Update to latest released upstream version 2.2.0

This commit is contained in:
Michal Židek 2019-06-17 14:39:56 +02:00
parent 1d0af0b97b
commit 76a13b3c78
5 changed files with 11 additions and 225 deletions

1
.gitignore vendored
View File

@ -82,3 +82,4 @@ sssd-1.2.91.tar.gz
/sssd-1.16.2.tar.gz /sssd-1.16.2.tar.gz
/sssd-2.0.0.tar.gz /sssd-2.0.0.tar.gz
/sssd-2.1.0.tar.gz /sssd-2.1.0.tar.gz
/sssd-2.2.0.tar.gz

View File

@ -1,218 +0,0 @@
From 2f27dd9f05c2d3ed1c190ba387bc97738988efb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 17 Oct 2018 16:57:20 +0200
Subject: [PATCH] GPO: Add option ad_gpo_ignore_unreadable
Add option to ignore group policy containers in AD
with unreadable or missing attributes. This is
for the case when server contains GPOs that
have very strict permissions on their attributes
in AD but are unrelated to access control.
Rather then using this option it is better to
change the permissions on the AD objects but
that may not be always possible (company policy,
not access to server etc.).
Resolves:
https://pagure.io/SSSD/sssd/issue/3867
CVE-2018-16838
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/config/cfg_rules.ini | 1 +
src/man/sssd-ad.5.xml | 19 +++++++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_gpo.c | 67 +++++++++++++++++++++++++++++++++++++++++---
src/providers/ad/ad_opts.c | 1 +
5 files changed, 85 insertions(+), 4 deletions(-)
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index b3764bd..292aa4d 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -441,6 +441,7 @@ option = ad_enabled_domains
option = ad_enable_gc
option = ad_gpo_access_control
option = ad_gpo_implicit_deny
+option = ad_gpo_ignore_unreadable
option = ad_gpo_cache_timeout
option = ad_gpo_default_right
option = ad_gpo_map_batch
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index ae3279d..5c51e80 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -437,6 +437,25 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ad_gpo_ignore_unreadable (boolean)</term>
+ <listitem>
+ <para>
+ Normally when some group policy containers (AD
+ object) of applicable group policy objects are
+ not readable by SSSD then users are denied access.
+ This option allows to ignore group policy
+ containers and with them associated policies
+ if their attributes in group policy containers
+ are not readable for SSSD.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
+
<varlistentry>
<term>ad_gpo_cache_timeout (integer)</term>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 662276c..4eb4101 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -53,6 +53,7 @@ enum ad_basic_opt {
AD_ENABLE_GC,
AD_GPO_ACCESS_CONTROL,
AD_GPO_IMPLICIT_DENY,
+ AD_GPO_IGNORE_UNREADABLE,
AD_GPO_CACHE_TIMEOUT,
AD_GPO_MAP_INTERACTIVE,
AD_GPO_MAP_REMOTE_INTERACTIVE,
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 3b472e0..5f85910 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3603,6 +3603,7 @@ struct ad_gpo_process_gpo_state {
struct ad_access_ctx *access_ctx;
struct tevent_context *ev;
struct sdap_id_op *sdap_op;
+ struct dp_option *ad_options;
struct sdap_options *opts;
char *server_hostname;
struct sss_domain_info *host_domain;
@@ -3647,6 +3648,7 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->sdap_op = sdap_op;
+ state->ad_options = access_ctx->ad_options;
state->opts = opts;
state->server_hostname = server_hostname;
state->host_domain = host_domain;
@@ -3872,6 +3874,54 @@ static bool machine_ext_names_is_blank(char *attr_value)
}
static errno_t
+ad_gpo_missing_or_unreadable_attr(struct ad_gpo_process_gpo_state *state,
+ struct tevent_req *req)
+{
+ bool ignore_unreadable = dp_opt_get_bool(state->ad_options,
+ AD_GPO_IGNORE_UNREADABLE);
+
+ if (ignore_unreadable) {
+ /* If admins decided to skip GPOs with unreadable
+ * attributes just log the SID of skipped GPO */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Group Policy Container with DN [%s] has unreadable or missing "
+ "attributes -> skipping this GPO "
+ "(ad_gpo_ignore_unreadable = True)\n",
+ state->candidate_gpos[state->gpo_index]->gpo_dn);
+ state->gpo_index++;
+ return ad_gpo_get_gpo_attrs_step(req);
+ } else {
+ /* Inform in logs and syslog that this GPO can
+ * not be processed due to unreadable or missing
+ * attributes and point to possible server side
+ * and client side solutions. */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Group Policy Container with DN [%s] is unreadable or has "
+ "unreadable or missing attributes. In order to fix this "
+ "make sure that this AD object has following attributes "
+ "readable: nTSecurityDescriptor, cn, gPCFileSysPath, "
+ "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. "
+ "Alternatively if you do not have access to the server or can "
+ "not change permissions on this object, you can use option "
+ "ad_gpo_ignore_unreadable = True which will skip this GPO."
+ "See 'man ad_gpo_ignore_unreadable for details.'\n",
+ state->candidate_gpos[state->gpo_index]->gpo_dn);
+ sss_log(SSSDBG_CRIT_FAILURE,
+ "Group Policy Container with DN [%s] is unreadable or has "
+ "unreadable or missing attributes. In order to fix this "
+ "make sure that this AD object has following attributes "
+ "readable: nTSecurityDescriptor, cn, gPCFileSysPath, "
+ "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. "
+ "Alternatively if you do not have access to the server or can "
+ "not change permissions on this object, you can use option "
+ "ad_gpo_ignore_unreadable = True which will skip this GPO."
+ "See 'man ad_gpo_ignore_unreadable for details.'\n",
+ state->candidate_gpos[state->gpo_index]->gpo_dn);
+ return EFAULT;
+ }
+}
+
+static errno_t
ad_gpo_sd_process_attrs(struct tevent_req *req,
char *smb_host,
struct sysdb_attrs *result)
@@ -3890,7 +3940,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
/* retrieve AD_AT_CN */
ret = sysdb_attrs_get_string(result, AD_AT_CN, &gpo_guid);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
+ goto done;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_attrs_get_string failed: [%d](%s)\n",
ret, sss_strerror(ret));
@@ -3911,7 +3964,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
AD_AT_FILE_SYS_PATH,
&raw_file_sys_path);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
+ goto done;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_attrs_get_string failed: [%d](%s)\n",
ret, sss_strerror(ret));
@@ -3959,7 +4015,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
/* retrieve AD_AT_FLAGS */
ret = sysdb_attrs_get_int32_t(result, AD_AT_FLAGS,
&gp_gpo->gpo_flags);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
+ goto done;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_attrs_get_int32_t failed: [%d](%s)\n",
ret, sss_strerror(ret));
@@ -3977,7 +4036,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
if ((ret == ENOENT) || (el->num_values == 0)) {
DEBUG(SSSDBG_OP_FAILURE,
"nt_sec_desc attribute not found or has no value\n");
- ret = ENOENT;
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
goto done;
}
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 9ca18c4..f2ca215 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -39,6 +39,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
{ "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ad_gpo_ignore_unreadable", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
--
2.9.5

