[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Sat Dec 19 08:12:01 UTC 2020
The branch, master has been updated
via 9b44f7a71ec gpo: Apply Group Policy Sudo Rights from VGP
via 932af62eade gpo: Test Group Policy VGP Sudo Rights
via 440802c24a8 gpo: Add gp_xml_ext parser for group policy
from 6b5041c0212 smbd: close_file() should never see an internal dirfsp.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9b44f7a71ec7772fbb47167e0ba4d5c51397cfad
Author: David Mulder <dmulder at suse.com>
Date: Tue Nov 3 10:45:45 2020 -0700
gpo: Apply Group Policy Sudo Rights from VGP
This adds a Group Policy extension which applies
Sudo rights set by Vintela Group Policy in the
SYSVOL.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Dec 19 08:11:50 UTC 2020 on sn-devel-184
commit 932af62eade70714ca7351738b936123c5345fd0
Author: David Mulder <dmulder at suse.com>
Date: Tue Nov 3 13:14:34 2020 -0700
gpo: Test Group Policy VGP Sudo Rights
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 440802c24a8f49809b41f14997e406d2795b8e95
Author: David Mulder <dmulder at suse.com>
Date: Tue Nov 3 10:44:27 2020 -0700
gpo: Add gp_xml_ext parser for group policy
This adds an extension parser for parsing xml
files in the sysvol.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/gpclass.py | 9 ++++
python/samba/tests/gpo.py | 68 +++++++++++++++++++++++
python/samba/vgp_sudoers_ext.py | 101 +++++++++++++++++++++++++++++++++++
source4/scripting/bin/samba-gpupdate | 2 +
4 files changed, 180 insertions(+)
create mode 100644 python/samba/vgp_sudoers_ext.py
Changeset truncated at 500 lines:
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index ac73671eb58..1b29711f245 100644
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -341,6 +341,15 @@ class gp_pol_ext(gp_ext):
return ndr_unpack(preg.file, raw)
+class gp_xml_ext(gp_ext):
+ def read(self, data_file):
+ raw = open(data_file, 'rb').read()
+ try:
+ return etree.fromstring(raw.decode())
+ except UnicodeDecodeError:
+ return etree.fromstring(raw.decode('utf-16'))
+
+
''' Fetch the hostname of a writable DC '''
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 115b71ac61d..a0dce8d96d7 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -27,6 +27,7 @@ from tempfile import NamedTemporaryFile, TemporaryDirectory
from samba.gp_sec_ext import gp_krb_ext, gp_access_ext
from samba.gp_scripts_ext import gp_scripts_ext
from samba.gp_sudoers_ext import gp_sudoers_ext
+from samba.vgp_sudoers_ext import vgp_sudoers_ext
from samba.gpclass import gp_inf_ext
from samba.gp_smb_conf_ext import gp_smb_conf_ext
import logging
@@ -37,6 +38,7 @@ from samba.dcerpc import preg
from samba.ndr import ndr_pack
import codecs
from shutil import copyfile
+import xml.etree.ElementTree as etree
realm = os.environ.get('REALM')
policies = realm + '/POLICIES'
@@ -440,6 +442,72 @@ class GPOTests(tests.TestCase):
# Unstage the Registry.pol file
unstage_file(reg_pol)
+ def test_vgp_sudoers(self):
+ local_path = self.lp.cache_path('gpo_cache')
+ guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+ manifest = os.path.join(local_path, policies, guid, 'MACHINE',
+ 'VGP/VTLA/SUDO/SUDOERSCONFIGURATION/MANIFEST.XML')
+ logger = logging.getLogger('gpo_tests')
+ cache_dir = self.lp.get('cache directory')
+ store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb'))
+
+ machine_creds = Credentials()
+ machine_creds.guess(self.lp)
+ machine_creds.set_machine_account()
+
+ # Initialize the group policy extension
+ ext = vgp_sudoers_ext(logger, self.lp, machine_creds, store)
+
+ ads = gpo.ADS_STRUCT(self.server, self.lp, machine_creds)
+ if ads.connect():
+ gpos = ads.get_gpo_list(machine_creds.get_username())
+
+ # Stage the manifest.xml file with test data
+ stage = etree.Element('vgppolicy')
+ policysetting = etree.Element('policysetting')
+ stage.append(policysetting)
+ version = etree.Element('version')
+ version.text = '1'
+ policysetting.append(version)
+ data = etree.Element('data')
+ sudoers_entry = etree.Element('sudoers_entry')
+ command = etree.Element('command')
+ command.text = 'ALL'
+ sudoers_entry.append(command)
+ user = etree.Element('user')
+ user.text = 'ALL'
+ sudoers_entry.append(user)
+ principal_list = etree.Element('listelement')
+ principal = etree.Element('principal')
+ principal.text = 'fakeu'
+ principal.attrib['type'] = 'user'
+ principal_list.append(principal)
+ sudoers_entry.append(principal_list)
+ data.append(sudoers_entry)
+ policysetting.append(data)
+ ret = stage_file(manifest, etree.tostring(stage))
+ self.assertTrue(ret, 'Could not create the target %s' % manifest)
+
+ # Process all gpos, with temp output directory
+ data = 'fakeu ALL=(ALL) NOPASSWD: ALL'
+ with TemporaryDirectory() as dname:
