From ae19eb551eb6733ea7a4cf7a4e526371971f1663 Mon Sep 17 00:00:00 2001

From: Vratislav Podzimek <vpodzime@redhat.com>

Date: Wed, 16 Sep 2015 14:36:23 +0200

Subject: [PATCH] Do not remove the root password behind user's back (#1263254)

If the chosen profile requires a longer password than what was set in kickstart,

consider it a misconfiguration like any other such issue instead of silently

removing the password and going on. Removing password brings two problems:

1) in text mode it causes a system with no (empty) root password to be installed

2) in graphical mode it causes the installation with a complete kickstart to

hang waiting for a new root password

Signed-off-by: Vratislav Podzimek <vpodzime@redhat.com>

---

 org_fedora_oscap/rule_handling.py | 29 ++++++-----------------------

 1 file changed, 6 insertions(+), 23 deletions(-)

diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py

index a969b16..6a67e8a 100644

--- a/org_fedora_oscap/rule_handling.py

+++ b/org_fedora_oscap/rule_handling.py

@@ -392,7 +392,6 @@ class PasswdRules(RuleHandler):

         """Constructor initializing attributes."""

         self._minlen = 0

-        self._removed_password = None

     def __str__(self):

         """Standard method useful for debugging and testing."""

@@ -415,7 +414,7 @@ class PasswdRules(RuleHandler):

             # no password restrictions, nothing to be done here

             return []

-        if not ksdata.rootpw.password and self._removed_password is None:

+        if not ksdata.rootpw.password:

             # root password was not set

             # password length enforcement is not suported in the Anaconda yet

@@ -427,30 +426,14 @@ class PasswdRules(RuleHandler):

             if ksdata.rootpw.isCrypted:

                 msg = _("cannot check root password length (password is crypted)")

                 return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]

-            elif len(ksdata.rootpw.password) < self._minlen or \

-                    self._removed_password is not None:

-                # too short or already removed

-                msg = _("root password was too short, a longer one with at "

-                        "least %d characters will be required" % self._minlen)

-                if not report_only and self._removed_password is None:

-                    # remove the password and reset the seen flag no to confuse Anaconda

-                    self._removed_password = ksdata.rootpw.password

-                    ksdata.rootpw.password = ""

-                    ksdata.rootpw.seen = False

-                return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]

+            elif len(ksdata.rootpw.password) < self._minlen:

+                # too short

+                msg = _("root password is too short, a longer one with at "

+                        "least %d characters is required" % self._minlen)

+                return [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)]

             else:

                 return []

-    def revert_changes(self, ksdata, storage):

-        """:see: RuleHandler.revert_changes"""

-

-        # set the old password back

-        if self._removed_password is not None:

-            ksdata.rootpw.password = self._removed_password

-            ksdata.rootpw.seen = True

-

-            self._removed_password = None

-

 class PackageRules(RuleHandler):

     """Simple class holding data from the rules affecting installed packages."""

-- 

2.1.0