From: David Mulder Date: Fri, 26 Jun 2020 18:35:20 +0000 (-0600) Subject: gpo: Apply Group Policy Sudo Rights X-Git-Tag: talloc-2.3.2~929 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88b6266168ace52f66ded9cedaea1a02eea6e441;p=thirdparty%2Fsamba.git gpo: Apply Group Policy Sudo Rights Signed-off-by: David Mulder Reviewed-by: Douglas Bagnall --- diff --git a/libgpo/admx/en-US/samba.adml b/libgpo/admx/en-US/samba.adml index 570ed0598e4..577cb1aa0bb 100755 --- a/libgpo/admx/en-US/samba.adml +++ b/libgpo/admx/en-US/samba.adml @@ -12,10 +12,12 @@ Hourly Monthly Weekly + Sudo Rights This policy setting allows you to execute commands, either local or on remote storage, daily. This policy setting allows you to execute commands, either local or on remote storage, hourly. This policy setting allows you to execute commands, either local or on remote storage, monthly. This policy setting allows you to execute commands, either local or on remote storage, weekly. + This policy configures the sudoers file with the lines specified. @@ -30,6 +32,9 @@ Script and arguments + + Sudoers commands + diff --git a/libgpo/admx/samba.admx b/libgpo/admx/samba.admx index 265f4134a88..a4e26cf388f 100755 --- a/libgpo/admx/samba.admx +++ b/libgpo/admx/samba.admx @@ -43,5 +43,12 @@ + + + + + + + diff --git a/python/samba/gp_sudoers_ext.py b/python/samba/gp_sudoers_ext.py index 1033af1771b..cbebc8f06e3 100644 --- a/python/samba/gp_sudoers_ext.py +++ b/python/samba/gp_sudoers_ext.py @@ -14,9 +14,72 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import os from samba.gpclass import gp_pol_ext +from base64 import b64encode +from tempfile import NamedTemporaryFile +from subprocess import Popen, PIPE +from distutils.spawn import find_executable + +intro = ''' +### autogenerated by samba +# +# This file is generated by the gp_sudoers_ext Group Policy +# Client Side Extension. To modify the contents of this file, +# modify the appropriate Group Policy objects which apply +# to this machine. DO NOT MODIFY THIS FILE DIRECTLY. +# + +''' +visudo = find_executable('visudo', + path='%s:%s' % (os.environ['PATH'], '/usr/sbin')) class gp_sudoers_ext(gp_pol_ext): + def __str__(self): + return 'Unix Settings/Sudo Rights' + def process_group_policy(self, deleted_gpo_list, changed_gpo_list, sdir='/etc/sudoers.d'): - pass + for gpo in deleted_gpo_list: + self.gp_db.set_guid(gpo[0]) + if str(self) in gpo[1]: + for attribute, sudoers in gpo[1][str(self)].items(): + os.unlink(sudoers) + self.gp_db.delete(str(self), attribute) + self.gp_db.commit() + + for gpo in changed_gpo_list: + if gpo.file_sys_path: + section = 'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights' + self.gp_db.set_guid(gpo.name) + pol_file = 'MACHINE/Registry.pol' + path = os.path.join(gpo.file_sys_path, pol_file) + pol_conf = self.parse(path) + if not pol_conf: + continue + for e in pol_conf.entries: + if e.keyname == section and e.data.strip(): + attribute = b64encode(e.data.encode()).decode() + old_val = self.gp_db.retrieve(str(self), attribute) + if not old_val: + contents = intro + contents += '%s\n' % e.data + with NamedTemporaryFile() as f: + with open(f.name, 'w') as w: + w.write(contents) + sudo_validation = \ + Popen([visudo, '-c', '-f', f.name], + stdout=PIPE, stderr=PIPE).wait() + if sudo_validation == 0: + with NamedTemporaryFile(prefix='gp_', + delete=False, + dir=sdir) as f: + with open(f.name, 'w') as w: + w.write(contents) + self.gp_db.store(str(self), + attribute, + f.name) + else: + self.logger.warn('Sudoers apply "%s" failed' + % e.data) + self.gp_db.commit() diff --git a/selftest/knownfail b/selftest/knownfail index 1611abfb45c..6c005d1f4de 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -396,4 +396,3 @@ ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_sudoers diff --git a/source4/scripting/bin/samba-gpupdate b/source4/scripting/bin/samba-gpupdate index 68dfad1ed87..e239a4e015e 100755 --- a/source4/scripting/bin/samba-gpupdate +++ b/source4/scripting/bin/samba-gpupdate @@ -33,6 +33,7 @@ from samba.gpclass import apply_gp, unapply_gp, GPOStorage from samba.gp_sec_ext import gp_sec_ext from samba.gp_ext_loader import get_gp_client_side_extensions from samba.gp_scripts_ext import gp_scripts_ext +from samba.gp_sudoers_ext import gp_sudoers_ext import logging if __name__ == "__main__": @@ -82,6 +83,7 @@ if __name__ == "__main__": if opts.target == 'Computer': gp_extensions.append(gp_sec_ext(logger, lp, creds, store)) gp_extensions.append(gp_scripts_ext(logger, lp, creds, store)) + gp_extensions.append(gp_sudoers_ext(logger, lp, creds, store)) for ext in machine_exts: gp_extensions.append(ext(logger, lp, creds, store)) elif opts.target == 'User':