b01884
From aaf938307acbe987f5e1effc2392894c22235013 Mon Sep 17 00:00:00 2001
b01884
From: Christian Heimes <cheimes@redhat.com>
b01884
Date: Fri, 11 Jan 2019 11:18:05 +0100
b01884
Subject: [PATCH] Create systemd-user HBAC service and rule
b01884
b01884
authselect changed pam_systemd session from optional to required. When
b01884
the HBAC rule allow_all is disabled and replaced with more fine grained
b01884
rules, logins now fail, because systemd's user@.service is not able to
b01884
create a systemd session.
b01884
b01884
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
b01884
to run on all hosts for all users by default. ipa-server-upgrade creates
b01884
the service and rule, too. In case the service already exists, no
b01884
attempt is made to create the rule. This allows admins to delete the
b01884
rule permanently.
b01884
b01884
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
b01884
Fixes: https://pagure.io/freeipa/issue/7831
b01884
Signed-off-by: Christian Heimes <cheimes@redhat.com>
b01884
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
b01884
---
b01884
 install/share/bootstrap-template.ldif      |  8 +++
b01884
 install/share/default-hbac.ldif            | 13 +++++
b01884
 ipaserver/install/server/upgrade.py        | 36 +++++++++++++
b01884
 ipatests/test_integration/test_commands.py | 59 ++++++++++++++++++++++
b01884
 4 files changed, 116 insertions(+)
b01884
b01884
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
b01884
index d48c4fafc..6cd17e37e 100644
b01884
--- a/install/share/bootstrap-template.ldif
b01884
+++ b/install/share/bootstrap-template.ldif
b01884
@@ -346,6 +346,14 @@ cn: sudo-i
b01884
 description: sudo-i
b01884
 ipauniqueid:autogenerate
b01884
 
b01884
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
b01884
+changetype: add
b01884
+objectclass: ipahbacservice
b01884
+objectclass: ipaobject
b01884
+cn: systemd-user
b01884
+description: pam_systemd and systemd user@.service
b01884
+ipauniqueid:autogenerate
b01884
+
b01884
 dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
b01884
 changetype: add
b01884
 objectclass: ipahbacservice
b01884
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
b01884
index 52fd30ec9..8dd90685c 100644
b01884
--- a/install/share/default-hbac.ldif
b01884
+++ b/install/share/default-hbac.ldif
b01884
@@ -12,3 +12,16 @@ ipaenabledflag: TRUE
b01884
 description: Allow all users to access any host from any host
b01884
 ipauniqueid: autogenerate
b01884
 
b01884
+# default HBAC policy for pam_systemd
b01884
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
b01884
+changetype: add
b01884
+objectclass: ipaassociation
b01884
+objectclass: ipahbacrule
b01884
+cn: allow_systemd-user
b01884
+accessruletype: allow
b01884
+usercategory: all
b01884
+hostcategory: all
b01884
+servicecategory: systemd-user
b01884
+ipaenabledflag: TRUE
b01884
+description: Allow pam_systemd to run user@.service to create a system user session
b01884
+ipauniqueid: autogenerate
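Review bot: `servicecategory: systemd-user` on the new rule is inconsistent with the upgrade path added in this same commit, which attaches the service with `hbacrule_add_service(rule, hbacsvc=(service,))`, i.e. as a member service rather than as a category. In the ipahbacrule model servicecategory is the `all` switch and a named service is referenced through a memberservice DN, so a fresh install would presumably end up with a rule that does not select the systemd-user service (or an entry the loader rejects), while only upgraded servers get the intended rule; how the LDIF loader treats an unexpected category value is not visible here, so this is hedged. Suggested replacement line: `memberservice: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX`. The integration test in this commit only exercises ipa-server-upgrade, so a fresh-install assertion on `ipa hbacrule-show allow_systemd-user` showing `Services: systemd-user` would catch the divergence.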
b01884
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
b01884
index ae6fcc77e..3869bae3c 100644
b01884
--- a/ipaserver/install/server/upgrade.py
b01884
+++ b/ipaserver/install/server/upgrade.py
b01884
@@ -1735,6 +1735,41 @@ def migrate_to_authselect():
b01884
     sysupgrade.set_upgrade_state('authcfg', 'migrated_to_authselect', True)
b01884
 
b01884
 
b01884
+def add_systemd_user_hbac():
b01884
+    logger.info('[Create systemd-user hbac service and rule]')
b01884
+    rule = 'allow_systemd-user'
b01884
+    service = 'systemd-user'
b01884
+    try:
b01884
+        api.Command.hbacsvc_add(
b01884
+            service,
b01884
+            description='pam_systemd and systemd user@.service'
b01884
+        )
b01884
+    except ipalib.errors.DuplicateEntry:
b01884
+        logger.info('hbac service %s already exists', service)
b01884
+        # Don't create hbac rule when hbacsvc already exists, so the rule
b01884
+        # does not get re-created after it has been deleted by an admin.
b01884
+        return
b01884
+    else:
b01884
+        logger.info('Created hbacsvc %s', service)
b01884
+
b01884
+    try:
b01884
+        api.Command.hbacrule_add(
b01884
+            rule,
b01884
+            description=('Allow pam_systemd to run user@.service to create '
b01884
+                         'a system user session'),
b01884
+            usercategory='all',
b01884
+            hostcategory='all',
b01884
+        )
b01884
+    except ipalib.errors.DuplicateEntry:
b01884
+        logger.info('hbac rule %s already exists', rule)
b01884
+    else:
b01884
+        api.Command.hbacrule_add_service(
b01884
+            rule,
b01884
+            hbacsvc=(service,)
b01884
+        )
b01884
+        logger.info('Created hbac rule %s with hbacsvc=%s', rule, service)
b01884
+
b01884
+
b01884
 def fix_permissions():
b01884
     """Fix permission of public accessible files and directories
b01884
 
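Review bot: `add_systemd_user_hbac` has no docstring, and its most consequential behaviour — the early `return` after `DuplicateEntry` from `hbacsvc_add`, which suppresses rule creation whenever a `systemd-user` hbacsvc exists for any reason, not only after an admin deleted the rule — is explained only by an inline comment. Suggest a docstring such as `"""Create the systemd-user HBAC service and its default allow-all rule.` / `` / `If the hbacsvc already exists the rule is deliberately not created, so an admin can remove it permanently."""`. The rule is added enabled with `usercategory='all'` and `hostcategory='all'` before `hbacrule_add_service` attaches the service; if that third call fails the upgrade aborts with an enabled, service-less rule left behind, which presumably matches no service, but a one-line comment stating that ordering assumption, e.g. `# rule has no services until hbacrule_add_service succeeds`, would help the next maintainer.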
b01884
@@ -2050,6 +2085,7 @@ def upgrade_configuration():
b01884
         cainstance.ensure_ipa_authority_entry()
b01884
 
b01884
     migrate_to_authselect()
b01884
+    add_systemd_user_hbac()
b01884
 
b01884
     sssd_update()
b01884
 
b01884
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
b01884
index cfb2fa48d..1fb6450a2 100644
b01884
--- a/ipatests/test_integration/test_commands.py
b01884
+++ b/ipatests/test_integration/test_commands.py
b01884
@@ -462,3 +462,62 @@ class TestIPACommand(IntegrationTest):
b01884
             ['sudo', '-u', IPAAPI_USER, '--'] + cmd
b01884
         )
b01884
         assert uid in result.stdout_text
b01884
+
b01884
+    def test_hbac_systemd_user(self):
b01884
+        # https://pagure.io/freeipa/issue/7831
b01884
+        tasks.kinit_admin(self.master)
b01884
+        # check for presence
b01884
+        self.master.run_command(
b01884
+            ['ipa', 'hbacrule-show', 'allow_systemd-user']
b01884
+        )
b01884
+        self.master.run_command(
b01884
+            ['ipa', 'hbacsvc-show', 'systemd-user']
b01884
+        )
b01884
+
b01884
+        # delete both
b01884
+        self.master.run_command(
b01884
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
b01884
+        )
b01884
+        self.master.run_command(
b01884
+            ['ipa', 'hbacsvc-del', 'systemd-user']
b01884
+        )
b01884
+
b01884
+        # run upgrade
b01884
+        result = self.master.run_command(['ipa-server-upgrade'])
b01884
+        assert 'Created hbacsvc systemd-user' in result.stderr_text
b01884
+        assert 'Created hbac rule allow_systemd-user' in result.stderr_text
b01884
+
b01884
+        # check for presence
b01884
+        result = self.master.run_command(
b01884
+            ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
b01884
+        )
b01884
+        lines = set(l.strip() for l in result.stdout_text.split('\n'))
b01884
+        assert 'User category: all' in lines
b01884
+        assert 'Host category: all' in lines
b01884
+        assert 'Enabled: TRUE' in lines
b01884
+        assert 'Services: systemd-user' in lines
b01884
+        assert 'accessruletype: allow' in lines
b01884
+
b01884
+        self.master.run_command(
b01884
+            ['ipa', 'hbacsvc-show', 'systemd-user']
b01884
+        )
b01884
+
b01884
+        # only delete rule
b01884
+        self.master.run_command(
b01884
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
b01884
+        )
b01884
+
b01884
+        # run upgrade
b01884
+        result = self.master.run_command(['ipa-server-upgrade'])
b01884
+        assert (
b01884
+            'hbac service systemd-user already exists' in result.stderr_text
b01884
+        )
b01884
+        assert (
b01884
+            'Created hbac rule allow_systemd-user' not in result.stderr_text
b01884
+        )
b01884
+        result = self.master.run_command(
b01884
+            ['ipa', 'hbacrule-show', 'allow_systemd-user'],
b01884
+            raiseonerr=False
b01884
+        )
b01884
+        assert result.returncode != 0
b01884
+        assert 'HBAC rule not found' in result.stderr_text
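Review bot: `test_hbac_systemd_user` deletes the default `allow_systemd-user` rule and never restores it — the final upgrade run is asserted not to re-create it — so every later test in `TestIPACommand` (the class starts outside this hunk) runs on a master whose pam_systemd access depends on `allow_all` still being enabled, and any failure between the `hbacsvc-del` and the first `ipa-server-upgrade` leaves the service missing as well. Wrapping the body in `try/finally` and re-running the already-tested upgrade path after removing both objects restores the default state using only commands the test already uses. Separately, `set(l.strip() for l in ...)` uses the ambiguous name `l` and can be the set comprehension `{line.strip() for line in result.stdout_text.split('\n')}`.
```python
    def test_hbac_systemd_user(self):
        # https://pagure.io/freeipa/issue/7831
        tasks.kinit_admin(self.master)
        try:
            # … unchanged: presence checks, deletions, upgrade runs, assertions …
            pass
        finally:
            # Restore the default service and rule removed above so later
            # tests do not depend on allow_all covering pam_systemd.
            self.master.run_command(
                ['ipa', 'hbacrule-del', 'allow_systemd-user'], raiseonerr=False
            )
            self.master.run_command(
                ['ipa', 'hbacsvc-del', 'systemd-user'], raiseonerr=False
            )
            self.master.run_command(['ipa-server-upgrade'])
```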
b01884
-- 
b01884
2.20.1
b01884