSM config handler
def lsm_config
  Y2Security::LSM::Config.instance
end

#open_ssh!Object

Set the ssh port to be opened



# File 'src/lib/installation/security_settings.rb', line 144

# Marks the ssh port to be opened in the firewall.
#
# Only the proposal flag changes; the firewall itself is untouched here.
def open_ssh!
  log.info("Opening SSH port")
  self.open_ssh = true
end

#open_vnc!Object

Set the vnc port to be opened



# File 'src/lib/installation/security_settings.rb', line 156

# Marks the vnc port to be opened in the firewall.
#
# Only the proposal flag changes; the firewall itself is untouched here.
def open_vnc!
  log.info("Opening VNC port")
  self.open_vnc = true
end

#proposeObject

Make a one-time proposal for the security settings:

If only public key authentication is configured, and no root password is set, open the SSH port and enable SSHD so at least SSH access can be used.

This should be called AFTER the user was prompted for the root password, e.g. when the security proposal is made during installation.

This is done only once. Use 'reset_proposal' to do it again.



# File 'src/lib/installation/security_settings.rb', line 90

# One-time proposal of the security settings.
#
# When root can only authenticate with a public key, ssh is the only way
# in, so the ssh port is opened and sshd enabled to avoid a lock-out.
# Must run after the root password dialog, since that decides
# only_public_key_auth?. Repeated calls are no-ops until #reset_proposal.
def propose
  return if @proposal_done

  @proposal_done = true
  log.info("Making security settings proposal")
  return unless only_public_key_auth?

  log.info("Only public key auth")
  # flip only what is still closed / disabled
  open_ssh! unless @open_ssh
  enable_sshd! unless @enable_sshd
end

#propose_lsm_configObject

When the Linux Security Module is declared as configurable and no module has been selected yet, this selects the desired LSM and, accordingly, the patterns needed for it



# File 'src/lib/installation/security_settings.rb', line 72

# Selects the default Linux Security Module and its patterns when the
# product allows choosing one and nothing has been selected yet.
#
# The patterns are registered even when the LSM proposal is never shown
# (configurable but not selectable), so the module is installed regardless.
def propose_lsm_config
  # nothing to do when the product fixes the LSM or a choice was already made
  return if !lsm_config.configurable? || lsm_config.selected

  lsm_config.propose_default
  Yast::PackagesProposal.SetResolvables("LSM", :pattern, lsm_config.needed_patterns)
end

#reset_proposalObject

Reset the proposal; i.e. the next call to 'propose' will do a fresh proposal.



# File 'src/lib/installation/security_settings.rb', line 104

# Clears the one-shot guard so the next #propose call evaluates the
# settings again (e.g. after the root password was changed).
def reset_proposal
  @proposal_done = false
end