78 lines
3.3 KiB
Diff
78 lines
3.3 KiB
Diff
From 5862f8b67f02fad30ec6a067318c876b4dba396f Mon Sep 17 00:00:00 2001
|
|
From: Jakub Jelen <jjelen@redhat.com>
|
|
Date: Thu, 5 May 2022 20:09:50 +0200
|
|
Subject: [PATCH 23/39] Add doc strings and improve code readability
|
|
|
|
The original code was quite confusing. This reuses the global_value
|
|
function and checks for the only rare corner case we want to consider
|
|
allowing without inhibiting the upgrade.
|
|
|
|
The test coverage is still passing with the new code.
|
|
|
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
---
|
|
.../libraries/opensshpermitrootlogincheck.py | 40 ++++++++++++++-----
|
|
1 file changed, 30 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
|
|
index d247b220..c2237571 100644
|
|
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
|
|
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/libraries/opensshpermitrootlogincheck.py
|
|
@@ -1,4 +1,11 @@
|
|
def global_value(config, default):
|
|
+ """
|
|
+ Find the global value for PermitRootLogin option in sshd_config.
|
|
+
|
|
+ OpenSSH is using the first value found in configuration file, that is not
|
|
+ in match block other than "all". If there is no such option, the argument
|
|
+ "default" will be returned.
|
|
+ """
|
|
for opt in config.permit_root_login:
|
|
if (opt.in_match is None or opt.in_match[0].lower() == 'all'):
|
|
return opt.value
|
|
@@ -6,18 +13,31 @@ def global_value(config, default):
|
|
|
|
|
|
def semantics_changes(config):
|
|
- globally_enabled = False
|
|
- in_match_disabled = False
|
|
+ """
|
|
+ Check if the current configuration changes semantics if upgraded from RHEL7 to RHEL8
|
|
+
|
|
+ The case where the configuration does not contain *any* PermitRootLogin option is
|
|
+ already covered in the actor and does not need to be handled here.
|
|
+
|
|
+ This tries to capture the case, where the root login is enabled in at least one
|
|
+ match block. The global default changes so the new configurations will not allow
|
|
+ all password root logins, but there is at least some chance to access the system as
|
|
+ root with password.
|
|
+
|
|
+ Examples:
|
|
+ * If the root login is globally set (enabled or disabled), the semantics stays the same.
|
|
+ * If the root login is enabled only in match blocks, the semantics changes, but the
|
|
+ machine stays accessible at least for clients matching this block.
|
|
+
|
|
+ """
|
|
+ config_global_value = global_value(config, None)
|
|
+ in_match_enabled = False
|
|
if not config.permit_root_login:
|
|
return True
|
|
|
|
for opt in config.permit_root_login:
|
|
- if opt.value != "yes" and opt.in_match is not None \
|
|
- and opt.in_match[0].lower() != 'all':
|
|
- in_match_disabled = True
|
|
-
|
|
- if opt.value == "yes" and (opt.in_match is None or
|
|
- opt.in_match[0].lower() == 'all'):
|
|
- globally_enabled = True
|
|
+ if opt.value == "yes" and opt.in_match is not None and \
|
|
+ opt.in_match[0].lower() != 'all':
|
|
+ in_match_enabled = True
|
|
|
|
- return not globally_enabled and in_match_disabled
|
|
+ return config_global_value is None and not in_match_enabled
|
|
--
|
|
2.35.3
|
|
|