sssd/0014-GPO-Add-gpo_implicit_d...

From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 3 Jul 2018 20:03:39 +0200
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option

This option (when set to True) can be used to deny access to
users even if there is not applicable GPO. Normally users are
allowed access in this situation.

Resolves:
https://pagure.io/SSSD/sssd/issue/3701

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/config/cfg_rules.ini     |  1 +
 src/man/sssd-ad.5.xml        | 21 +++++++++++++++++++++
 src/providers/ad/ad_common.h |  1 +
 src/providers/ad/ad_gpo.c    | 13 ++++++++++++-
 src/providers/ad/ad_opts.c   |  1 +
 5 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 36e83a9..78f215e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
 option = ad_enabled_domains
 option = ad_enable_gc
 option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
 option = ad_gpo_cache_timeout
 option = ad_gpo_default_right
 option = ad_gpo_map_batch
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index f43c7fc..0eac382 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
                 </varlistentry>
 
                 <varlistentry>
+                    <term>ad_gpo_implicit_deny (boolean)</term>
+                    <listitem>
+                        <para>
+                            Normally when no applicable GPOs are found the
+                            users are allowed access. When this option is set
+                            to True users will be allowed access only when
+                            explicitly allowed by a GPO rule. Otherwise users
+                            will be denied access. This can be used to harden
+                            security but be careful when using this option
+                            because it can deny access even to users in the
+                            built-in Administrators group if no GPO rules
+                            apply to them.
+                        </para>
+                        <para>
+                            Default: False (seconds)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+
+                <varlistentry>
                     <term>ad_gpo_cache_timeout (integer)</term>
                     <listitem>
                         <para>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index dd440da..2c52c99 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,7 @@ enum ad_basic_opt {
     AD_ACCESS_FILTER,
     AD_ENABLE_GC,
     AD_GPO_ACCESS_CONTROL,
+    AD_GPO_IMPLICIT_DENY,
     AD_GPO_CACHE_TIMEOUT,
     AD_GPO_MAP_INTERACTIVE,
     AD_GPO_MAP_REMOTE_INTERACTIVE,
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d568643..f3be723 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
     struct ldb_context *ldb_ctx;
     struct ad_access_ctx *access_ctx;
     enum gpo_access_control_mode gpo_mode;
+    bool gpo_implicit_deny;
     enum gpo_map_type gpo_map_type;
     struct sdap_id_conn_ctx *conn;
     struct sdap_id_op *sdap_op;
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
     state->gpo_mode = ctx->gpo_access_control_mode;
     state->gpo_timeout_option = ctx->gpo_cache_timeout;
     state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
+    state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
+                                               AD_GPO_IMPLICIT_DENY);
     state->access_ctx = ctx;
     state->opts = ctx->sdap_access_ctx->id_ctx->opts;
     state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
             }
         }
 
-        ret = EOK;
+        if (state->gpo_implicit_deny == true) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  "No applicable GPOs have been found and ad_gpo_implicit_deny"
+                  " is set to 'true'. The user will be denied access.\n");
+            ret = ERR_ACCESS_DENIED;
+        } else {
+            ret = EOK;
+        }
+
         goto done;
     }
 
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index ac93327..c1d9cd7 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
     { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
+    { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
     { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>`
			`Date: Tue, 3 Jul 2018 20:03:39 +0200`
			`Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option`

			`This option (when set to True) can be used to deny access to`
			`users even if there is not applicable GPO. Normally users are`
			`allowed access in this situation.`

			`Resolves:`
			`https://pagure.io/SSSD/sssd/issue/3701`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/config/cfg_rules.ini \| 1 +`
			`src/man/sssd-ad.5.xml \| 21 +++++++++++++++++++++`
			`src/providers/ad/ad_common.h \| 1 +`
			`src/providers/ad/ad_gpo.c \| 13 ++++++++++++-`
			`src/providers/ad/ad_opts.c \| 1 +`
			`5 files changed, 36 insertions(+), 1 deletion(-)`

