From aaf938307acbe987f5e1effc2392894c22235013 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 11 Jan 2019 11:18:05 +0100
Subject: [PATCH] Create systemd-user HBAC service and rule

authselect changed pam_systemd session from optional to required. When the HBAC rule allow_all is disabled and replaced with more fine grained rules, loginsi now to fail, because systemd's user@.service is able to create a systemd session. Add systemd-user HBAC service and a HBAC rule that allows systemd-user to run on all hosts for all users by default. ipa-server-upgrade creates the service and rule, too. In case the service already exists, no attempt is made to create the rule. This allows admins to delete the rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
 install/share/bootstrap-template.ldif | 8 +++
 install/share/default-hbac.ldif | 13 +++++
 ipaserver/install/server/upgrade.py | 36 +++++++++++++
 ipatests/test_integration/test_commands.py | 59 ++++++++++++++++++++++
 4 files changed, 116 insertions(+)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index d48c4fafc..6cd17e37e 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -346,6 +346,14 @@
 cn: sudo-i
 description: sudo-i
 ipauniqueid:autogenerate
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipahbacservice
+objectclass: ipaobject
+cn: systemd-user
+description: pam_systemd and systemd user@.service
+ipauniqueid:autogenerate
+
 dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
 changetype: add
 objectclass: ipahbacservice
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
index 52fd30ec9..8dd90685c 100644
--- a/install/share/default-hbac.ldif
+++ b/install/share/default-hbac.ldif
@@ -12,3 +12,16 @@
 ipaenabledflag: TRUE
 description: Allow all users to access any host from any host
 ipauniqueid: autogenerate
+# default HBAC policy for pam_systemd
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_systemd-user
+accessruletype: allow
+usercategory: all
+hostcategory: all
+servicecategory: systemd-user
+ipaenabledflag: TRUE
+description: Allow pam_systemd to run user@.service to create a system user session
+ipauniqueid: autogenerate
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index ae6fcc77e..3869bae3c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1735,6 +1735,41 @@ def migrate_to_authselect():
     sysupgrade.set_upgrade_state('authcfg', 'migrated_to_authselect', True)
+def add_systemd_user_hbac():
+    logger.info('[Create systemd-user hbac service and rule]')
+    rule = 'allow_systemd-user'
+    service = 'systemd-user'
+    try:
+        api.Command.hbacsvc_add(
+            service,
+            description='pam_systemd and systemd user@.service'
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac service %s already exists', service)
+        # Don't create hbac rule when hbacsvc already exists, so the rule
+        # does not get re-created after it has been deleted by an admin.
+        return
+    else:
+        logger.info('Created hbacsvc %s', service)
+
+    try:
+        api.Command.hbacrule_add(
+            rule,
+            description=('Allow pam_systemd to run user@.service to create '
+                         'a system user session'),
+            usercategory='all',
+            hostcategory='all',
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac rule %s already exists', rule)
+    else:
+        api.Command.hbacrule_add_service(
+            rule,
+            hbacsvc=(service,)
+        )
+        logger.info('Created hbac rule %s with hbacsvc=%s', rule, service)
+
+
 def fix_permissions():
     """Fix permission of public accessible files and directories
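Review bot: `servicecategory: systemd-user` on the new `allow_systemd-user` entry does not match how the upgrade path in ipaserver/install/server/upgrade.py builds the same rule, where the service is attached with `hbacrule_add_service`, i.e. as a member service, and the neighbouring `allow_all` rule in the context lines shows `servicecategory` carrying the keyword `all` rather than a service name. A fresh install and an upgraded server therefore end up with two differently shaped `allow_systemd-user` rules, and the test in this patch only inspects the upgrade-created one. If the intent is to scope the rule to the one service, the line should presumably be `memberservice: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX` (the entry this patch adds to bootstrap-template.ldif); please confirm against the ipahbacrule schema and the HBAC evaluator whether a `servicecategory` value other than `all` is accepted at all, since a rule that matches no service would leave the fresh-install case with the very login failure the commit sets out to fix.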
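Review bot: `add_systemd_user_hbac` is not safe against a partial run: once `hbacrule_add` succeeds, a failure in `hbacrule_add_service` leaves `allow_systemd-user` with no service, and the next upgrade takes the `DuplicateEntry` branch for the service and returns before the rule is touched, so the half-built rule is never repaired. If I remember the API right, LDAPAddMember-style commands report per-member problems in the returned `failed` mapping rather than raising, so the failure would also be silent; consider `result = api.Command.hbacrule_add_service(rule, hbacsvc=(service,))` and logging an error when any member is listed under `result['failed']` (confirm the exact shape of that mapping before relying on it). The function also lacks the docstring the neighbouring `fix_permissions` has; something like `"""Create the systemd-user HBAC service and its allow_systemd-user rule; skip the rule whenever the service already exists so an admin's deletion of the rule sticks."""` would document the intent that the inline comment only covers for the early return.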
@@ -2050,6 +2085,7 @@ def upgrade_configuration():
     cainstance.ensure_ipa_authority_entry()
     migrate_to_authselect()
+    add_systemd_user_hbac()
     sssd_update()
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index cfb2fa48d..1fb6450a2 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -462,3 +462,62 @@ class TestIPACommand(IntegrationTest):
             ['sudo', '-u', IPAAPI_USER, '--'] + cmd
         )
         assert uid in result.stdout_text
+
+    def test_hbac_systemd_user(self):
+        # https://pagure.io/freeipa/issue/7831
+        tasks.kinit_admin(self.master)
+        # check for presence
+        self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # delete both
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-del', 'systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert 'Created hbacsvc systemd-user' in result.stderr_text
+        assert 'Created hbac rule allow_systemd-user' in result.stderr_text
+
+        # check for presence
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
+        )
+        lines = set(l.strip() for l in result.stdout_text.split('\n'))
+        assert 'User category: all' in lines
+        assert 'Host category: all' in lines
+        assert 'Enabled: TRUE' in lines
+        assert 'Services: systemd-user' in lines
+        assert 'accessruletype: allow' in lines
+
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # only delete rule
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert (
+            'hbac service systemd-user already exists' in result.stderr_text
+        )
+        assert (
+            'Created hbac rule allow_systemd-user' not in result.stderr_text
+        )
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user'],
+            raiseonerr=False
+        )
+        assert result.returncode != 0
+        assert 'HBAC rule not found' in result.stderr_text
-- 
2.20.1
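Review bot: `test_hbac_systemd_user` only checks the shape of `allow_systemd-user` after `ipa-server-upgrade` has re-created it; the rule installed from default-hbac.ldif on a fresh server is deleted in the "delete both" block without its categories or services ever being inspected, so a divergence between the LDIF definition and the upgrade-created one would go unnoticed. Running the same `hbacrule-show ... --all` and the `User category` / `Host category` / `Services: systemd-user` asserts once before the first `hbacrule-del` would close that gap. The method also ends with the rule deleted (the final upgrade run intentionally does not re-create it), so every later test in `TestIPACommand` runs against a different HBAC policy than a fresh install; restoring the rule in a `finally` or a teardown fixture would keep the class order-independent. Minor: `l` as a loop name is flagged by linters (E741) — `set(line.strip() for line in result.stdout_text.split('\n'))` reads better.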