[sos/f19] Add stray patches from previous commit

Bryn Reeves bmr at fedoraproject.org
Tue Jun 17 23:15:27 UTC 2014


commit 625ed857b6bf27a591dbbb2dac3bcd6b419a7992
Author: Bryn M. Reeves <bmr at redhat.com>
Date:   Tue Jun 17 23:56:39 2014 +0100

    Add stray patches from previous commit
    
     0073-Restore-generic-UI-preamble-text.patch
     0074-Add-postprocessing-for-etc-fstab-passwords.patch
     0075-Elide-bootloader-password-in-grub-plugin.patch
     0076-Make-sure-grub-password-regex-handles-all-cases.patch
     0077-Elide-passwords-in-grub2-plugin.patch

 0073-Restore-generic-UI-preamble-text.patch        |   84 ++++++++++++++++++++
 ...dd-postprocessing-for-etc-fstab-passwords.patch |   29 +++++++
 ...-Elide-bootloader-password-in-grub-plugin.patch |   34 ++++++++
 ...ure-grub-password-regex-handles-all-cases.patch |   44 ++++++++++
 0077-Elide-passwords-in-grub2-plugin.patch         |   59 ++++++++++++++
 5 files changed, 250 insertions(+), 0 deletions(-)
---
diff --git a/0073-Restore-generic-UI-preamble-text.patch b/0073-Restore-generic-UI-preamble-text.patch
new file mode 100644
index 0000000..29213d0
--- /dev/null
+++ b/0073-Restore-generic-UI-preamble-text.patch
@@ -0,0 +1,84 @@
+From 035b9989e7bb194227751c00b45b62f1d4af8858 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr at redhat.com>
+Date: Sun, 6 Apr 2014 16:34:14 +0100
+Subject: [PATCH 73/77] Restore generic UI preamble text
+
+The generic UI text in the policy base class was replaced with
+the Red Hat Enterprise Linux wording in commit c59877c. The
+wording isn't suitable for all distributions so revert this part
+of the commit and move the RHEL text back to the RHEL-specific
+policy class.
+
+Signed-off-by: Bryn M. Reeves <bmr at redhat.com>
+---
+ sos/policies/__init__.py | 18 +++++++-----------
+ sos/policies/redhat.py   | 20 ++++++++++++++++++++
+ 2 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/sos/policies/__init__.py b/sos/policies/__init__.py
+index 3ae3979..e92b9dd 100644
+--- a/sos/policies/__init__.py
++++ b/sos/policies/__init__.py
+@@ -117,21 +117,17 @@ class PackageManager(object):
+ class Policy(object):
+ 
+     msg = _("""\
+-This command will collect diagnostic and configuration \
+-information from this %(distro)s system and installed \
+-applications.
++This command will collect system configuration and diagnostic information \
++from this %(distro)s system. An archive containing the collected information \
++will be generated in %(tmpdir)s.
+ 
+-An archive containing the collected information will be \
+-generated in %(tmpdir)s and may be provided to a %(vendor)s \
+-support representative.
++For more information on %(vendor)s visit:
+ 
+-Any information provided to %(vendor)s will be treated in \
+-accordance with the published support policies at:\n
+   %(vendor_url)s
+ 
+-The generated archive may contain data considered sensitive \
+-and its content should be reviewed by the originating \
+-organization before being passed to any third party.
++The generated archive may contain data considered sensitive and its content \
++should be reviewed by the originating organization before being passed to \
++any third party.
+ 
+ No changes will be made to system configuration.
+ %(vendor_text)s
+diff --git a/sos/policies/redhat.py b/sos/policies/redhat.py
+index 2eade3a..6959e20 100644
+--- a/sos/policies/redhat.py
++++ b/sos/policies/redhat.py
+@@ -95,6 +95,26 @@ class RHELPolicy(RedHatPolicy):
+     distro = "Red Hat Enterprise Linux"
+     vendor = "Red Hat"
+     vendor_url = "https://access.redhat.com/support/"
++    msg = _("""\
++This command will collect diagnostic and configuration \
++information from this %(distro)s system and installed \
++applications.
++
++An archive containing the collected information will be \
++generated in %(tmpdir)s and may be provided to a %(vendor)s \
++support representative.
++
++Any information provided to %(vendor)s will be treated in \
++accordance with the published support policies at:\n
++  %(vendor_url)s
++
++The generated archive may contain data considered sensitive \
++and its content should be reviewed by the originating \
++organization before being passed to any third party.
++
++No changes will be made to system configuration.
++%(vendor_text)s
++""")
+ 
+     def __init__(self):
+         super(RHELPolicy, self).__init__()
+-- 
+1.9.3
+
diff --git a/0074-Add-postprocessing-for-etc-fstab-passwords.patch b/0074-Add-postprocessing-for-etc-fstab-passwords.patch
new file mode 100644
index 0000000..47362b8
--- /dev/null
+++ b/0074-Add-postprocessing-for-etc-fstab-passwords.patch
@@ -0,0 +1,29 @@
+From b3404e2cebdaa1bb8e10687fe544a21b72285f50 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr at redhat.com>
+Date: Fri, 30 May 2014 14:41:42 +0100
+Subject: [PATCH 74/77] Add postprocessing for /etc/fstab passwords
+
+Signed-off-by: Bryn M. Reeves <bmr at redhat.com>
+---
+ sos/plugins/filesys.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sos/plugins/filesys.py b/sos/plugins/filesys.py
+index 9deb75d..2dcfc59 100644
+--- a/sos/plugins/filesys.py
++++ b/sos/plugins/filesys.py
+@@ -49,4 +49,11 @@ class Filesys(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
+             for dev in zip(self.do_regex_find_all(ext_fs_regex, mounts)):
+                 self.add_cmd_output("dumpe2fs -h %s" % (dev))
+ 
++    def postproc(self):
++        self.do_file_sub(
++            "/etc/fstab",
++            r"(password=)[^\s]*",
++            r"\1********"
++        )
++
+ # vim: et ts=4 sw=4
+-- 
+1.9.3
+
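Review bot: The `[^\s]*` in the `/etc/fstab` substitution of `postproc` runs to the next whitespace, so on an option list such as `password=x,uid=1000` (constructed example) every mount option after the password is blanked as well. That loses data the report is meant to keep. Stopping at the comma keeps the rest of the list: `r"(password=)[^\s,]*"`. It is also worth checking whether shorter spellings of the option, such as `pass=`, are accepted by the mount helpers in use, because this pattern would leave them in the collected file.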
diff --git a/0075-Elide-bootloader-password-in-grub-plugin.patch b/0075-Elide-bootloader-password-in-grub-plugin.patch
new file mode 100644
index 0000000..bb069af
--- /dev/null
+++ b/0075-Elide-bootloader-password-in-grub-plugin.patch
@@ -0,0 +1,34 @@
+From e1e324b63a28a4ed83f898d9297ae85ffb714622 Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr at redhat.com>
+Date: Mon, 2 Jun 2014 14:55:03 +0100
+Subject: [PATCH 75/77] Elide bootloader password in grub plugin
+
+The grub.conf configuration file collected by the grub plugin may
+contain a plaintext or md5 hashed bootloader password. Add a regex
+substitution for all files matching '.*\/grub\.conf' and replace
+the password with '*'s.
+
+Signed-off-by: Bryn M. Reeves <bmr at redhat.com>
+---
+ sos/plugins/grub.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sos/plugins/grub.py b/sos/plugins/grub.py
+index 3911041..33b9f7a 100644
+--- a/sos/plugins/grub.py
++++ b/sos/plugins/grub.py
+@@ -30,4 +30,11 @@ class Grub(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
+             "/etc/grub.d"
+         ])
+ 
++    def postproc(self):
++        self.do_path_regex_sub(
++            r".*\/grub.conf",
++            r"(password)\s(--md5)\s(.*)",
++            r"\1 \2 ********"
++        )
++
+ # vim: et ts=4 sw=4
+-- 
+1.9.3
+
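Review bot: The path pattern `r".*\/grub.conf"` in `postproc` leaves the dot unescaped, although the commit message describes `'.*\/grub\.conf'`. Any character is accepted in that position, so the substitution can be applied to files other than the intended one. `r".*\/grub\.conf",` matches the description; the same line is carried unchanged as context in patch 0076.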
diff --git a/0076-Make-sure-grub-password-regex-handles-all-cases.patch b/0076-Make-sure-grub-password-regex-handles-all-cases.patch
new file mode 100644
index 0000000..13d3016
--- /dev/null
+++ b/0076-Make-sure-grub-password-regex-handles-all-cases.patch
@@ -0,0 +1,44 @@
+From 1cea3c481ee9753302605ec7648a3402ea27ddac Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr at redhat.com>
+Date: Mon, 2 Jun 2014 15:27:10 +0100
+Subject: [PATCH 76/77] Make sure grub password regex handles all cases
+
+The regex to match passwords in grub.conf needs to handle both
+the --md5 and non-md5 cases and to apply the substitution only
+to the secret part (password or password hash).
+
+This needs to deal with the fact that python will return 'None'
+for unmatched pattern groups leading to an exception in re.subn()
+if not all referenced groups match for a given string (in contrast
+to e.g. the perl approach of treating these groups as the empty
+string).
+
+Make this explicit by using an empty alternate in the possibly
+unmatched '--md5' group:
+
+            r"(password\s*)(--md5\s*|\s*)(.*)",
+            r"\1\2********"
+
+Signed-off-by: Bryn M. Reeves <bmr at redhat.com>
+---
+ sos/plugins/grub.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sos/plugins/grub.py b/sos/plugins/grub.py
+index 33b9f7a..926439f 100644
+--- a/sos/plugins/grub.py
++++ b/sos/plugins/grub.py
+@@ -33,8 +33,8 @@ class Grub(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
+     def postproc(self):
+         self.do_path_regex_sub(
+             r".*\/grub.conf",
+-            r"(password)\s(--md5)\s(.*)",
+-            r"\1 \2 ********"
++            r"(password\s*)(--md5\s*|\s*)(.*)",
++            r"\1\2********"
+         )
+ 
+ # vim: et ts=4 sw=4
+-- 
+1.9.3
+
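Review bot: `\s` in the new pattern also matches a newline. If do_path_regex_sub applies the expression to the whole file content rather than line by line (not visible in this hunk), a line ending in the word `password`, such as a comment, lets `(.*)` consume and blank out the following line. Limiting the separators to blanks avoids that and still lets every group participate in the match: `r"(password[ \t]+)(--md5[ \t]+|)(.*)",`. Requiring at least one blank also stops the pattern matching longer words that merely start with `password`.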
diff --git a/0077-Elide-passwords-in-grub2-plugin.patch b/0077-Elide-passwords-in-grub2-plugin.patch
new file mode 100644
index 0000000..e42a1b5
--- /dev/null
+++ b/0077-Elide-passwords-in-grub2-plugin.patch
@@ -0,0 +1,59 @@
+From c3ef170b88fa467463559d5262bfef6c3e025dce Mon Sep 17 00:00:00 2001
+From: "Bryn M. Reeves" <bmr at redhat.com>
+Date: Tue, 3 Jun 2014 19:23:46 +0100
+Subject: [PATCH 77/77] Elide passwords in grub2 plugin
+
+Remove both plaintext and pbkdf2 passwords from grub configuration
+files and command output. Since grub does not mandate any
+particular location for its authentication data we have to apply
+these liberaly (to all grub*.cfg as well as to all /etc/grub.d
+fragments and the output of grub2-mkconfig).
+
+Signed-off-by: Bryn M. Reeves <bmr at redhat.com>
+---
+ sos/plugins/grub2.py | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/sos/plugins/grub2.py b/sos/plugins/grub2.py
+index 95c1218..5f74981 100644
+--- a/sos/plugins/grub2.py
++++ b/sos/plugins/grub2.py
+@@ -34,4 +34,35 @@ class Grub2(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
+         self.add_cmd_output("ls -lanR /boot")
+         self.add_cmd_output("grub2-mkconfig")
+ 
++    def postproc(self):
++        # the trailing space is required; python treats '_' as whitespace
++        # causing the passwd_exp to match pbkdf2 passwords and mangle them.
++        passwd_exp        = r"(password )\s*(\S*)\s*(\S*)"
++        passwd_pbkdf2_exp = r"(password_pbkdf2)\s*(\S*)\s*(\S*)"
++        passwd_sub        = r"\1 \2 ********"
++        passwd_pbkdf2_sub = r"\1 \2 grub.pbkdf2.********"
++
++        self.do_cmd_output_sub(
++            "grub2-mkconfig",
++            passwd_pbkdf2_exp,
++            passwd_pbkdf2_sub
++        )
++        self.do_cmd_output_sub(
++            "grub2-mkconfig",
++            passwd_exp,
++            passwd_sub
++        )
++
++        self.do_path_regex_sub(
++            r".*\/grub\.",
++            passwd_exp,
++            passwd_sub
++        )
++
++        self.do_path_regex_sub(
++            r".*\/grub\.",
++            passwd_pbkdf2_exp,
++            passwd_pbkdf2_sub
++        )
++
+ # vim: et ts=4 sw=4
+-- 
+1.9.3
+
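Review bot: The literal space in `passwd_exp` means a `password` directive whose fields are separated by a tab is not matched, so a plaintext password written that way would remain in the collected grub files and in the `grub2-mkconfig` output. The comment above it is also inaccurate: Python's `re` does not treat `_` as whitespace. The separator is needed because `password\s*` can match zero characters, after which `(\S*)` takes `_pbkdf2` as the next token. Requiring at least one blank covers both points, for example `passwd_exp = r"(password)[ \t]+(\S+)[ \t]+(\S+)"`, with the comment reworded to `# require a separator so this does not match the password_pbkdf2 keyword`. Unlike `\s*`, the `[ \t]+` form also cannot run across a line break into the next line.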

