Univention Bugzilla – Attachment 7456 Details for Bug 39700: univention-system-activation: On non-master systems, root ssh restrictions are not removed
[patch] univention-system-activation.patch (text/plain), 4.86 KB, created by Eduard Mai on 2016-02-05 17:22:00 CET
>Index: debian/univention-system-activation.postinst >=================================================================== >--- debian/univention-system-activation.postinst (Revision 67211) >+++ debian/univention-system-activation.postinst (Arbeitskopie) >@@ -39,16 +39,7 @@ > > # Don't change it on a configured system > if [ ! -e /var/univention-join/joined ]; then >- # disallow root login >- ucr set --force auth/gdm/user/root=no \ >- auth/kdm/user/root=no \ >- auth/login/user/root=no \ >- auth/other/user/root=no \ >- auth/sshd/user/root=no >- >- # disallow su >- ucr set --force auth/su/restrict=yes \ >- auth/su/user/root=no >+ /usr/sbin/univention-system-activation restrict-root > fi > ;; > >Index: debian/univention-system-activation.install >=================================================================== >--- debian/univention-system-activation.install (Revision 67211) >+++ debian/univention-system-activation.install (Arbeitskopie) >@@ -1,5 +1,5 @@ > scripts/univention-system-activation usr/sbin >-src/* usr/share/pyshared/univention/system_activation >+src/* usr/share/pyshared/univention/system_activation > www usr/share/univention-system-activation > conffiles/etc/sudoers.d/univention-system-activation etc/sudoers.d > conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation usr/lib/univention-system-setup/appliance-hooks.d >Index: scripts/univention-system-activation >=================================================================== >--- scripts/univention-system-activation (Revision 67211) >+++ scripts/univention-system-activation (Arbeitskopie) 
>@@ -29,6 +29,40 @@ > # /usr/share/common-licenses/AGPL-3; if not, see > # <http://www.gnu.org/licenses/>. > >+function allow_root_login() { >+ ucr unset --force auth/gdm/user/root \ >+ auth/kdm/user/root \ >+ auth/login/user/root \ >+ auth/other/user/root \ >+ auth/sshd/user/root >+ >+ # reset su restrictions >+ ucr unset --force auth/su/restrict \ >+ auth/su/user/root >+ >+ # set to the default values, these values are not set >+ # during the pam installation, because they were set >+ # in the force layer >+ ucr set auth/gdm/user/root?yes \ >+ auth/kdm/user/root?yes \ >+ auth/login/user/root?yes \ >+ auth/other/user/root?yes \ >+ auth/sshd/user/root?yes >+} >+ >+function restrict_root_login() { >+ # disallow root login >+ ucr set --force auth/gdm/user/root=no \ >+ auth/kdm/user/root=no \ >+ auth/login/user/root=no \ >+ auth/other/user/root=no \ >+ auth/sshd/user/root=no >+ >+ # disallow su >+ ucr set --force auth/su/restrict=yes \ >+ auth/su/user/root=no >+} >+ > if [ $# -eq 0 -o "$1" = "-h" -o "$1" = "--help" ]; then > echo > echo "When started, deactivates all access to the UCS and enforces the" >@@ -62,6 +96,8 @@ > # disable sites > a2dissite ${active_sites[@]} > >+ restrict_root_login >+ > # enable system activation site configuration and reload apache > a2ensite univention-system-activation > /etc/init.d/apache2 reload 
>@@ -84,32 +120,17 @@ > # unset previously stored sites > ucr unset apache2/system_activation/sites > >- # allow root login again >- ucr unset --force auth/gdm/user/root \ >- auth/kdm/user/root \ >- auth/login/user/root \ >- auth/other/user/root \ >- auth/sshd/user/root >+ allow_root_login > >- # reset su restrictions >- ucr unset --force auth/su/restrict \ >- auth/su/user/root >- >- # set to the default values, these values are not set >- # during the pam installation, because they were set >- # in the force layer >- ucr set auth/gdm/user/root?yes \ >- auth/kdm/user/root?yes \ >- auth/login/user/root?yes \ >- auth/other/user/root?yes \ >- auth/sshd/user/root?yes >- > # apache reload as last step > /etc/init.d/apache2 reload >+elif [ "$ACTION" == "allow-root" ]; then >+ allow_root_login >+elif [ "$ACTION" == "restrict-root" ]; then >+ restrict_root_login > else > echo > echo "ERROR: Unknown action given" > echo > exit 1 > fi >- >Index: conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation >=================================================================== >--- conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation (Revision 67211) >+++ conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation (Arbeitskopie) 
>@@ -33,8 +33,15 @@ > /usr/bin/univention-ldapsearch -LLL '(&(objectClass=univentionLicense)(univentionLicenseKeyID=*))' dn | grep -q 'dn:' > } > >-if ! has_activated_license; then >+role="$(ucr get server/role)" >+if [ "$role" == "domaincontroller_master" ]; then > /usr/sbin/univention-system-activation start >+elif has_activated_license; then >+ # Installing an App Appliance as non DC Master without activated license in the domain >+ # is restricted by system-setup and not handled here >+ >+ # lift root restrictions set by univention-system-activation.postinst on non DC Master >+ # roles because system-activation is not started there >+ /usr/sbin/univention-system-activation allow-root > fi >- > exit 0
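Review bot: In debian/univention-system-activation.postinst, the new `/usr/sbin/univention-system-activation restrict-root` call is guarded only by `if [ ! -e /var/univention-join/joined ]`, so every unjoined system gets the forced root restrictions regardless of server/role. The only counterpart in this patch that lifts them outside the activation flow is the appliance hook 96_enable_system_activation. Add a comment here naming that hook as the place where non-master roles are released, or check the role before restricting, so it is clear how a system that never runs the appliance hooks gets root access back.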
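Review bot: In debian/univention-system-activation.install, the removed and added `src/* usr/share/pyshared/univention/system_activation` lines read the same apart from whitespace. This hunk looks unrelated to the root login fix and should be dropped from the patch, or committed separately as a whitespace cleanup.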
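Review bot: In scripts/univention-system-activation (hunk at -29,6 +29,40), the usage text printed for `-h`/`--help` is not changed by any hunk, so the new `allow-root` and `restrict-root` actions stay undocumented; add both to the help output. As a style point in allow_root_login, the `ucr set auth/gdm/user/root?yes` arguments carry an unquoted `?`, which the shell treats as a glob character; quoting each key?value argument avoids accidental pathname expansion.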
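Review bot: In the start branch (hunk at -62,6 +96,8), `restrict_root_login` runs before `a2ensite univention-system-activation` and the apache reload, and neither step's result is checked. If enabling the activation site fails, root login and su are already forced off while the activation page is not being served. Consider calling `restrict_root_login` only after the reload has succeeded, or rolling back with `allow_root_login` on failure.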
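Review bot: The new `allow-root` branch (hunk at -84,32 +120,17) exposes the lifting of all forced root login and su restrictions as a standalone command-line action. The package also installs conffiles/etc/sudoers.d/univention-system-activation, so check that the sudoers entry does not permit this script with arbitrary arguments, otherwise `allow-root` becomes reachable by whoever that rule covers. As a style point, `[ "$ACTION" == "allow-root" ]` uses `==` inside `[`, while the argument check at the top of the script uses `=`; use `=` for consistency.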
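Review bot: In 96_enable_system_activation, the master branch no longer checks the license. The old code ran `univention-system-activation start` only under `if ! has_activated_license`, while the new `if [ "$role" == "domaincontroller_master" ]` branch starts activation on every master, including one that already has an activated license. Keep the license test in that branch, for example `if [ "$role" = "domaincontroller_master" ] && ! has_activated_license`. On non-master roles, has_activated_license depends on `univention-ldapsearch | grep -q 'dn:'`, so a failed LDAP query is indistinguishable from a missing license and leaves the restrictions from postinst in place. The comment should say explicitly that this case is intended to remain restricted.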