			`diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini`
			`index 36e83a9..78f215e 100644`
			`--- a/src/config/cfg_rules.ini`
			`+++ b/src/config/cfg_rules.ini`
			`@@ -437,6 +437,7 @@ option = ad_enable_dns_sites`
			`option = ad_enabled_domains`
			`option = ad_enable_gc`
			`option = ad_gpo_access_control`
			`+option = ad_gpo_implicit_deny`
			`option = ad_gpo_cache_timeout`
			`option = ad_gpo_default_right`
			`option = ad_gpo_map_batch`
			`diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml`
			`index f43c7fc..0eac382 100644`
			`--- a/src/man/sssd-ad.5.xml`
			`+++ b/src/man/sssd-ad.5.xml`
			`@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,`
			`</varlistentry>`

			`<varlistentry>`
			`+ <term>ad_gpo_implicit_deny (boolean)</term>`
			`+ <listitem>`
			`+ <para>`
			`+ Normally when no applicable GPOs are found the`
			`+ users are allowed access. When this option is set`
			`+ to True users will be allowed access only when`
			`+ explicitly allowed by a GPO rule. Otherwise users`
			`+ will be denied access. This can be used to harden`
			`+ security but be careful when using this option`
			`+ because it can deny access even to users in the`
			`+ built-in Administrators group if no GPO rules`
			`+ apply to them.`
			`+ </para>`
			`+ <para>`
			`+ Default: False (seconds)`
			`+ </para>`
			`+ </listitem>`
			`+ </varlistentry>`
			`+`
			`+`
			`+ <varlistentry>`
			`<term>ad_gpo_cache_timeout (integer)</term>`
			`<listitem>`
			`<para>`
			`diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h`
			`index dd440da..2c52c99 100644`
			`--- a/src/providers/ad/ad_common.h`
			`+++ b/src/providers/ad/ad_common.h`
			`@@ -52,6 +52,7 @@ enum ad_basic_opt {`
			`AD_ACCESS_FILTER,`
			`AD_ENABLE_GC,`
			`AD_GPO_ACCESS_CONTROL,`
			`+ AD_GPO_IMPLICIT_DENY,`
			`AD_GPO_CACHE_TIMEOUT,`
			`AD_GPO_MAP_INTERACTIVE,`
			`AD_GPO_MAP_REMOTE_INTERACTIVE,`
			`diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c`
			`index d568643..f3be723 100644`
			`--- a/src/providers/ad/ad_gpo.c`
			`+++ b/src/providers/ad/ad_gpo.c`
			`@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {`
			`struct ldb_context *ldb_ctx;`
			`struct ad_access_ctx *access_ctx;`
			`enum gpo_access_control_mode gpo_mode;`
			`+ bool gpo_implicit_deny;`
			`enum gpo_map_type gpo_map_type;`
			`struct sdap_id_conn_ctx *conn;`
			`struct sdap_id_op *sdap_op;`
			`@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,`
			`state->gpo_mode = ctx->gpo_access_control_mode;`
			`state->gpo_timeout_option = ctx->gpo_cache_timeout;`
			`state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);`
			`+ state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,`
			`+ AD_GPO_IMPLICIT_DENY);`
			`state->access_ctx = ctx;`
			`state->opts = ctx->sdap_access_ctx->id_ctx->opts;`
			`state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);`
			`@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)`
			`}`
			`}`

			`- ret = EOK;`
			`+ if (state->gpo_implicit_deny == true) {`
			`+ DEBUG(SSSDBG_TRACE_FUNC,`
			`+ "No applicable GPOs have been found and ad_gpo_implicit_deny"`
			`+ " is set to 'true'. The user will be denied access.\n");`
			`+ ret = ERR_ACCESS_DENIED;`
			`+ } else {`
			`+ ret = EOK;`
			`+ }`
			`+`
			`goto done;`
			`}`

			`diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c`
			`index ac93327..c1d9cd7 100644`
			`--- a/src/providers/ad/ad_opts.c`
			`+++ b/src/providers/ad/ad_opts.c`
			`@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {`
			`{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},`
			`{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },`
			`{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },`
			`+ { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },`
			`{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },`
			`{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },`
			`{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },`
			`--`
			`2.9.5`