[Bug 1868154] Re: [MIR] realmd

2020-07-28 Thread Didier Roche
** Changed in: realmd (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868154

Title:
  [MIR] realmd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1868154/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1868154] Re: [MIR] realmd

2020-07-28 Thread Didier Roche
$ ./change-override -c main -S realmd
Override component to main
realmd 0.16.3-3 in groovy: universe/admin -> main
realmd 0.16.3-3 in groovy amd64: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy arm64: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy armhf: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy ppc64el: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy riscv64: universe/admin/optional/100% -> main
realmd 0.16.3-3 in groovy s390x: universe/admin/optional/100% -> main
Override [y|N]? y
7 publications overridden.


[Bug 1868154] Re: [MIR] realmd

2020-07-22 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu-seeds/+git/platform/+merge/387868


[Bug 1868154] Re: [MIR] realmd

2020-07-16 Thread Christian Ehrhardt
Thank you all, MIR Ack, Security Ack and bug subscription is present - this is
ready for promotion as soon as the seed was modified to pull it in.
The same applies to the sibling bug in 1868159.

** Changed in: realmd (Ubuntu)
   Status: New => In Progress


[Bug 1868154] Re: [MIR] realmd

2020-07-16 Thread Seth Arnold
I reviewed realmd 0.16.3-3 as checked into focal.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

realmd automates configuring kerberos, ldap, sssd, ipa, etc on the system,
and provides a dbus interface and command line tool.


- CVE History:
  - one cve in our database, CVE-2015-2704, only open in trusty
- Build-Depends: debhelper,
   intltool,
   libglib2.0-dev,
   libkrb5-dev,
   libldap2-dev,
   libpolkit-gobject-1-dev,
   libsystemd-dev,
   pkg-config,
   python3:any,
   xmlto,
   xsltproc
- pre/post inst/rm scripts only automatically added sections
- no init scripts
- systemd unit is dbus activated
- no setuid binaries
- realm binary in PATH
- no sudo fragments
- polkit file allows anyone to discover realms, requires admin account to
  join or part realms, or change local machine login policy
- no udev rules
- extensive tests run during the build
- no cron jobs
- clean build logs

- Spawns processes, given in a configuration file; looked safe
- Memory management is typical glib / freedesktop style, looked safe
- File IO
  - I believe paths to files are constructed dynamically, stored in a
    hashtable at runtime, it's a bit hard to follow
- logging looked careful
- Environment variables PATH, REALM_DEBUG, REALM_PERSIST, LOGNAME are used
  where they make sense, seemed to be handled well
- No privileged syscall use
- Does not itself do cryptography
- Use of temp files?
  - only temp files are in test code
- Use of networking?
  - very little networking itself, the use of unix sockets for internal
    use, and use of a tcp socket for ldap, looked safe.
- No webkit
- Use of PolicyKit?
  - provides a policykit backend, uses
    polkit_authority_check_authorization_sync() with the flag requesting
    user interaction
- cppcheck results look like false positives
- coverity not checked
- shellcheck not relevant

realmd is a typical freedesktop program written with glib -- it's
abstracted enough that it's a little difficult to follow and get the
overall flow of the program, but every individual line looks fine. Errors
are handled throughout, there's good comments where they help, etc.

It's not my favourite coding style but it is professionally developed and
looks up to task.

I also don't love the packagekit integration: packagekit upstream has
declared it's reached an end, and I'd rather someone configuring their
system for an environment have chosen their packages themselves.

However these aren't deal-breakers.

Security team ACK for promoting realmd to main.

Can someone double-check the function realm_samba_winbind_configure_async()?
I'm afraid the idmap uid, gid, ranges may not be appropriate on
debian/ubuntu systems.

Bug filed while reviewing:

https://gitlab.freedesktop.org/realmd/realmd/-/issues/27


** Changed in: realmd (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Bug watch added: gitlab.freedesktop.org/realmd/realmd/-/issues #27
   https://gitlab.freedesktop.org/realmd/realmd/-/issues/27

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2704

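
The idmap range question raised in the security review above can be checked mechanically on a joined host. The following is an added example, not code from realmd or from this bug thread: it reports winbind idmap ranges in smb.conf that intersect the locally allocated UID/GID ranges from login.defs. The function names are hypothetical and both file contents are constructed samples.

```python
import re

# Constructed sample inputs (not taken from realmd or from any real host).
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   idmap uid = 1000-2000000
   idmap gid = 1000-2000000
   idmap config * : range = 100000-199999
"""
SAMPLE_LOGIN_DEFS = """\
UID_MIN          1000
UID_MAX         60000
SYS_UID_MIN       100
SYS_UID_MAX       999
GID_MIN          1000
GID_MAX         60000
"""

# Legacy "idmap uid|gid = lo-hi" and "idmap config DOMAIN : range = lo-hi".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+(?:(uid|gid)|config\s+(\S+)\s*:\s*range)"
    r"\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def idmap_ranges(smb_conf):
    """Return [(label, kinds, lo, hi)] for every idmap range in smb.conf text."""
    out = []
    for kind, domain, lo, hi in IDMAP_RE.findall(smb_conf):
        label = f"idmap {kind.lower()}" if kind else f"idmap config {domain}"
        # A per-domain range is used for both UIDs and GIDs.
        kinds = (kind.upper(),) if kind else ("UID", "GID")
        out.append((label, kinds, int(lo), int(hi)))
    return out

def local_ranges(login_defs):
    """Return {'UID': [(lo, hi), ...], 'GID': [...]} from login.defs text."""
    vals = dict(re.findall(r"^\s*((?:SYS_)?[UG]ID_M(?:IN|AX))\s+(\d+)",
                           login_defs, re.MULTILINE))
    out = {"UID": [], "GID": []}
    for kind in out:
        for prefix in ("SYS_", ""):
            lo, hi = vals.get(f"{prefix}{kind}_MIN"), vals.get(f"{prefix}{kind}_MAX")
            if lo is not None and hi is not None:  # skip commented-out pairs
                out[kind].append((int(lo), int(hi)))
    return out

def overlaps(smb_conf, login_defs):
    """List idmap ranges that intersect a locally allocated UID/GID range."""
    local = local_ranges(login_defs)
    return [(label, kind, (lo, hi), (l_lo, l_hi))
            for label, kinds, lo, hi in idmap_ranges(smb_conf)
            for kind in kinds
            for l_lo, l_hi in local[kind]
            if lo <= l_hi and l_lo <= hi]
```

An empty result from `overlaps()` means no domain-mapped ID can collide with an ID that local account creation may hand out; any entry is a range to move before users are provisioned.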

[Bug 1868154] Re: [MIR] realmd

2020-06-10 Thread Dan Streetman
** Description changed:

- 
  I request that the realmd package be included in the main repository.
  
  I've checked the following things:
  
  ---
  1. Availability: realmd is already in universe.  It's compiled for all 
platforms.
  
  2. Rationale: This is used by many enterprise or organizations that use
  Microsoft's Active Directory as their main directory system. This
  package is the most sensible way to have Linux machines join an AD
  domain. As security policies become tighter, more enterprises are
  requiring the Linux machines use Active Directory for authentication.
  
  3. Security:
  
  The changelog goes from 2013 to Oct 2019. It has been supported for a
  while and is receiving updates.
  
  4. Quality Assurance:
  
  The realm tool is well documented. It asks no debconf questions that I'm
  aware of.
  
  I'm using it in production systems. It's been very stable.  I've
  reviewed the debian and ubuntu bugs for realmd. I don't see any show-
  stopper bugs. The bugs that are open are no longer applicable or have
  workarounds.
  
  The packages have no exotic hardware dependencies.
  
  5. UI Standards: This is a backend package. UI standards don't apply.
  
  ---
  
  I'm not fluent enough with Ubuntu packaging to handle the in-depth
  package checking.
+ 
+ Note this MIR is related to MIR in bug 1868159


[Bug 1868154] Re: [MIR] realmd

2020-05-18 Thread Andreas Hasenack
Ubuntu server is subscribed.


[Bug 1868154] Re: [MIR] realmd

2020-05-18 Thread Dan Streetman
This still needs server team agreement for ownership (per comment 2),
but while that's being evaluated I'll put this on the security team, to
review in parallel.

** Changed in: realmd (Ubuntu)
 Assignee: Dan Streetman (ddstreet) => Ubuntu Security Team (ubuntu-security)


[Bug 1868154] Re: [MIR] realmd

2020-04-22 Thread Andreas Hasenack
Having used realmd while updating the Ubuntu Server Guide, I must say
it's a very useful tool, and I wouldn't want to join an Active Directory
domain without it (and adcli).


[Bug 1868154] Re: [MIR] realmd

2020-03-31 Thread Dan Streetman
And to clarify, after the above is addressed, this still does need a
security review.


[Bug 1868154] Re: [MIR] realmd

2020-03-31 Thread Dan Streetman
Follow up:

After discussion with MIR team, the issues I identified do need to be
addressed, specifically:

1. While we can't force upstream to create a new release, we can pull
upstream bug fixes, which I feel should be done.  Preferably in Debian,
but at minimum upstream bugfix commits should be added to the Ubuntu
packages and a Debian bug opened.

2. I believe the realmd package should have any packages that it might
'auto-install' listed in its Recommends:

Additionally, MIR does require that a reliable team subscribe to all
the package's bug reports.


[Bug 1868154] Re: [MIR] realmd

2020-03-25 Thread Dan Streetman
[Summary]
This package is acceptable for MIR, with 2 concerns:

1) There has been no upstream release in years and neither Debian nor
   Ubuntu has actively pulled upstream bug fixes since the last upstream
   release.  I would prefer to see more upstream bug fixes pulled into
   the Debian (and/or Ubuntu) package.  Obviously, it would also be good
   for upstream to produce a new release, but that's out of scope here.
2) The 'realm' command may install other packages (e.g. adcli or samba)
   as needed, which is not ideal; I would prefer needed packages are
   added as actual dependencies.  However, since needed packages can
   vary based on configuration (i.e. adcli or samba), it is arguably
   ok to attempt to install only needed deps from the 'realm' command.
   I would prefer if all packages that might be installed are listed
   as Recommends: so it's clear from the packaging perspective.

This does need a security review, so I'll assign ubuntu-security after
the next MIR team mtg, if the team agrees with my review.

Notes/TODOs:
As I'm new to the MIR team, I am making this approval conditional on
MIR team review of my review at the next MIR team mtg.

[Duplication]
- There is no other package in main providing the same functionality
  - Note: it is possible to perform manual configuration/steps for
    similar functionality; this package automates and simplifies much
    of the manual work.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - does have Build-Depends: in universe, but all runtime deps are in main
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
  - Note, see Upstream red flags section
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does parse data formats
- does run a daemon as root
- does deal with system authentication (eg, pam, etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error.
    - added forced error to src pkg to verify
- The package has a team bug subscriber
  - MIR requestor is subscribed to all realmd bugs in Ubuntu
- translation is present
- not a python package, no extra constraints to consider in that regard
  - does include a single python3 script, but used only for build testing
- no new python2 dependency
- not golang package

Problems:
- does not have a test suite that runs as autopkgtest
  - this is probably ok, since there are build-time tests run, and this
    is a relatively simple package

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
  - does not provide any libs
- d/watch is present and looks ok
- the current release is packaged
  - However, as noted in Problems, last upstream release was ~3.5 years ago
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
  - All maintenance work has been done in Debian, not Ubuntu
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- Not Go Package

Problems:
- Upstream update history is slow
  - however, it is steady and consistent
  - of concern is last upstream release was ~3.5 years ago
- Debian update history is slow
  - all Debian updates since last upstream release are fixes for
    build or test failures
  - does not appear to contain any bug fixes from upstream git since
    last upstream release
- Ubuntu update history is nonexistent
  - no Ubuntu patches to package since Trusty

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Problems:
- single Errors during the build
  - manpage xml uses missing linkend ref; this is a minor issue that doesn't
    prevent manpage creation and can be ignored, but also could be easily fixed
- embedded source file present
  - this embeds 'tap-driver' script from the 'cockpit' project,
    but it is used only for build-time testing.
- important open bugs (crashers, etc) in Debian or Ubuntu
  - https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1333694
    this does not appear to still be a bug in the latest release

** Changed in: realmd (Ubuntu)
   Importance: Undecided => Medium


[Bug 1868154] Re: [MIR] realmd

2020-03-19 Thread Dan Streetman
** Changed in: realmd (Ubuntu)
 Assignee: (unassigned) => Dan Streetman (ddstreet)
