|
 |
c5477d |
From 62d2e9832561d590fdcfbcab8bd03f5cb31fd5d1 Mon Sep 17 00:00:00 2001
|
|
|
c5477d |
From: Vratislav Podzimek <vpodzime@redhat.com>
|
|
|
c5477d |
Date: Wed, 25 May 2016 08:53:17 +0200
|
|
|
c5477d |
Subject: [PATCH 05/13] Enforce the minimal root password length
|
|
|
c5477d |
|
|
|
c5477d |
With Anaconda supporting the pwpolicy command putting restrictions on (among the
|
|
|
c5477d |
other things) root password minimal length we can actually enforce the policy
|
|
|
c5477d |
given in the SCAP content in interactive installations.
|
|
|
c5477d |
|
|
|
c5477d |
Resolves: rhbz#1238281
|
|
|
c5477d |
---
|
|
|
c5477d |
org_fedora_oscap/rule_handling.py | 50 ++++++++++++++++++++++++++++++++++-----
|
|
|
c5477d |
1 file changed, 44 insertions(+), 6 deletions(-)
|
|
|
c5477d |
|
|
|
c5477d |
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
|
|
|
c5477d |
index 6a67e8a..a7bed22 100644
|
|
|
c5477d |
--- a/org_fedora_oscap/rule_handling.py
|
|
|
c5477d |
+++ b/org_fedora_oscap/rule_handling.py
|
|
|
c5477d |
@@ -26,6 +26,8 @@ Module with various classes for handling pre-installation rules.
|
|
|
c5477d |
import optparse
|
|
|
c5477d |
import shlex
|
|
|
c5477d |
|
|
|
c5477d |
+from pyanaconda.pwpolicy import F22_PwPolicyData
|
|
|
c5477d |
+
|
|
|
c5477d |
from org_fedora_oscap import common
|
|
|
c5477d |
from org_fedora_oscap.common import OSCAPaddonError, RuleMessage
|
|
|
c5477d |
|
|
|
c5477d |
@@ -35,6 +37,9 @@ __all__ = ["RuleData"]
|
|
|
c5477d |
import gettext
|
|
|
c5477d |
_ = lambda x: gettext.ldgettext("oscap-anaconda-addon", x)
|
|
|
c5477d |
|
|
|
c5477d |
+import logging
|
|
|
c5477d |
+log = logging.getLogger("anaconda")
|
|
|
c5477d |
+
|
|
|
c5477d |
# TODO: use set instead of list for mount options?
|
|
|
c5477d |
def parse_csv(option, opt_str, value, parser):
|
|
|
c5477d |
for item in value.split(","):
|
|
|
c5477d |
@@ -392,6 +397,9 @@ class PasswdRules(RuleHandler):
|
|
|
c5477d |
"""Constructor initializing attributes."""
|
|
|
c5477d |
|
|
|
c5477d |
self._minlen = 0
|
|
|
c5477d |
+ self._created_policy = False
|
|
|
c5477d |
+ self._orig_minlen = None
|
|
|
c5477d |
+ self._orig_strict = None
|
|
|
c5477d |
|
|
|
c5477d |
def __str__(self):
|
|
|
c5477d |
"""Standard method useful for debugging and testing."""
|
|
|
c5477d |
@@ -414,25 +422,55 @@ class PasswdRules(RuleHandler):
|
|
|
c5477d |
# no password restrictions, nothing to be done here
|
|
|
c5477d |
return []
|
|
|
c5477d |
|
|
|
c5477d |
+ ret = []
|
|
|
c5477d |
if not ksdata.rootpw.password:
|
|
|
c5477d |
# root password was not set
|
|
|
c5477d |
|
|
|
c5477d |
- # password length enforcement is not suported in the Anaconda yet
|
|
|
c5477d |
msg = _("make sure to create password with minimal length of %d "
|
|
|
c5477d |
- "characters" % self._minlen)
|
|
|
c5477d |
- return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
|
|
|
c5477d |
+ "characters") % self._minlen
|
|
|
c5477d |
+ ret = [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
|
|
|
c5477d |
else:
|
|
|
c5477d |
# root password set
|
|
|
c5477d |
if ksdata.rootpw.isCrypted:
|
|
|
c5477d |
msg = _("cannot check root password length (password is crypted)")
|
|
|
c5477d |
+ log.warning("cannot check root password length (password is crypted)")
|
|
|
c5477d |
return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
|
|
|
c5477d |
elif len(ksdata.rootpw.password) < self._minlen:
|
|
|
c5477d |
# too short
|
|
|
c5477d |
msg = _("root password is too short, a longer one with at "
|
|
|
c5477d |
- "least %d characters is required" % self._minlen)
|
|
|
c5477d |
- return [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)]
|
|
|
c5477d |
+ "least %d characters is required") % self._minlen
|
|
|
c5477d |
+ ret = [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)]
|
|
|
c5477d |
else:
|
|
|
c5477d |
- return []
|
|
|
c5477d |
+ ret = []
|
|
|
c5477d |
+
|
|
|
c5477d |
+ # set the policy in any case (so that a weaker password is not entered)
|
|
|
c5477d |
+ pw_policy = ksdata.anaconda.pwpolicy.get_policy("root")
|
|
|
c5477d |
+ if pw_policy is None:
|
|
|
c5477d |
+ pw_policy = F22_PwPolicyData()
|
|
|
c5477d |
+ ksdata.anaconda.pwpolicy.policyList.append(pw_policy)
|
|
|
c5477d |
+ self._created_policy = True
|
|
|
c5477d |
+
|
|
|
c5477d |
+ self._orig_minlen = pw_policy.minlen
|
|
|
c5477d |
+ self._orig_strict = pw_policy.strict
|
|
|
c5477d |
+ pw_policy.minlen = self._minlen
|
|
|
c5477d |
+ pw_policy.strict = True
|
|
|
c5477d |
+
|
|
|
c5477d |
+ return ret
|
|
|
c5477d |
+
|
|
|
c5477d |
+ def revert_changes(self, ksdata, storage):
|
|
|
c5477d |
+ """:see: RuleHander.revert_changes"""
|
|
|
c5477d |
+
|
|
|
c5477d |
+ pw_policy = ksdata.anaconda.pwpolicy.get_policy("root")
|
|
|
c5477d |
+ if self._created_policy:
|
|
|
c5477d |
+ ksdata.anaconda.pwpolicy.policyList.remove(pw_policy)
|
|
|
c5477d |
+ self._created_policy = False
|
|
|
c5477d |
+ else:
|
|
|
c5477d |
+ if self._orig_minlen is not None:
|
|
|
c5477d |
+ pw_policy.minlen = self._orig_minlen
|
|
|
c5477d |
+ self._orig_minlen = None
|
|
|
c5477d |
+ if self._orig_strict is not None:
|
|
|
c5477d |
+ pw_policy.strict = self._orig_strict
|
|
|
c5477d |
+ self._orig_strict = None
|
|
|
c5477d |
|
|
|
c5477d |
class PackageRules(RuleHandler):
|
|
|
c5477d |
"""Simple class holding data from the rules affecting installed packages."""
|
|
|
c5477d |
--
|
|
|
c5477d |
2.5.5
|
|
|
c5477d |
|