View File

@ -15,7 +15,7 @@ index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab
@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER} @@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
Type=notify Type=notify
NotifyAccess=main NotifyAccess=main
PIDFile=@localstatedir@/run/sssd.pid PIDFile=@pidpath@/sssd.pid
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND +CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
[Install] [Install]

View File

@ -1 +1 @@
SHA512 (sssd-2.1.0.tar.gz) = 12a7e5b89d462350af3c43e15b24a437dd985ac4a2e419d5e52cc0d05c6eacb9319d39b23681595ef860120cd1ae6e5fb265054afeddcb05d3d5f5de5d6ffa63 SHA512 (sssd-2.2.0.tar.gz) = 9ebd8784e1f0c72cb808bbc153c0b0aa9bf507938f78336a260073a89b49350dc2c6172653509738ea7a50bb9da596725e1d6c92f99c7a03308aa42f6378dbbb

View File

@ -35,15 +35,15 @@
%endif %endif
Name: sssd Name: sssd
Version: 2.1.0 Version: 2.2.0
Release: 2%{?dist} Release: 1%{?dist}
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
URL: https://pagure.io/SSSD/sssd/ URL: https://pagure.io/SSSD/sssd/
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
### Patches ### ### Patches ###
Patch0001: 0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch #Patch0001: ...
### Downstream only patches ### ### Downstream only patches ###
Patch0502: 0502-SYSTEMD-Use-capabilities.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@ -461,7 +461,7 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal
(user) name to IDs(UID or GID) or to obtain groups which user are member of. (user) name to IDs(UID or GID) or to obtain groups which user are member of.
%package -n libsss_certmap %package -n libsss_certmap
Summary: SSSD Certficate Mapping Library Summary: SSSD Certificate Mapping Library
License: LGPLv3+ License: LGPLv3+
Conflicts: sssd-common < %{version}-%{release} Conflicts: sssd-common < %{version}-%{release}
@ -469,7 +469,7 @@ Conflicts: sssd-common < %{version}-%{release}
Library to map certificates to users based on rules Library to map certificates to users based on rules
%package -n libsss_certmap-devel %package -n libsss_certmap-devel
Summary: SSSD Certficate Mapping Library Summary: SSSD Certificate Mapping Library
License: LGPLv3+ License: LGPLv3+
Requires: libsss_certmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release}
@ -1068,6 +1068,9 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so %{_libdir}/%{name}/modules/libwbclient.so
%changelog %changelog
* Mon Jun 17 2019 Michal Židek <mzidek@redhat.com> - 2.2.0-1
- Update to latest released upstream version
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_0.html
* Wed Mar 27 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-2 * Wed Mar 27 2019 Michal Židek <mzidek@redhat.com> - 2.1.0-2
- Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip - Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip