sssd/0014-GPO-Add-gpo_implicit_deny-option.patch
Michal Židek c0971b7e39 Backport a bunch of upstream fixes
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
                            differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
                            might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
                            insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
                            an allow-any default to a deny-any default when it
                            can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
                            startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
                            also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
                            commands in man pages since local provider is
                            deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
                            started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
                            sssctl utility
- Resolves: upstream#3489 - p11_child should work with openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
                            changes in nsswitch.conf
- Resolves: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
                            characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
                            which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
                           defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
2018-10-24 14:40:58 +02:00


From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 3 Jul 2018 20:03:39 +0200
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option
This option (when set to True) can be used to deny access to
users even if there is no applicable GPO. Normally users are
allowed access in this situation.
Resolves:
https://pagure.io/SSSD/sssd/issue/3701
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/config/cfg_rules.ini | 1 +
src/man/sssd-ad.5.xml | 21 +++++++++++++++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_gpo.c | 13 ++++++++++++-
src/providers/ad/ad_opts.c | 1 +
5 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 36e83a9..78f215e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
option = ad_enabled_domains
option = ad_enable_gc
option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
option = ad_gpo_cache_timeout
option = ad_gpo_default_right
option = ad_gpo_map_batch
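Review bot: the option name added to cfg_rules.ini has to match the string in ad_basic_opts character for character, since this list is what sssctl config-check validates against; "ad_gpo_implicit_deny" here matches the ad_opts.c entry, so a config using the new option will not be reported as unknown. Placement directly after ad_gpo_access_control also mirrors the ad_opts.c ordering, which keeps the two lists easy to diff.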
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index f43c7fc..0eac382 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
</varlistentry>
<varlistentry>
+ <term>ad_gpo_implicit_deny (boolean)</term>
+ <listitem>
+ <para>
+ Normally when no applicable GPOs are found the
+ users are allowed access. When this option is set
+ to True users will be allowed access only when
+ explicitly allowed by a GPO rule. Otherwise users
+ will be denied access. This can be used to harden
+ security but be careful when using this option
+ because it can deny access even to users in the
+ built-in Administrators group if no GPO rules
+ apply to them.
+ </para>
+ <para>
+ Default: False (seconds)
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
<term>ad_gpo_cache_timeout (integer)</term>
<listitem>
<para>
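Review bot: "Default: False (seconds)" in the second <para> carries a unit that makes no sense for a boolean; it looks copied from the ad_gpo_cache_timeout entry below and should read "Default: False". The two empty "+" lines between </varlistentry> and the next <varlistentry> are also extra whitespace not used elsewhere in this file. The warning that the built-in Administrators group can be locked out when no GPO applies is the right thing to document for a deny-by-default switch and should stay.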
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index dd440da..2c52c99 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,7 @@ enum ad_basic_opt {
AD_ACCESS_FILTER,
AD_ENABLE_GC,
AD_GPO_ACCESS_CONTROL,
+ AD_GPO_IMPLICIT_DENY,
AD_GPO_CACHE_TIMEOUT,
AD_GPO_MAP_INTERACTIVE,
AD_GPO_MAP_REMOTE_INTERACTIVE,
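Review bot: inserting AD_GPO_IMPLICIT_DENY in the middle of enum ad_basic_opt is only correct if the matching entry in ad_basic_opts[] (ad_opts.c) sits at the same index, because dp_opt_get_bool() indexes the option array by this enum value; the ad_opts.c hunk does insert at the same position (after ad_gpo_access_control), so the lookup is consistent. Worth re-checking whenever this patch is rebased onto a tree where either list has changed.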
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d568643..f3be723 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
struct ldb_context *ldb_ctx;
struct ad_access_ctx *access_ctx;
enum gpo_access_control_mode gpo_mode;
+ bool gpo_implicit_deny;
enum gpo_map_type gpo_map_type;
struct sdap_id_conn_ctx *conn;
struct sdap_id_op *sdap_op;
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
state->gpo_mode = ctx->gpo_access_control_mode;
state->gpo_timeout_option = ctx->gpo_cache_timeout;
state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
+ state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
+ AD_GPO_IMPLICIT_DENY);
state->access_ctx = ctx;
state->opts = ctx->sdap_access_ctx->id_ctx->opts;
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
}
}
- ret = EOK;
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
goto done;
}
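Review bot: the denial is logged only at SSSDBG_TRACE_FUNC, which is not enabled at the default debug_level, so an administrator whose users are suddenly refused because no GPO applied (the man page warns this can include the built-in Administrators group) will see nothing in the logs until debug_level is raised; a level such as SSSDBG_MINOR_FAILURE would make the cause visible by default. Minor style points in the same hunk: `if (state->gpo_implicit_deny == true)` can be `if (state->gpo_implicit_deny)`, and the message says 'true' while the man page documents the value as True.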
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index ac93327..c1d9cd7 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
+ { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
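Review bot: the default BOOL_FALSE keeps the existing allow-when-no-GPO-applies behaviour for deployments that do not set the option, which is the safe choice for a backport and matches the documented default; the entry's position between ad_gpo_access_control and ad_gpo_cache_timeout is what has to line up with AD_GPO_IMPLICIT_DENY in ad_common.h, and it does.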
--
2.9.5