+ ext.process_group_policy([], gpos, dname)
+ sudoers = os.listdir(dname)
+ self.assertEquals(len(sudoers), 1, 'The sudoer file was not created')
+ self.assertIn(data,
+ open(os.path.join(dname, sudoers[0]), 'r').read(),
+ 'The sudoers entry was not applied')
+
+ # Remove policy
+ gp_db = store.get_gplog(machine_creds.get_username())
+ del_gpos = get_deleted_gpos_list(gp_db, [])
+ ext.process_group_policy(del_gpos, [])
+ self.assertEquals(len(os.listdir(dname)), 0,
+ 'Unapply failed to cleanup scripts')
+
+ # Unstage the Registry.pol file
+ unstage_file(manifest)
+
def test_gp_inf_ext_utf(self):
logger = logging.getLogger('gpo_tests')
cache_dir = self.lp.get('cache directory')
diff --git a/python/samba/vgp_sudoers_ext.py b/python/samba/vgp_sudoers_ext.py
new file mode 100644
index 00000000000..278f3558cc2
--- /dev/null
+++ b/python/samba/vgp_sudoers_ext.py
@@ -0,0 +1,101 @@
+# vgp_sudoers_ext samba gpo policy
+# Copyright (C) David Mulder <dmulder at suse.com> 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+from samba.gpclass import gp_xml_ext
+from base64 import b64encode
+from tempfile import NamedTemporaryFile
+from subprocess import Popen, PIPE
+from samba.gp_sudoers_ext import visudo, intro
+
+class vgp_sudoers_ext(gp_xml_ext):
+ def __str__(self):
+ return 'VGP/Unix Settings/Sudo Rights'
+
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
+ sdir='/etc/sudoers.d'):
+ for guid, settings in deleted_gpo_list:
+ self.gp_db.set_guid(guid)
+ if str(self) in settings:
+ for attribute, sudoers in settings[str(self)].items():
+ if os.path.exists(sudoers):
+ os.unlink(sudoers)
+ self.gp_db.delete(str(self), attribute)
+ self.gp_db.commit()
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ self.gp_db.set_guid(gpo.name)
+ xml = 'MACHINE/VGP/VTLA/Sudo/SudoersConfiguration/manifest.xml'
+ path = os.path.join(gpo.file_sys_path, xml)
+ xml_conf = self.parse(path)
+ if not xml_conf:
+ continue
+ policy = xml_conf.find('policysetting')
+ data = policy.find('data')
+ for entry in data.findall('sudoers_entry'):
+ command = entry.find('command').text
+ user = entry.find('user').text
+ principals = [p.text for p in entry.find('listelement').findall('principal')]
+ nopassword = entry.find('password') == None
+ np_entry = ' NOPASSWD:' if nopassword else ''
+ p = '%s ALL=(%s)%s %s' % (','.join(principals), user, np_entry, command)
+ attribute = b64encode(p.encode()).decode()
+ old_val = self.gp_db.retrieve(str(self), attribute)
+ if not old_val:
+ contents = intro
+ contents += '%s\n' % p
+ with NamedTemporaryFile() as f:
+ with open(f.name, 'w') as w:
+ w.write(contents)
+ sudo_validation = \
+ Popen([visudo, '-c', '-f', f.name],
+ stdout=PIPE, stderr=PIPE).wait()
+ if sudo_validation == 0:
+ with NamedTemporaryFile(prefix='gp_',
+ delete=False,
+ dir=sdir) as f:
+ with open(f.name, 'w') as w:
+ w.write(contents)
+ self.gp_db.store(str(self),
+ attribute,
+ f.name)
+ else:
+ self.logger.warn('Sudoers apply "%s" failed'
+ % p)
+ self.gp_db.commit()
+
+ def rsop(self, gpo):
+ output = {}
+ xml = 'MACHINE/VGP/VTLA/Sudo/SudoersConfiguration/manifest.xml'
+ if gpo.file_sys_path:
+ path = os.path.join(gpo.file_sys_path, xml)
+ xml_conf = self.parse(path)
+ if not xml_conf:
+ return output
+ policy = xml_conf.find('policysetting')
+ data = policy.find('data')
+ for entry in data.findall('sudoers_entry'):
+ command = entry.find('command').text
+ user = entry.find('user').text
+ principals = [p.text for p in entry.find('listelement').findall('principal')]
+ nopassword = entry.find('password') == None
+ np_entry = ' NOPASSWD:' if nopassword else ''
+ p = '%s ALL=(%s)%s %s' % (','.join(principals), user, np_entry, command)
+ if str(self) not in output.keys():
+ output[str(self)] = []
+ output[str(self)].append(p)
+ return output
diff --git a/source4/scripting/bin/samba-gpupdate b/source4/scripting/bin/samba-gpupdate
index dfbb1901457..85300e15655 100755
--- a/source4/scripting/bin/samba-gpupdate
+++ b/source4/scripting/bin/samba-gpupdate
@@ -34,6 +34,7 @@ from samba.gp_sec_ext import gp_krb_ext, gp_access_ext
from samba.gp_ext_loader import get_gp_client_side_extensions
from samba.gp_scripts_ext import gp_scripts_ext
from samba.gp_sudoers_ext import gp_sudoers_ext
+from samba.vgp_sudoers_ext import vgp_sudoers_ext
from samba.gp_smb_conf_ext import gp_smb_conf_ext
from samba.gp_msgs_ext import gp_msgs_ext
import logging
@@ -89,6 +90,7 @@ if __name__ == "__main__":
gp_extensions.append(gp_krb_ext)
gp_extensions.append(gp_scripts_ext)
gp_extensions.append(gp_sudoers_ext)
+ gp_extensions.append(vgp_sudoers_ext)
gp_extensions.append(gp_smb_conf_ext)
gp_extensions.append(gp_msgs_ext)
gp_extensions.extend(machine_exts)
--
Samba Shared Repository
More information about the samba-cvs
mailing list