URL: https://github.com/freeipa/freeipa/pull/2751
Author: tiran
Title: #2751: [Backport][ipa-4-6] Create systemd-user HBAC service and rule
Action: opened

PR body:
"""
Manual backport of PR #2746 

authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine-grained
rules, logins now fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2751/head:pr2751
git checkout pr2751
From 0004684fc12d401325312edb7ba1eaafeb0bb5b5 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 11 Jan 2019 11:18:05 +0100
Subject: [PATCH] Create systemd-user HBAC service and rule

authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine-grained
rules, logins now fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 install/share/bootstrap-template.ldif      |  8 +++
 install/share/default-hbac.ldif            | 13 +++++
 ipaserver/install/server/upgrade.py        | 37 ++++++++++++++
 ipatests/test_integration/test_commands.py | 59 ++++++++++++++++++++++
 4 files changed, 117 insertions(+)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b19de724f3..1b80794e66 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -346,6 +346,14 @@ cn: sudo-i
 description: sudo-i
 ipauniqueid:autogenerate
 
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipahbacservice
+objectclass: ipaobject
+cn: systemd-user
+description: pam_systemd and systemd user@.service
+ipauniqueid:autogenerate
+
 dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
 changetype: add
 objectclass: ipahbacservice
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
index 52fd30ec9a..8dd90685cc 100644
--- a/install/share/default-hbac.ldif
+++ b/install/share/default-hbac.ldif
@@ -12,3 +12,16 @@ ipaenabledflag: TRUE
 description: Allow all users to access any host from any host
 ipauniqueid: autogenerate
 
+# default HBAC policy for pam_systemd
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_systemd-user
+accessruletype: allow
+usercategory: all
+hostcategory: all
+servicecategory: systemd-user
+ipaenabledflag: TRUE
+description: Allow pam_systemd to run user@.service to create a system user session
+ipauniqueid: autogenerate
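Review bot: `servicecategory: systemd-user` on the new rule does not match how HBAC rules reference a service: in the hbacrule plugin servicecategory is an enumeration whose only accepted value is `all` (meaning "any service"), and a rule scoped to one service links it through the memberservice attribute, which is exactly what the upgrade path in this patch does via `hbacrule_add_service`. A fresh install and an upgraded server should end up with the same rule, so suggest replacing that line with `memberservice: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX`; that is also the form the new integration test checks for (`Services: systemd-user` in `hbacrule-show --all`), and the test currently only exercises the upgrade-created rule, not this LDIF one. Minor: "create a system user session" in the description (here and in upgrade.py) reads like a typo for "systemd user session".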
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1aff263eaa..0d96313608 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1687,6 +1687,41 @@ def update_replica_config(db_suffix):
         logger.info("Updated entry %s", dn)
 
 
+def add_systemd_user_hbac():
+    logger.info('[Create systemd-user hbac service and rule]')
+    rule = 'allow_systemd-user'
+    service = 'systemd-user'
+    try:
+        api.Command.hbacsvc_add(
+            service,
+            description='pam_systemd and systemd user@.service'
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac service %s already exists', service)
+        # Don't create hbac rule when hbacsvc already exists, so the rule
+        # does not get re-created after it has been deleted by an admin.
+        return
+    else:
+        logger.info('Created hbacsvc %s', service)
+
+    try:
+        api.Command.hbacrule_add(
+            rule,
+            description=('Allow pam_systemd to run user@.service to create '
+                         'a system user session'),
+            usercategory='all',
+            hostcategory='all',
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac rule %s already exists', rule)
+    else:
+        api.Command.hbacrule_add_service(
+            rule,
+            hbacsvc=(service,)
+        )
+        logger.info('Created hbac rule %s with hbacsvc=%s', rule, service)
+
+
 def fix_permissions():
     """Fix permission of public accessible files and directories
 
@@ -1993,6 +2028,8 @@ def upgrade_configuration():
         ca.setup_lightweight_ca_key_retrieval()
         cainstance.ensure_ipa_authority_entry()
 
+    add_systemd_user_hbac()
+
     sssd_update()
 
     krb = krbinstance.KrbInstance(fstore)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 5b7c138dd1..cd641f3a83 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -432,3 +432,62 @@ def test_sssd_ifp_access_ipaapi(self):
             ['sudo', '-u', IPAAPI_USER, '--'] + cmd
         )
         assert uid in result.stdout_text
+
+    def test_hbac_systemd_user(self):
+        # https://pagure.io/freeipa/issue/7831
+        tasks.kinit_admin(self.master)
+        # check for presence
+        self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # delete both
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-del', 'systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert 'Created hbacsvc systemd-user' in result.stderr_text
+        assert 'Created hbac rule allow_systemd-user' in result.stderr_text
+
+        # check for presence
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
+        )
+        lines = set(l.strip() for l in result.stdout_text.split('\n'))
+        assert 'User category: all' in lines
+        assert 'Host category: all' in lines
+        assert 'Enabled: TRUE' in lines
+        assert 'Services: systemd-user' in lines
+        assert 'accessruletype: allow' in lines
+
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # only delete rule
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert (
+            'hbac service systemd-user already exists' in result.stderr_text
+        )
+        assert (
+            'Created hbac rule allow_systemd-user' not in result.stderr_text
+        )
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user'],
+            raiseonerr=False
+        )
+        assert result.returncode != 0
+        assert 'HBAC rule not found' in result.stderr_text
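Review bot: the test leaves the master without the default allow_systemd-user rule: the final block deletes the rule and verifies that ipa-server-upgrade does not recreate it, but nothing restores it afterwards, so any later test on the same master (including anything that logs in through pam_systemd with allow_all disabled) runs against a non-default HBAC state. Suggest finishing with `ipa hbacsvc-del systemd-user` followed by one more `ipa-server-upgrade`, which by the patch's own logic recreates both objects, and asserting `hbacrule-show allow_systemd-user` succeeds again. Minor: `lines = set(l.strip() for l in ...)` uses `l` as a variable name, which flake8 flags (E741); `line` would be clearer.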
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org