From: David Mulder Date: Tue, 3 Nov 2020 17:45:45 +0000 (-0700) Subject: gpo: Apply Group Policy Sudo Rights from VGP X-Git-Tag: samba-4.14.0rc1~178 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b44f7a71ec7772fbb47167e0ba4d5c51397cfad;p=thirdparty%2Fsamba.git gpo: Apply Group Policy Sudo Rights from VGP This adds a Group Policy extension which applies Sudo rights set by Vintela Group Policy in the SYSVOL. Signed-off-by: David Mulder Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Dec 19 08:11:50 UTC 2020 on sn-devel-184
---
diff --git a/python/samba/vgp_sudoers_ext.py b/python/samba/vgp_sudoers_ext.py
index 3b751538784..278f3558cc2 100644
--- a/python/samba/vgp_sudoers_ext.py
+++ b/python/samba/vgp_sudoers_ext.py
@@ -14,9 +14,88 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+import os
 from samba.gpclass import gp_xml_ext
+from base64 import b64encode
+from tempfile import NamedTemporaryFile
+from subprocess import Popen, PIPE
+from samba.gp_sudoers_ext import visudo, intro
 class vgp_sudoers_ext(gp_xml_ext):
+ def __str__(self):
+ return 'VGP/Unix Settings/Sudo Rights'
+
 def process_group_policy(self, deleted_gpo_list, changed_gpo_list, sdir='/etc/sudoers.d'):
- pass
+ for guid, settings in deleted_gpo_list:
+ self.gp_db.set_guid(guid)
+ if str(self) in settings:
+ for attribute, sudoers in settings[str(self)].items():
+ if os.path.exists(sudoers):
+ os.unlink(sudoers)
+ self.gp_db.delete(str(self), attribute)
+ self.gp_db.commit()
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ self.gp_db.set_guid(gpo.name)
+ xml = 'MACHINE/VGP/VTLA/Sudo/SudoersConfiguration/manifest.xml'
+ path = os.path.join(gpo.file_sys_path, xml)
+ xml_conf = self.parse(path)
+ if not xml_conf:
+ continue
+ policy = xml_conf.find('policysetting')
+ data = policy.find('data')
+ for entry in data.findall('sudoers_entry'):
+ command = entry.find('command').text
+ user = entry.find('user').text
+ principals = [p.text for p in entry.find('listelement').findall('principal')]
+ nopassword = entry.find('password') == None
+ np_entry = ' NOPASSWD:' if nopassword else ''
+ p = '%s ALL=(%s)%s %s' % (','.join(principals), user, np_entry, command)
+ attribute = b64encode(p.encode()).decode()
+ old_val = self.gp_db.retrieve(str(self), attribute)
+ if not old_val:
+ contents = intro
+ contents += '%s\n' % p
+ with NamedTemporaryFile() as f:
+ with open(f.name, 'w') as w:
+ w.write(contents)
+ sudo_validation = \
+ Popen([visudo, '-c', '-f', f.name],
+ stdout=PIPE, stderr=PIPE).wait()
+ if sudo_validation == 0:
+ with NamedTemporaryFile(prefix='gp_',
+ delete=False,
+ dir=sdir) as f:
+ with open(f.name, 'w') as w:
+ w.write(contents)
+ self.gp_db.store(str(self),
+ attribute,
+ f.name)
+ else:
+ self.logger.warn('Sudoers apply "%s" failed'
+ % p)
+ self.gp_db.commit()
+
+ def rsop(self, gpo):
+ output = {}
+ xml = 'MACHINE/VGP/VTLA/Sudo/SudoersConfiguration/manifest.xml'
+ if gpo.file_sys_path:
+ path = os.path.join(gpo.file_sys_path, xml)
+ xml_conf = self.parse(path)
+ if not xml_conf:
+ return output
+ policy = xml_conf.find('policysetting')
+ data = policy.find('data')
+ for entry in data.findall('sudoers_entry'):
+ command = entry.find('command').text
+ user = entry.find('user').text
+ principals = [p.text for p in entry.find('listelement').findall('principal')]
+ nopassword = entry.find('password') == None
+ np_entry = ' NOPASSWD:' if nopassword else ''
+ p = '%s ALL=(%s)%s %s' % (','.join(principals), user, np_entry, command)
+ if str(self) not in output.keys():
+ output[str(self)] = []
+ output[str(self)].append(p)
+ return output
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644
index 4be23fb2004..00000000000
--- a/selftest/knownfail.d/gpo
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers
diff --git a/source4/scripting/bin/samba-gpupdate b/source4/scripting/bin/samba-gpupdate
index dfbb1901457..85300e15655 100755
--- a/source4/scripting/bin/samba-gpupdate
+++ b/source4/scripting/bin/samba-gpupdate
@@ -34,6 +34,7 @@ from samba.gp_sec_ext import gp_krb_ext, gp_access_ext
 from samba.gp_ext_loader import get_gp_client_side_extensions
 from samba.gp_scripts_ext import gp_scripts_ext
 from samba.gp_sudoers_ext import gp_sudoers_ext
+from samba.vgp_sudoers_ext import vgp_sudoers_ext
 from samba.gp_smb_conf_ext import gp_smb_conf_ext
 from samba.gp_msgs_ext import gp_msgs_ext
 import logging
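Review bot: `entry.find('command').text` (and the same pattern for `user` and `listelement`) raises AttributeError on None when a `<sudoers_entry>` in manifest.xml lacks that child, which aborts the extension for every remaining GPO before the final `self.gp_db.commit()`; a value whose text contains a newline is also interpolated into `'%s ALL=(%s)%s %s'` unchanged, so `visudo -c` validates the result as two well-formed directives instead of rejecting it. Because `rsop` repeats the same parsing verbatim, a helper that yields one checked directive per entry and skips malformed ones (with a warning naming the GPO) would serve both callers and keep the two in sync. Separately, the file left in `sdir` keeps whatever mode `NamedTemporaryFile` created it with (0600 on CPython); whether sudo accepts that for a sudoers.d fragment, where 0440 is the conventional mode, should be confirmed rather than assumed, and `Popen(..., stdout=PIPE, stderr=PIPE).wait()` would be safer as `.communicate()` so a chatty visudo cannot stall on a full pipe.
```python
    def _sudoers_lines(self, gpo):
        """Yield one sudoers directive per <sudoers_entry> in the VGP manifest.

        Entries with a missing/empty command, user or principal, or with an
        embedded newline in any field, are skipped with a warning: the first
        would raise here, the second would slip an extra directive past
        'visudo -c'.
        """
        xml = 'MACHINE/VGP/VTLA/Sudo/SudoersConfiguration/manifest.xml'
        xml_conf = self.parse(os.path.join(gpo.file_sys_path, xml))
        if not xml_conf:
            return
        data = xml_conf.find('policysetting').find('data')
        for entry in data.findall('sudoers_entry'):
            command = entry.findtext('command')
            user = entry.findtext('user')
            principals = [p.text for p in entry.findall('listelement/principal')]
            fields = [command, user] + principals
            if not principals or not all(fields) or any('\n' in f for f in fields):
                self.logger.warn('Skipping malformed sudoers_entry in GPO %s'
                                 % gpo.name)
                continue
            np_entry = ' NOPASSWD:' if entry.find('password') is None else ''
            yield '%s ALL=(%s)%s %s' % (','.join(principals), user, np_entry, command)

    def process_group_policy(self, deleted_gpo_list, changed_gpo_list, sdir='/etc/sudoers.d'):
        # … unchanged: deleted_gpo_list handling …
        for gpo in changed_gpo_list:
            if gpo.file_sys_path:
                self.gp_db.set_guid(gpo.name)
                for p in self._sudoers_lines(gpo):
                    # … unchanged: b64 attribute, visudo check, write to sdir, gp_db.store …

    def rsop(self, gpo):
        output = {}
        if gpo.file_sys_path:
            for p in self._sudoers_lines(gpo):
                output.setdefault(str(self), []).append(p)
        return output
```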
@@ -89,6 +90,7 @@ if __name__ == "__main__":
 gp_extensions.append(gp_krb_ext)
 gp_extensions.append(gp_scripts_ext)
 gp_extensions.append(gp_sudoers_ext)
+ gp_extensions.append(vgp_sudoers_ext)
 gp_extensions.append(gp_smb_conf_ext)
 gp_extensions.append(gp_msgs_ext)
 gp_extensions.extend(machine_exts)