Compare commits


10 Commits

Author SHA1 Message Date
openeuler-ci-bot
5983b5719c
!60 [sync] PR-55: add more zh_CN translation for i18n
From: @openeuler-sync-bot 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
2024-05-22 10:53:57 +00:00
lingsheng
70e9f019d3 add more zh_CN translation for i18n
(cherry picked from commit 0f880e1b10384f1b6ed1bc233014815549bedab3)
2024-05-22 16:15:55 +08:00
openeuler-ci-bot
0a57eda621
!51 [sync] PR-49: fix CVE-2020-35850
From: @openeuler-sync-bot 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot
2024-04-30 01:36:35 +00:00
lingsheng
e1c32f9bb4 fix CVE-2020-35850
Signed-off-by: lingsheng <860373352@qq.com>
(cherry picked from commit 7cb13c1d265c257dc49772f65509effc100bc621)
2024-04-30 09:06:38 +08:00
openeuler-ci-bot
a0f71f2776
!36 [sync] PR-34: splits subpackages
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2023-01-12 08:38:32 +00:00
zhangpan
ad82398460 splits subpackages
(cherry picked from commit 0fc046be2f37fa44901acb052f3f3bc51cdb5957)
2023-01-12 16:17:27 +08:00
zhangpan
61c7993e2e splits subpackages
(cherry picked from commit b8242abc4712a1dd9b7a0dab8b8a33e84f8688a8)
2023-01-12 16:17:27 +08:00
zhangpan
8c45ac7d27 splits subpackages
(cherry picked from commit e7093a7875fa734c2baf0ff29c786dd1a52c990b)
2023-01-12 16:17:27 +08:00
zhangpan
86a7b3a1ac splits subpackages
(cherry picked from commit 6d33eb1f04190074abb4951e44057f1ae65e0a8e)
2023-01-12 16:17:27 +08:00
zhangpan
13963ad4b8 splits subpackages
(cherry picked from commit 591d3905333afb6ea49d8246d60a7a7113db5cae)
2023-01-12 16:17:27 +08:00
3 changed files with 823 additions and 5 deletions


@ -0,0 +1,692 @@
From 30e1e26186f10210c9b65cca0b014ea376162c0e Mon Sep 17 00:00:00 2001
From: hanjinpeng <hanjinpeng@kylinos.cn>
Date: Fri, 15 Jul 2022 21:03:17 +0800
Subject: [PATCH] add more zh_CN translation for i18n
---
dist/systemd/po.zh_CN.js | 192 +++++++++++++++++++--------------------
1 file changed, 96 insertions(+), 96 deletions(-)
diff --git a/dist/systemd/po.zh_CN.js b/dist/systemd/po.zh_CN.js
index eb45f32..31b7059 100644
--- a/dist/systemd/po.zh_CN.js
+++ b/dist/systemd/po.zh_CN.js
@@ -81,7 +81,7 @@ return plural;
],
"$0 is not available from any repository.": [
null,
- ""
+ "$0 在任何一个仓库不可使用"
],
"$0 minute": [
"$0 minutes",
@@ -97,7 +97,7 @@ return plural;
],
"$0 will be installed.": [
null,
- ""
+ "$0 将要被安装"
],
"$0 year": [
"$0 years",
@@ -289,11 +289,11 @@ return plural;
],
"Additional packages:": [
null,
- ""
+ "附加包"
],
"Advanced TCA": [
null,
- ""
+ "高级 TCA"
],
"After": [
null,
@@ -305,11 +305,11 @@ return plural;
],
"Alert and above": [
null,
- ""
+ "Alert 及更高级别"
],
"All In One": [
null,
- ""
+ "多合一"
],
"Asset Tag": [
null,
@@ -329,43 +329,43 @@ return plural;
],
"BIOS": [
null,
- ""
+ "BIOS"
],
"BIOS date": [
null,
- ""
+ "BIOS日期"
],
"BIOS version": [
null,
- ""
+ "BIOS版本"
],
"Before": [
null,
- ""
+ "之前"
],
"Binds To": [
null,
- ""
+ "绑定到"
],
"Blade": [
null,
- ""
+ "刀片"
],
"Blade enclosure": [
null,
- ""
+ "刀片机箱"
],
"Bound By": [
null,
- ""
+ "边界为"
],
"Bug Fix Updates Available": [
null,
- ""
+ "可利用的bug修复"
],
"Bus Expansion Chassis": [
null,
- ""
+ "总线扩展机箱"
],
"CPU": [
null,
@@ -397,19 +397,19 @@ return plural;
],
"Checking for updates…": [
null,
- ""
+ "检查更新"
],
"Checking installed software": [
null,
- ""
+ "检查安装的软件"
],
"Class": [
null,
- ""
+ "分类"
],
"Click to see system hardware information": [
null,
- ""
+ "点击查看系统硬件信息"
],
"Close": [
null,
@@ -421,7 +421,7 @@ return plural;
],
"Compact PCI": [
null,
- ""
+ "紧凑型 PCI"
],
"Condition $0=$1 was not met": [
null,
@@ -433,19 +433,19 @@ return plural;
],
"Conflicted By": [
null,
- ""
+ "冲突于"
],
"Conflicts": [
null,
- ""
+ "冲突"
],
"Consists Of": [
null,
- ""
+ "组成"
],
"Convertible": [
null,
- ""
+ "可转换"
],
"Create Timer": [
null,
@@ -457,7 +457,7 @@ return plural;
],
"Critical and above": [
null,
- ""
+ "Critical 及更高级别"
],
"Current boot": [
null,
@@ -465,7 +465,7 @@ return plural;
],
"Debug and above": [
null,
- ""
+ "Debug 及更高级别"
],
"Delay": [
null,
@@ -477,11 +477,11 @@ return plural;
],
"Desktop": [
null,
- ""
+ "桌面"
],
"Detachable": [
null,
- ""
+ "可拆卸"
],
"Disable": [
null,
@@ -497,7 +497,7 @@ return plural;
],
"Docking Station": [
null,
- ""
+ "扩展坞"
],
"Domain": [
null,
@@ -509,11 +509,11 @@ return plural;
],
"Downloading $0": [
null,
- ""
+ "正在下载 $0"
],
"Embedded PC": [
null,
- ""
+ "嵌入式 PC"
],
"Enable": [
null,
@@ -525,7 +525,7 @@ return plural;
],
"Enable persistent metrics…": [
null,
- ""
+ "启用持久性指标..."
],
"Enabled": [
null,
@@ -533,7 +533,7 @@ return plural;
],
"Enhancement Updates Available": [
null,
- ""
+ "增强可利用的更新"
],
"Entry": [
null,
@@ -545,7 +545,7 @@ return plural;
],
"Error and above": [
null,
- ""
+ "Error 及更高级别"
],
"Everything": [
null,
@@ -553,7 +553,7 @@ return plural;
],
"Expansion Chassis": [
null,
- ""
+ "总线扩展机箱"
],
"Free": [
null,
@@ -577,7 +577,7 @@ return plural;
],
"Hand Held": [
null,
- ""
+ "手持式"
],
"Hardware": [
null,
@@ -585,7 +585,7 @@ return plural;
],
"Hardware Information": [
null,
- ""
+ "硬件信息"
],
"Host Name": [
null,
@@ -613,7 +613,7 @@ return plural;
],
"Info and above": [
null,
- ""
+ "Info 及更高级别"
],
"Install": [
null,
@@ -621,11 +621,11 @@ return plural;
],
"Install Software": [
null,
- ""
+ "安装的软件"
],
"Installing $0": [
null,
- ""
+ "正在安装 $0"
],
"Instantiate": [
null,
@@ -657,11 +657,11 @@ return plural;
],
"IoT Gateway": [
null,
- ""
+ "IoT 网关"
],
"Joins Namespace Of": [
null,
- ""
+ "加入命名空间"
],
"Journal": [
null,
@@ -681,7 +681,7 @@ return plural;
],
"Laptop": [
null,
- ""
+ "笔记本电脑"
],
"Last 24 hours": [
null,
@@ -713,11 +713,11 @@ return plural;
],
"Low Profile Desktop": [
null,
- ""
+ "低调桌面"
],
"Lunch Box": [
null,
- ""
+ "主机类型"
],
"Machine ID": [
null,
@@ -729,7 +729,7 @@ return plural;
],
"Main Server Chassis": [
null,
- ""
+ "主服务器机箱"
],
"Manually": [
null,
@@ -753,11 +753,11 @@ return plural;
],
"Mini PC": [
null,
- ""
+ "迷你 PC"
],
"Mini Tower": [
null,
- ""
+ "迷你电脑"
],
"Minute needs to be a number between 0-59": [
null,
@@ -769,7 +769,7 @@ return plural;
],
"Model": [
null,
- ""
+ "型号"
],
"Monday": [
null,
@@ -825,11 +825,11 @@ return plural;
],
"Notebook": [
null,
- ""
+ "笔记本"
],
"Notice and above": [
null,
- ""
+ "Notice 及更高级别"
],
"Off": [
null,
@@ -849,7 +849,7 @@ return plural;
],
"Only Emergency": [
null,
- ""
+ "只有紧急情况"
],
"Only alphabets, numbers, : , _ , . , @ , - are allowed.": [
null,
@@ -861,11 +861,11 @@ return plural;
],
"Other": [
null,
- ""
+ "其他"
],
"PCI": [
null,
- ""
+ "PCI"
],
"PackageKit crashed": [
null,
@@ -873,7 +873,7 @@ return plural;
],
"Part Of": [
null,
- ""
+ "部分"
],
"Paths": [
null,
@@ -885,15 +885,15 @@ return plural;
],
"Peripheral Chassis": [
null,
- ""
+ "外设机箱"
],
"Pizza Box": [
null,
- ""
+ "披萨盒"
],
"Portable": [
null,
- ""
+ "可移植"
],
"Power Options": [
null,
@@ -913,23 +913,23 @@ return plural;
],
"Problem details": [
null,
- ""
+ "问题详情"
],
"Problem info": [
null,
- ""
+ "问题信息"
],
"Propagates Reload To": [
null,
- ""
+ "传播重新加载到"
],
"RAID Chassis": [
null,
- ""
+ "RAID 机箱"
],
"Rack Mount Chassis": [
null,
- ""
+ "机架式机箱"
],
"Real Host Name": [
null,
@@ -957,15 +957,15 @@ return plural;
],
"Reload Propagated From": [
null,
- ""
+ "重新加载的传播来自"
],
"Removals:": [
null,
- ""
+ "移除"
],
"Removing $0": [
null,
- ""
+ "正在删除 $0"
],
"Repeat Daily": [
null,
@@ -989,11 +989,11 @@ return plural;
],
"Report": [
null,
- ""
+ "报告"
],
"Reported": [
null,
- ""
+ "已报告"
],
"Reporter 'reporter-ureport' not found.": [
null,
@@ -1005,19 +1005,19 @@ return plural;
],
"Required By": [
null,
- ""
+ "要求自"
],
"Requires": [
null,
- ""
+ "要求"
],
"Requisite": [
null,
- ""
+ "必要"
],
"Requisite Of": [
null,
- ""
+ "必备的"
],
"Reset": [
null,
@@ -1041,7 +1041,7 @@ return plural;
],
"Sealed-case PC": [
null,
- ""
+ "密封式 PC"
],
"Seconds": [
null,
@@ -1053,7 +1053,7 @@ return plural;
],
"Security Updates Available": [
null,
- ""
+ "可利用的安全更新"
],
"Service Logs": [
null,
@@ -1093,7 +1093,7 @@ return plural;
],
"Slot": [
null,
- ""
+ "槽"
],
"Sockets": [
null,
@@ -1101,7 +1101,7 @@ return plural;
],
"Space-saving Computer": [
null,
- ""
+ "节省空间的计算机"
],
"Specific Time": [
null,
@@ -1121,7 +1121,7 @@ return plural;
],
"Stick PC": [
null,
- ""
+ "PC 棒"
],
"Stop": [
null,
@@ -1133,11 +1133,11 @@ return plural;
],
"Sub Chassis": [
null,
- ""
+ "子机箱"
],
"Sub Notebook": [
null,
- ""
+ "子笔记本"
],
"Sunday": [
null,
@@ -1161,11 +1161,11 @@ return plural;
],
"System Information": [
null,
- ""
+ "系统信息"
],
"System Not Registered": [
null,
- ""
+ "系统没有注册"
],
"System Services": [
null,
@@ -1177,11 +1177,11 @@ return plural;
],
"System Up To Date": [
null,
- ""
+ "系统最新"
],
"Tablet": [
null,
- ""
+ "平板"
],
"Targets": [
null,
@@ -1197,11 +1197,11 @@ return plural;
],
"The user <b>$0</b> is not permitted to change the system time": [
null,
- ""
+ "用户 <b>$0</b> 不允许改变系统时间"
],
"The user <b>$0</b> is not permitted to enable or disable services": [
null,
- ""
+ "用户 <b>$0</b> 不允许启用或者禁用服务"
],
"The user <b>$0</b> is not permitted to modify hostnames": [
null,
@@ -1245,15 +1245,15 @@ return plural;
],
"Total size: $0": [
null,
- ""
+ "总大小: $0"
],
"Tower": [
null,
- ""
+ "塔"
],
"Triggered By": [
null,
- ""
+ "被触发"
],
"Triggers": [
null,
@@ -1281,11 +1281,11 @@ return plural;
],
"Updates Available": [
null,
- ""
+ "可利用更新"
],
"Usage of $0 CPU core": [
"Usage of $0 CPU cores",
- ""
+ "$0 CPU核心的使用量"
],
"Used": [
null,
@@ -1297,7 +1297,7 @@ return plural;
],
"Vendor": [
null,
- ""
+ "厂商"
],
"Version": [
null,
@@ -1305,19 +1305,19 @@ return plural;
],
"Waiting for other software management operations to finish": [
null,
- ""
+ "等待其他软件管理操作完成"
],
"Wanted By": [
null,
- ""
+ "需要于"
],
"Wants": [
null,
- ""
+ "需要"
],
"Warning and above": [
null,
- ""
+ "Warning 及更高级别"
],
"Wednesday": [
null,
--
2.27.0


@ -0,0 +1,78 @@
From 29500b32c66dff16ec4aabf119a5772f007a007e Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@redhat.com>
Date: Wed, 5 Apr 2023 17:03:45 +0200
Subject: [PATCH] ws: Disallow direct URL logins with LoginTo=false
The current documentation of LoginTo= isn't very specific about what
exactly happens with a "false" value; but it is plausible for an admin
to assume that "false" would disallow logging into a remote host
completely -- not merely hide the "Connect to:" field and then allowing
a direct URL login anyway.
It is sometimes important to disallow direct SSH logins from the login
page on publicly exposed bastion hosts, as this functionality allows
unauthenticated remote users to:
- scan the internal network for existing hosts, which might otherwise
not be accessible directly from the internet
(Fixes #18540, https://bugzilla.redhat.com/show_bug.cgi?id=2167006)
- scan the cockpit-ws host or internal network hosts for open ports
(Fixes #15077, https://bugzilla.redhat.com/show_bug.cgi?id=2018741)
So change ws to reject direct URL logins with `LoginTo=false`. This
happens most naturally in cockpit_session_launch(), as we still want to
allow remote URLs from the shell's host switcher in already
authenticated sessions. This will not produce a very friendly error
message, but it doesn't have to be -- at that point specifying direct
URLs can be considered hacking anyway.
Clarify the documentation accordingly.
Reference:https://github.com/cockpit-project/cockpit/commit/29500b32c66dff16ec4aabf119a5772f007a007e
Conflict:return NULL -> goto out;adapt context;delete test
---
doc/man/cockpit.conf.xml | 12 +++++++++---
src/ws/cockpitauth.c | 7 +++++++
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/doc/man/cockpit.conf.xml b/doc/man/cockpit.conf.xml
index 798e1f3f5bf..eced0ebaaa2 100644
--- a/doc/man/cockpit.conf.xml
+++ b/doc/man/cockpit.conf.xml
@@ -87,9 +87,15 @@ ForwardedForHeader = X-Forwarded-For
<term><option>LoginTo</option></term>
<listitem>
<para>When set to <literal>true</literal> the <emphasis>Connect to</emphasis> option
- on the login screen is visible and allows logging into another server. If this
- option is not specified then it will be automatically detected based on whether
- the <command>cockpit-ssh</command> process is available or not.</para>
+ on the login screen is visible and allows logging into another server. When set to
+ <literal>false</literal>, direct remote logins are disallowed. If this option is not specified
+ then it will be automatically detected based on whether the
+ <command>cockpit-ssh</command> process is available or not.</para>
+
+ <para>If cockpit-ws is exposed to the public internet, and also has access to a private
+ internal network, it is recommended to explicitly set <literal>LoginTo=false</literal>. This prevents
+ unauthenticated remote attackers from scanning the internal network for existing machines
+ and open ports.</para>
</listitem>
</varlistentry>
<varlistentry>
diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
index bc62663d78a..9639a9c84de 100644
--- a/src/ws/cockpitauth.c
+++ b/src/ws/cockpitauth.c
@@ -1011,6 +1011,13 @@ cockpit_session_create (CockpitAuth *self,
goto out;
}
+ /* this might be unset, which means "allow if cockpit-ssh is installed"; if it isn't, this will fail later on */
+ if (host && !cockpit_conf_bool ("WebService", "LoginTo", TRUE)) {
+ g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_AUTHENTICATION_FAILED,
+ "Direct remote login is disabled");
+ goto out;
+ }
+
/* These are the credentials we'll carry around for this session */
creds = build_session_credentials (self, connection, headers,
application, type, authorization);
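Review bot: The new guard in `cockpit_session_create` rejects a direct remote login only when `LoginTo` is explicitly false, because `cockpit_conf_bool ("WebService", "LoginTo", TRUE)` defaults to allow when the key is unset. A host that only installs this update therefore stays exposed to the unauthenticated host and port scanning described in the commit message until `LoginTo=false` is set in cockpit.conf. I would extend the code comment to say so, e.g. `/* defaults to TRUE: direct logins stay allowed unless LoginTo=false is set explicitly */`. The backport header notes `delete test` and an adapted context, and the upstream message places the check in `cockpit_session_launch()`, so it is worth confirming on 178 that this path is not also taken by the shell's host switcher in authenticated sessions, and that a regression test still covers the rejection. The function body starts and ends outside the hunk.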


@ -1,7 +1,7 @@
%bcond_with pcp
Name: cockpit
Version: 178
Release: 12
Release: 15
Summary: A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
License: LGPLv2+
URL: https://cockpit-project.org/
@ -10,6 +10,9 @@ Source0: https://github.com/cockpit-project/cockpit/releases/download/%{v
Patch6000: CVE-2019-3804.patch
Patch6001: backport-0001-CVE-2021-3660.patch
Patch6002: backport-0002-CVE-2021-3660.patch
Patch6003: backport-CVE-2020-35850.patch
Patch9000: 0001-add-more-zh_CN-translation-for-i18n.patch
BuildRequires: gcc
BuildRequires: pkgconfig(gio-unix-2.0) pkgconfig(json-glib-1.0) pkgconfig(polkit-agent-1) >= 0.105 pam-devel
@ -22,10 +25,9 @@ BuildRequires: pcp-libs-devel
%endif
Requires: glib-networking shadow-utils grep libpwquality coreutils NetworkManager kexec-tools openssl glib2 >= 2.37.4
Requires: python3 python3-dbus systemd udisks2 >= 2.6 libvirt libvirt-client PackageKit
Requires: python3 python3-dbus systemd udisks2 >= 2.6 PackageKit
Provides: %{name}-networkmanager %{name}-selinux %{name}-sosreport %{name}-dashboard = %{version}-%{release}
Provides: %{name}-machines = %{version}-%{release} %{name}-machines-ovirt = %{version}-%{release} %{name}-shell %{name}-systemd
Provides: %{name}-bridge = %{version}-%{release} %{name}-packagekit = %{version}-%{release} %{name}-storaged = %{version}-%{release}
Provides: %{name}-system = %{version}-%{release} %{name}-ws = %{version}-%{release} %{name}-ssh %{name}-realmd
Provides: %{name}-tuned %{name}-users %{name}-kdump
@ -33,7 +35,6 @@ Provides: bundled(js-jquery) = 3.3.1 bundled(js-moment) = 2.22.2 bundled(n
Provides: bundled(nodejs-promise) = 8.0.2 bundled(nodejs-requirejs) = 2.1.22 bundled(xstatic-bootstrap-datepicker-common) = 1.8.0
Obsoletes: %{name}-networkmanager %{name}-selinux %{name}-sosreport %{name}-dashboard < %{version}-%{release}
Obsoletes: %{name}-machines < %{version}-%{release} %{name}-machines-ovirt < %{version}-%{release} %{name}-shell %{name}-systemd
Obsoletes: %{name}-bridge < %{version}-%{release} %{name}-packagekit < %{version}-%{release} %{name}-storaged < %{version}-%{release}
Obsoletes: %{name}-system < %{version}-%{release} %{name}-ws < %{version}-%{release} %{name}-ssh %{name}-realmd
Obsoletes: %{name}-tuned %{name}-users %{name}-kdump
@ -69,6 +70,29 @@ Obsoletes: %{name}-tests < %{version}-%{release}
This package contains some test files for testing the %{name}.
It is not necessary for using %{name}.
%package cockpit-machines
BuildArch: noarch
Summary: Cockpit user interface for virtual machines
Requires: cockpit-bridge >= 122
Requires: cockpit-system >= 122
Requires: libvirt
Requires: libvirt-client
%description cockpit-machines
The Cockpit components for managing virtual machines.
If "virt-install" is installed, you can also create new virtual machines.
%package cockpit-machines-ovirt
BuildArch: noarch
Summary: Cockpit user interface for oVirt virtual machines
Requires: cockpit-bridge >= 122
Requires: cockpit-system >= 122
Requires: libvirt
Requires: libvirt-client
%description cockpit-machines-ovirt
The Cockpit components for managing oVirt virtual machines.
%package help
Summary: Help package for %{name}
BuildArch: noarch
@ -150,7 +174,7 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
%{_datadir}/pixmaps/cockpit.png
%{_datadir}/%{name}/motd/{update-motd,inactive.motd}
%{_datadir}/%{name}/{static,branding}
%{_datadir}/%{name}/{base1,ssh,dashboard,realmd,tuned,shell,systemd,users,kdump,sosreport,storaged,networkmanager,packagekit,apps,machines,ovirt,selinux}/*
%{_datadir}/%{name}/{base1,ssh,dashboard,realmd,tuned,shell,systemd,users,kdump,sosreport,storaged,networkmanager,packagekit,apps,selinux}/*
%{_unitdir}/{cockpit.service,cockpit-motd.service,cockpit.socket}
%{_sysconfdir}/%{name}/machines.d
%{_prefix}/lib/tmpfiles.d/cockpit-tempfiles.conf
@ -173,6 +197,12 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
%{_datadir}/cockpit/playground
%{_prefix}/lib/cockpit-test-assets
%files cockpit-machines
%{_datadir}/cockpit/machines
%files cockpit-machines-ovirt
%{_datadir}/cockpit/ovirt
%files help
%{_docdir}/cockpit
%exclude %{_docdir}/cockpit/{AUTHORS,COPYING,README.md}
@ -181,6 +211,24 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
%doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz}
%changelog
* Wed May 22 2024 lingsheng <lingsheng1@h-partners.com> - 178-15
- Type:NA
- ID:NA
- SUG:NA
- DESC:add more zh_CN translation for i18n
* Sun Apr 28 2024 lingsheng <lingsheng1@h-partners.com> - 178-14
- Type:CVE
- ID:CVE-2020-35850
- SUG:restart
- DESC:fix CVE-2020-35850
* Tue Jan 10 2023 zhangpan <zhangpan@h-partners.com> - 178-13
- Type:NA
- Id:NA
- SUG:NA
- DESC:splits subpackages cockpit-machines cockpit-machines-ovirt
* Tue Dec 13 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 178-12
- strip binary file
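Review bot: `%package cockpit-machines` and `%package cockpit-machines-ovirt` are declared without `-n`, so rpmbuild prefixes them with the main package name and the subpackages come out as `cockpit-cockpit-machines` and `cockpit-cockpit-machines-ovirt`. The same change appears to drop the `%{name}-machines` / `%{name}-machines-ovirt` Provides and Obsoletes from the main package, so nothing would then provide `cockpit-machines` for existing dependants or for upgrades. Use `%package machines` and `%package machines-ovirt` (or `%package -n cockpit-machines`), with matching `%description` and `%files` names. Separately, the 178-14 changelog entry says only `SUG:restart`, while the CVE-2020-35850 backport takes effect only once `LoginTo=false` is configured; the entry should mention that.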