Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When the HBAC rule allow_all is disabled and replaced with more fine grained rules, logins now fail, because systemd's user@.service is able to create a systemd session. Add systemd-user HBAC service and a HBAC rule that allows systemd-user to run on all hosts for all users by default. ipa-server-upgrade creates the service and rule, too. In case the service already exists, no attempt is made to create the rule. This allows admins to delete the rule permanently. See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928 Fixes: https://pagure.io/freeipa/issue/7831 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
c26cb5afde
commit
2ef6e14c5a
@ -346,6 +346,14 @@ cn: sudo-i
|
||||
description: sudo-i
|
||||
ipauniqueid:autogenerate
|
||||
|
||||
dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
|
||||
changetype: add
|
||||
objectclass: ipahbacservice
|
||||
objectclass: ipaobject
|
||||
cn: systemd-user
|
||||
description: pam_systemd and systemd user@.service
|
||||
ipauniqueid:autogenerate
|
||||
|
||||
dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
|
||||
changetype: add
|
||||
objectclass: ipahbacservice
|
||||
|
@ -12,3 +12,16 @@ ipaenabledflag: TRUE
|
||||
description: Allow all users to access any host from any host
|
||||
ipauniqueid: autogenerate
|
||||
|
||||
# default HBAC policy for pam_systemd
|
||||
dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
|
||||
changetype: add
|
||||
objectclass: ipaassociation
|
||||
objectclass: ipahbacrule
|
||||
cn: allow_systemd-user
|
||||
accessruletype: allow
|
||||
usercategory: all
|
||||
hostcategory: all
|
||||
servicecategory: systemd-user
|
||||
ipaenabledflag: TRUE
|
||||
description: Allow pam_systemd to run user@.service to create a system user session
|
||||
ipauniqueid: autogenerate
|
||||
|
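Review bot: `servicecategory: systemd-user` on the allow_systemd-user entry looks like the wrong attribute for binding one service: on the same entry `usercategory` and `hostcategory` carry the value `all`, and the upgrade code in this commit attaches the service as a rule member through `hbacrule_add_service` rather than setting a category, so a rule loaded from this LDIF on a fresh install and a rule created by ipa-server-upgrade will not have the same shape. If category attributes are only honoured with the value `all`, a rule from this file may never match pam_systemd and the default allow would silently not apply; worth confirming on a fresh install with `ipa hbacrule-show allow_systemd-user --all` that the service shows up under Services, as the new integration test expects. I would expect `memberservice: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX` in place of the servicecategory line.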
@ -1735,6 +1735,41 @@ def migrate_to_authselect():
|
||||
sysupgrade.set_upgrade_state('authcfg', 'migrated_to_authselect', True)
|
||||
|
||||
|
||||
def add_systemd_user_hbac():
|
||||
logger.info('[Create systemd-user hbac service and rule]')
|
||||
rule = 'allow_systemd-user'
|
||||
service = 'systemd-user'
|
||||
try:
|
||||
api.Command.hbacsvc_add(
|
||||
service,
|
||||
description='pam_systemd and systemd user@.service'
|
||||
)
|
||||
except ipalib.errors.DuplicateEntry:
|
||||
logger.info('hbac service %s already exists', service)
|
||||
# Don't create hbac rule when hbacsvc already exists, so the rule
|
||||
# does not get re-created after it has been deleted by an admin.
|
||||
return
|
||||
else:
|
||||
logger.info('Created hbacsvc %s', service)
|
||||
|
||||
try:
|
||||
api.Command.hbacrule_add(
|
||||
rule,
|
||||
description=('Allow pam_systemd to run user@.service to create '
|
||||
'a system user session'),
|
||||
usercategory='all',
|
||||
hostcategory='all',
|
||||
)
|
||||
except ipalib.errors.DuplicateEntry:
|
||||
logger.info('hbac rule %s already exists', rule)
|
||||
else:
|
||||
api.Command.hbacrule_add_service(
|
||||
rule,
|
||||
hbacsvc=(service,)
|
||||
)
|
||||
logger.info('Created hbac rule %s with hbacsvc=%s', rule, service)
|
||||
|
||||
|
||||
def fix_permissions():
|
||||
"""Fix permission of public accessible files and directories
|
||||
|
||||
@ -2050,6 +2085,7 @@ def upgrade_configuration():
|
||||
cainstance.ensure_ipa_authority_entry()
|
||||
|
||||
migrate_to_authselect()
|
||||
add_systemd_user_hbac()
|
||||
|
||||
sssd_update()
|
||||
|
||||
|
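Review bot: add_systemd_user_hbac logs "Created hbac rule ... with hbacsvc=..." without inspecting what `hbacrule_add_service` returns; that command reports members it could not attach in its `failed` output instead of raising, so a rule left with no service would be logged as a success, and because the service then already exists every later upgrade returns early and never repairs the rule. Capture the result and treat an incomplete add as an error, e.g. `result = api.Command.hbacrule_add_service(rule, hbacsvc=(service,))` followed by `if result['completed'] != 1: raise RuntimeError('hbacrule_add_service failed: %s' % result['failed'])` (or at least `logger.error`) before the success log line. The function also has no docstring; a short one should state that the service is the idempotency marker and that an admin deleting only the rule is honoured on subsequent upgrades, since that contract is easy to break when the function is edited.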
@ -495,3 +495,62 @@ class TestIPACommand(IntegrationTest):
|
||||
assert result.returncode == 1
|
||||
|
||||
self.master.run_command(['rm', '-f', filename])
|
||||
|
||||
def test_hbac_systemd_user(self):
|
||||
# https://pagure.io/freeipa/issue/7831
|
||||
tasks.kinit_admin(self.master)
|
||||
# check for presence
|
||||
self.master.run_command(
|
||||
['ipa', 'hbacrule-show', 'allow_systemd-user']
|
||||
)
|
||||
self.master.run_command(
|
||||
['ipa', 'hbacsvc-show', 'systemd-user']
|
||||
)
|
||||
|
||||
# delete both
|
||||
self.master.run_command(
|
||||
['ipa', 'hbacrule-del', 'allow_systemd-user']
|
||||
)
|
||||
self.master.run_command(
|
||||
['ipa', 'hbacsvc-del', 'systemd-user']
|
||||
)
|
||||
|
||||
# run upgrade
|
||||
result = self.master.run_command(['ipa-server-upgrade'])
|
||||
assert 'Created hbacsvc systemd-user' in result.stderr_text
|
||||
assert 'Created hbac rule allow_systemd-user' in result.stderr_text
|
||||
|
||||
# check for presence
|
||||
result = self.master.run_command(
|
||||
['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
|
||||
)
|
||||
lines = set(l.strip() for l in result.stdout_text.split('\n'))
|
||||
assert 'User category: all' in lines
|
||||
assert 'Host category: all' in lines
|
||||
assert 'Enabled: TRUE' in lines
|
||||
assert 'Services: systemd-user' in lines
|
||||
assert 'accessruletype: allow' in lines
|
||||
|
||||
self.master.run_command(
|
||||
['ipa', 'hbacsvc-show', 'systemd-user']
|
||||
)
|
||||
|
||||
# only delete rule
|
||||
self.master.run_command(
|
||||
['ipa', 'hbacrule-del', 'allow_systemd-user']
|
||||
)
|
||||
|
||||
# run upgrade
|
||||
result = self.master.run_command(['ipa-server-upgrade'])
|
||||
assert (
|
||||
'hbac service systemd-user already exists' in result.stderr_text
|
||||
)
|
||||
assert (
|
||||
'Created hbac rule allow_systemd-user' not in result.stderr_text
|
||||
)
|
||||
result = self.master.run_command(
|
||||
['ipa', 'hbacrule-show', 'allow_systemd-user'],
|
||||
raiseonerr=False
|
||||
)
|
||||
assert result.returncode != 0
|
||||
assert 'HBAC rule not found' in result.stderr_text
|
||||
|
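Review bot: test_hbac_systemd_user leaves the master without the allow_systemd-user rule when it returns, because the final step deletes the rule and the following upgrade deliberately does not recreate it, so any later test in TestIPACommand that disables allow_all would hit exactly the login failure this commit fixes. Restore the default at the end by deleting the service as well and running the upgrade once more: `self.master.run_command(['ipa', 'hbacsvc-del', 'systemd-user'])` followed by `self.master.run_command(['ipa-server-upgrade'])`. Separately, `set(l.strip() for l in ...)` uses the ambiguous name `l`; `lines = {line.strip() for line in result.stdout_text.split('\n')}` reads better and avoids the generator-in-set() wrapper.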