From aaf938307acbe987f5e1effc2392894c22235013 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 11 Jan 2019 11:18:05 +0100
Subject: [PATCH] Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, logins now fail, because systemd's user@.service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/share/bootstrap-template.ldif | 8 +++
install/share/default-hbac.ldif | 13 +++++
ipaserver/install/server/upgrade.py | 36 +++++++++++++
ipatests/test_integration/test_commands.py | 59 ++++++++++++++++++++++
4 files changed, 116 insertions(+)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index d48c4fafc..6cd17e37e 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -346,6 +346,14 @@ cn: sudo-i
description: sudo-i
ipauniqueid:autogenerate
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipahbacservice
+objectclass: ipaobject
+cn: systemd-user
+description: pam_systemd and systemd user@.service
+ipauniqueid:autogenerate
+
dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
changetype: add
objectclass: ipahbacservice
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
index 52fd30ec9..8dd90685c 100644
--- a/install/share/default-hbac.ldif
+++ b/install/share/default-hbac.ldif
@@ -12,3 +12,16 @@ ipaenabledflag: TRUE
description: Allow all users to access any host from any host
ipauniqueid: autogenerate
+# default HBAC policy for pam_systemd
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_systemd-user
+accessruletype: allow
+usercategory: all
+hostcategory: all
+servicecategory: systemd-user
+ipaenabledflag: TRUE
+description: Allow pam_systemd to run user@.service to create a system user session
+ipauniqueid: autogenerate
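Review bot: `servicecategory: systemd-user` on the new allow_systemd-user rule does not bind the rule to the hbacsvc: if I read the hbacrule schema right, servicecategory only carries the `all` wildcard, and membership is expressed through memberservice, which is exactly what the upgrade path in this commit does via hbacrule_add_service. A fresh install would therefore get an enabled rule whose service set is either empty (fail-closed, so the login failure this commit fixes persists) or rejected by hbacrule-show as an invalid category. Replace the line with `memberservice: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX`, matching the service entry added to bootstrap-template.ldif. The integration test only exercises the upgrade path, so it would not catch the install-time variant.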
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index ae6fcc77e..3869bae3c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1735,6 +1735,41 @@ def migrate_to_authselect():
sysupgrade.set_upgrade_state('authcfg', 'migrated_to_authselect', True)
+def add_systemd_user_hbac():
+ logger.info('[Create systemd-user hbac service and rule]')
+ rule = 'allow_systemd-user'
+ service = 'systemd-user'
+ try:
+ api.Command.hbacsvc_add(
+ service,
+ description='pam_systemd and systemd user@.service'
+ )
+ except ipalib.errors.DuplicateEntry:
+ logger.info('hbac service %s already exists', service)
+ # Don't create hbac rule when hbacsvc already exists, so the rule
+ # does not get re-created after it has been deleted by an admin.
+ return
+ else:
+ logger.info('Created hbacsvc %s', service)
+
+ try:
+ api.Command.hbacrule_add(
+ rule,
+ description=('Allow pam_systemd to run user@.service to create '
+ 'a system user session'),
+ usercategory='all',
+ hostcategory='all',
+ )
+ except ipalib.errors.DuplicateEntry:
+ logger.info('hbac rule %s already exists', rule)
+ else:
+ api.Command.hbacrule_add_service(
+ rule,
+ hbacsvc=(service,)
+ )
+ logger.info('Created hbac rule %s with hbacsvc=%s', rule, service)
+
+
def fix_permissions():
"""Fix permission of public accessible files and directories
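Review bot: The "Created hbac rule ... with hbacsvc=..." log line is emitted whether or not hbacrule_add_service actually attached the service; as far as I recall the *_add_member commands report per-member failures in `result['failed']` / `result['completed']` instead of raising, and the test at the end of this commit keys on that log text. Check the result before logging, e.g. `result = api.Command.hbacrule_add_service(rule, hbacsvc=(service,))` followed by `if result['completed'] != 1: logger.warning('hbac rule %s created without hbacsvc %s: %s', rule, service, result['failed'])`. This also matters because the early `return` on DuplicateEntry for the service means a rule left without its member service is never repaired by a later upgrade run; a short docstring stating that contract ("the rule is created only together with the service, so deleting the rule is permanent") would help the next maintainer. fix_permissions continues outside the hunk.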
@@ -2050,6 +2085,7 @@ def upgrade_configuration():
cainstance.ensure_ipa_authority_entry()
migrate_to_authselect()
+ add_systemd_user_hbac()
sssd_update()
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index cfb2fa48d..1fb6450a2 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -462,3 +462,62 @@ class TestIPACommand(IntegrationTest):
['sudo', '-u', IPAAPI_USER, '--'] + cmd
)
assert uid in result.stdout_text
+
+ def test_hbac_systemd_user(self):
+ # https://pagure.io/freeipa/issue/7831
+ tasks.kinit_admin(self.master)
+ # check for presence
+ self.master.run_command(
+ ['ipa', 'hbacrule-show', 'allow_systemd-user']
+ )
+ self.master.run_command(
+ ['ipa', 'hbacsvc-show', 'systemd-user']
+ )
+
+ # delete both
+ self.master.run_command(
+ ['ipa', 'hbacrule-del', 'allow_systemd-user']
+ )
+ self.master.run_command(
+ ['ipa', 'hbacsvc-del', 'systemd-user']
+ )
+
+ # run upgrade
+ result = self.master.run_command(['ipa-server-upgrade'])
+ assert 'Created hbacsvc systemd-user' in result.stderr_text
+ assert 'Created hbac rule allow_systemd-user' in result.stderr_text
+
+ # check for presence
+ result = self.master.run_command(
+ ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
+ )
+ lines = set(l.strip() for l in result.stdout_text.split('\n'))
+ assert 'User category: all' in lines
+ assert 'Host category: all' in lines
+ assert 'Enabled: TRUE' in lines
+ assert 'Services: systemd-user' in lines
+ assert 'accessruletype: allow' in lines
+
+ self.master.run_command(
+ ['ipa', 'hbacsvc-show', 'systemd-user']
+ )
+
+ # only delete rule
+ self.master.run_command(
+ ['ipa', 'hbacrule-del', 'allow_systemd-user']
+ )
+
+ # run upgrade
+ result = self.master.run_command(['ipa-server-upgrade'])
+ assert (
+ 'hbac service systemd-user already exists' in result.stderr_text
+ )
+ assert (
+ 'Created hbac rule allow_systemd-user' not in result.stderr_text
+ )
+ result = self.master.run_command(
+ ['ipa', 'hbacrule-show', 'allow_systemd-user'],
+ raiseonerr=False
+ )
+ assert result.returncode != 0
+ assert 'HBAC rule not found' in result.stderr_text
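Review bot: The test leaves the master without the allow_systemd-user rule: the last step deletes the rule and then verifies that the upgrade does not re-create it, and nothing restores it, so every later test in the class inherits that state, and an assertion failure halfway through also leaves the service or rule missing. Wrap the body in a try/finally that re-creates the defaults, e.g. `self.master.run_command(['ipa', 'hbacsvc-del', 'systemd-user'], raiseonerr=False)` followed by `self.master.run_command(['ipa-server-upgrade'])`, which re-creates both through this commit's add_systemd_user_hbac. Separately, `lines = set(l.strip() for l in ...)` uses `l` as the loop variable (flake8 E741); `line` reads better. The enclosing class TestIPACommand starts before this hunk.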
--
2.20.1