|
 |
b01884 |
From aaf938307acbe987f5e1effc2392894c22235013 Mon Sep 17 00:00:00 2001
|
|
|
b01884 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
b01884 |
Date: Fri, 11 Jan 2019 11:18:05 +0100
|
|
|
b01884 |
Subject: [PATCH] Create systemd-user HBAC service and rule
|
|
|
b01884 |
|
|
|
b01884 |
authselect changed pam_systemd session from optional to required. When
|
|
|
b01884 |
the HBAC rule allow_all is disabled and replaced with more fine grained
|
|
|
b01884 |
rules, loginsi now to fail, because systemd's user@.service is able to
|
|
|
b01884 |
create a systemd session.
|
|
|
b01884 |
|
|
|
b01884 |
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
|
|
|
b01884 |
to run on all hosts for all users by default. ipa-server-upgrade creates
|
|
|
b01884 |
the service and rule, too. In case the service already exists, no
|
|
|
b01884 |
attempt is made to create the rule. This allows admins to delete the
|
|
|
b01884 |
rule permanently.
|
|
|
b01884 |
|
|
|
b01884 |
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
|
|
|
b01884 |
Fixes: https://pagure.io/freeipa/issue/7831
|
|
|
b01884 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
b01884 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
b01884 |
---
|
|
|
b01884 |
install/share/bootstrap-template.ldif | 8 +++
|
|
|
b01884 |
install/share/default-hbac.ldif | 13 +++++
|
|
|
b01884 |
ipaserver/install/server/upgrade.py | 36 +++++++++++++
|
|
|
b01884 |
ipatests/test_integration/test_commands.py | 59 ++++++++++++++++++++++
|
|
|
b01884 |
4 files changed, 116 insertions(+)
|
|
|
b01884 |
|
|
|
b01884 |
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
|
|
|
b01884 |
index d48c4fafc..6cd17e37e 100644
|
|
|
b01884 |
--- a/install/share/bootstrap-template.ldif
|
|
|
b01884 |
+++ b/install/share/bootstrap-template.ldif
|
|
|
b01884 |
@@ -346,6 +346,14 @@ cn: sudo-i
|
|
|
b01884 |
description: sudo-i
|
|
|
b01884 |
ipauniqueid:autogenerate
|
|
|
b01884 |
|
|
|
b01884 |
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
|
|
|
b01884 |
+changetype: add
|
|
|
b01884 |
+objectclass: ipahbacservice
|
|
|
b01884 |
+objectclass: ipaobject
|
|
|
b01884 |
+cn: systemd-user
|
|
|
b01884 |
+description: pam_systemd and systemd user@.service
|
|
|
b01884 |
+ipauniqueid:autogenerate
|
|
|
b01884 |
+
|
|
|
b01884 |
dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
|
|
|
b01884 |
changetype: add
|
|
|
b01884 |
objectclass: ipahbacservice
|
|
|
b01884 |
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
|
|
|
b01884 |
index 52fd30ec9..8dd90685c 100644
|
|
|
b01884 |
--- a/install/share/default-hbac.ldif
|
|
|
b01884 |
+++ b/install/share/default-hbac.ldif
|
|
|
b01884 |
@@ -12,3 +12,16 @@ ipaenabledflag: TRUE
|
|
|
b01884 |
description: Allow all users to access any host from any host
|
|
|
b01884 |
ipauniqueid: autogenerate
|
|
|
b01884 |
|
|
|
b01884 |
+# default HBAC policy for pam_systemd
|
|
|
b01884 |
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
|
|
|
b01884 |
+changetype: add
|
|
|
b01884 |
+objectclass: ipaassociation
|
|
|
b01884 |
+objectclass: ipahbacrule
|
|
|
b01884 |
+cn: allow_systemd-user
|
|
|
b01884 |
+accessruletype: allow
|
|
|
b01884 |
+usercategory: all
|
|
|
b01884 |
+hostcategory: all
|
|
|
b01884 |
+servicecategory: systemd-user
|
|
|
b01884 |
+ipaenabledflag: TRUE
|
|
|
b01884 |
+description: Allow pam_systemd to run user@.service to create a system user session
|
|
|
b01884 |
+ipauniqueid: autogenerate
|
|
|
b01884 |
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
|
b01884 |
index ae6fcc77e..3869bae3c 100644
|
|
|
b01884 |
--- a/ipaserver/install/server/upgrade.py
|
|
|
b01884 |
+++ b/ipaserver/install/server/upgrade.py
|
|
|
b01884 |
@@ -1735,6 +1735,41 @@ def migrate_to_authselect():
|
|
|
b01884 |
sysupgrade.set_upgrade_state('authcfg', 'migrated_to_authselect', True)
|
|
|
b01884 |
|
|
|
b01884 |
|
|
|
b01884 |
+def add_systemd_user_hbac():
|
|
|
b01884 |
+ logger.info('[Create systemd-user hbac service and rule]')
|
|
|
b01884 |
+ rule = 'allow_systemd-user'
|
|
|
b01884 |
+ service = 'systemd-user'
|
|
|
b01884 |
+ try:
|
|
|
b01884 |
+ api.Command.hbacsvc_add(
|
|
|
b01884 |
+ service,
|
|
|
b01884 |
+ description='pam_systemd and systemd user@.service'
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ except ipalib.errors.DuplicateEntry:
|
|
|
b01884 |
+ logger.info('hbac service %s already exists', service)
|
|
|
b01884 |
+ # Don't create hbac rule when hbacsvc already exists, so the rule
|
|
|
b01884 |
+ # does not get re-created after it has been deleted by an admin.
