c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work with openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resolves: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 3 Jul 2018 20:03:39 +0200
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option
This option (when set to True) can be used to deny access to
users even if there is not applicable GPO. Normally users are
allowed access in this situation.
Resolves:
https://pagure.io/SSSD/sssd/issue/3701
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/config/cfg_rules.ini | 1 +
src/man/sssd-ad.5.xml | 21 +++++++++++++++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_gpo.c | 13 ++++++++++++-
src/providers/ad/ad_opts.c | 1 +
5 files changed, 36 insertions(+), 1 deletion(-)
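diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 36e83a9..78f215e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
 option = ad_enabled_domains
 option = ad_enable_gc
 option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
 option = ad_gpo_cache_timeout
 option = ad_gpo_default_right
 option = ad_gpo_map_batch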
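diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index f43c7fc..0eac382 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
 </varlistentry>
 
 <varlistentry>
+<term>ad_gpo_implicit_deny (boolean)</term>
+<listitem>
+<para>
+Normally when no applicable GPOs are found the
+users are allowed access. When this option is set
+to True users will be allowed access only when
+explicitly allowed by a GPO rule. Otherwise users
+will be denied access. This can be used to harden
+security but be careful when using this option
+because it can deny access even to users in the
+built-in Administrators group if no GPO rules
+apply to them.
+</para>
+<para>
+Default: False (seconds)
+</para>
+</listitem>
+</varlistentry>
+
+
+<varlistentry>
 <term>ad_gpo_cache_timeout (integer)</term>
 <listitem>
 <para>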
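diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index dd440da..2c52c99 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,7 @@ enum ad_basic_opt {
 AD_ACCESS_FILTER,
 AD_ENABLE_GC,
 AD_GPO_ACCESS_CONTROL,
+AD_GPO_IMPLICIT_DENY,
 AD_GPO_CACHE_TIMEOUT,
 AD_GPO_MAP_INTERACTIVE,
 AD_GPO_MAP_REMOTE_INTERACTIVE,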
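diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d568643..f3be723 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
 struct ldb_context *ldb_ctx;
 struct ad_access_ctx *access_ctx;
 enum gpo_access_control_mode gpo_mode;
+bool gpo_implicit_deny;
 enum gpo_map_type gpo_map_type;
 struct sdap_id_conn_ctx *conn;
 struct sdap_id_op *sdap_op;
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
 state->gpo_mode = ctx->gpo_access_control_mode;
 state->gpo_timeout_option = ctx->gpo_cache_timeout;
 state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
+state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
+AD_GPO_IMPLICIT_DENY);
 state->access_ctx = ctx;
 state->opts = ctx->sdap_access_ctx->id_ctx->opts;
 state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
 }
 }
 
-ret = EOK;
+if (state->gpo_implicit_deny == true) {
+DEBUG(SSSDBG_TRACE_FUNC,
+"No applicable GPOs have been found and ad_gpo_implicit_deny"
+" is set to 'true'. The user will be denied access.\n");
+ret = ERR_ACCESS_DENIED;
+} else {
+ret = EOK;
+}
+
 goto done;
 }
 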
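Review bot: `if (state->gpo_implicit_deny == true)` in the ad_gpo_process_gpo_done hunk compares a bool against `true`; the idiomatic form is `if (state->gpo_implicit_deny) {`. The denial is also logged only at SSSDBG_TRACE_FUNC, which is not enabled at the default debug_level, so an administrator who turned the option on and now sees users locked out gets no hint of the cause in the log; emitting this message at a level visible by default, for instance SSSDBG_MINOR_FAILURE, would make the deny-by-default decision auditable. This branch only covers the no-applicable-GPO case; whether a GPO that is found but carries no entry for the requested right also ends in denial, as the man page's "only when explicitly allowed by a GPO rule" wording promises, depends on code outside this hunk and is worth confirming. ad_gpo_process_gpo_done begins before the hunk.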
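diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index ac93327..c1d9cd7 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
 { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
+{ "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
 { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },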
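Review bot: The new row registers ad_gpo_implicit_deny as DP_OPT_BOOL with default BOOL_FALSE, but the man page hunk in src/man/sssd-ad.5.xml documents it as `Default: False (seconds)`; the `(seconds)` suffix appears to be carried over from the ad_gpo_cache_timeout entry and should be dropped so the boolean's documentation matches this definition. Since ad_basic_opts[] is indexed by enum ad_basic_opt, the row is correctly placed at the same position as AD_GPO_IMPLICIT_DENY in ad_common.h (between the access-control and cache-timeout entries); a short comment above the array stating that both lists must stay in the same order would protect that coupling against a future insertion in only one of them. ad_basic_opts[] continues outside the hunk.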
--
2.9.5