|
|
|
b01884 |
+ return
|
|
|
b01884 |
+ else:
|
|
|
b01884 |
+ logger.info('Created hbacsvc %s', service)
|
|
|
b01884 |
+
|
|
|
b01884 |
+ try:
|
|
|
b01884 |
+ api.Command.hbacrule_add(
|
|
|
b01884 |
+ rule,
|
|
|
b01884 |
+ description=('Allow pam_systemd to run user@.service to create '
|
|
|
b01884 |
+ 'a system user session'),
|
|
|
b01884 |
+ usercategory='all',
|
|
|
b01884 |
+ hostcategory='all',
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ except ipalib.errors.DuplicateEntry:
|
|
|
b01884 |
+ logger.info('hbac rule %s already exists', rule)
|
|
|
b01884 |
+ else:
|
|
|
b01884 |
+ api.Command.hbacrule_add_service(
|
|
|
b01884 |
+ rule,
|
|
|
b01884 |
+ hbacsvc=(service,)
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ logger.info('Created hbac rule %s with hbacsvc=%s', rule, service)
|
|
|
b01884 |
+
|
|
|
b01884 |
+
|
|
|
b01884 |
def fix_permissions():
|
|
|
b01884 |
"""Fix permission of public accessible files and directories
|
|
|
b01884 |
|
|
|
b01884 |
@@ -2050,6 +2085,7 @@ def upgrade_configuration():
|
|
|
b01884 |
cainstance.ensure_ipa_authority_entry()
|
|
|
b01884 |
|
|
|
b01884 |
migrate_to_authselect()
|
|
|
b01884 |
+ add_systemd_user_hbac()
|
|
|
b01884 |
|
|
|
b01884 |
sssd_update()
|
|
|
b01884 |
|
|
|
b01884 |
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
|
|
b01884 |
index cfb2fa48d..1fb6450a2 100644
|
|
|
b01884 |
--- a/ipatests/test_integration/test_commands.py
|
|
|
b01884 |
+++ b/ipatests/test_integration/test_commands.py
|
|
|
b01884 |
@@ -462,3 +462,62 @@ class TestIPACommand(IntegrationTest):
|
|
|
b01884 |
['sudo', '-u', IPAAPI_USER, '--'] + cmd
|
|
|
b01884 |
)
|
|
|
b01884 |
assert uid in result.stdout_text
|
|
|
b01884 |
+
|
|
|
b01884 |
+ def test_hbac_systemd_user(self):
|
|
|
b01884 |
+ # https://pagure.io/freeipa/issue/7831
|
|
|
b01884 |
+ tasks.kinit_admin(self.master)
|
|
|
b01884 |
+ # check for presence
|
|
|
b01884 |
+ self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacrule-show', 'allow_systemd-user']
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacsvc-show', 'systemd-user']
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+
|
|
|
b01884 |
+ # delete both
|
|
|
b01884 |
+ self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacrule-del', 'allow_systemd-user']
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacsvc-del', 'systemd-user']
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+
|
|
|
b01884 |
+ # run upgrade
|
|
|
b01884 |
+ result = self.master.run_command(['ipa-server-upgrade'])
|
|
|
b01884 |
+ assert 'Created hbacsvc systemd-user' in result.stderr_text
|
|
|
b01884 |
+ assert 'Created hbac rule allow_systemd-user' in result.stderr_text
|
|
|
b01884 |
+
|
|
|
b01884 |
+ # check for presence
|
|
|
b01884 |
+ result = self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ lines = set(l.strip() for l in result.stdout_text.split('\n'))
|
|
|
b01884 |
+ assert 'User category: all' in lines
|
|
|
b01884 |
+ assert 'Host category: all' in lines
|
|
|
b01884 |
+ assert 'Enabled: TRUE' in lines
|
|
|
b01884 |
+ assert 'Services: systemd-user' in lines
|
|
|
b01884 |
+ assert 'accessruletype: allow' in lines
|
|
|
b01884 |
+
|
|
|
b01884 |
+ self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacsvc-show', 'systemd-user']
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+
|
|
|
b01884 |
+ # only delete rule
|
|
|
b01884 |
+ self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacrule-del', 'allow_systemd-user']
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+
|
|
|
b01884 |
+ # run upgrade
|
|
|
b01884 |
+ result = self.master.run_command(['ipa-server-upgrade'])
|
|
|
b01884 |
+ assert (
|
|
|
b01884 |
+ 'hbac service systemd-user already exists' in result.stderr_text
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ assert (
|
|
|
b01884 |
+ 'Created hbac rule allow_systemd-user' not in result.stderr_text
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ result = self.master.run_command(
|
|
|
b01884 |
+ ['ipa', 'hbacrule-show', 'allow_systemd-user'],
|
|
|
b01884 |
+ raiseonerr=False
|
|
|
b01884 |
+ )
|
|
|
b01884 |
+ assert result.returncode != 0
|
|
|
b01884 |
+ assert 'HBAC rule not found' in result.stderr_text
|
|
|
b01884 |
--
|
|
|
b01884 |
2.20.1
|
|
|
b01884 |
|