From 69e1f5fe79806a530e90c8af09bedd3b9e6b4dac Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Jul 2020 15:30:29 +0200
Subject: [PATCH] GPO: respect ad_gpo_implicit_deny when evaluation rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently if ad_gpo_implicit_deny is set to 'True' access is rejected
if no GPOs apply to the host, since in this case there are obviously no
allow rules available.
But according to the man page we have to be more strict "When this
option is set to True users will be allowed access only when explicitly
allowed by a GPO rule". So if GPOs apply and no allow rules are present
we have to reject access as well.
Resolves: https://github.com/SSSD/sssd/issues/5061
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/man/sssd-ad.5.xml | 59 +++++++++++++++++++++++++++++++++++++++
src/providers/ad/ad_gpo.c | 13 +++++++--
2 files changed, 69 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 5c2f46546..fbd4985d7 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -477,9 +477,68 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
built-in Administrators group if no GPO rules
apply to them.
</para>
+
<para>
Default: False
</para>
+
+ <para>
+ The following 2 tables should illustrate when a user
+ is allowed or rejected based on the allow and deny
+ login rights defined on the server-side and the
+ setting of ad_gpo_implicit_deny.
+ </para>
+ <informaltable frame='all'>
+ <tgroup cols='3'>
+ <colspec colname='c1' align='center'/>
+ <colspec colname='c2' align='center'/>
+ <colspec colname='c3' align='center'/>
+
+ <row><entry namest='c1' nameend='c3' align='center'>
+ ad_gpo_implicit_deny = False (default)</entry></row>
+ <row><entry>allow-rules</entry><entry>deny-rules</entry>
+ <entry>results</entry></row>
+
+
+ <row><entry>missing</entry><entry>missing</entry>
+ <entry><para>all users are allowed</para>
+ </entry></row>
+ <row><entry>missing</entry><entry>present</entry>
+ <entry><para>only users not in deny-rules are
+ allowed</para></entry></row>
+ <row><entry>present</entry><entry>missing</entry>
+ <entry><para>only users in allow-rules are
+ allowed</para></entry></row>
+ <row><entry>present</entry><entry>present</entry>
+ <entry><para>only users in allow-rules and not in
+ deny-rules are allowed</para></entry></row>
+ </tgroup></informaltable>
+
+ <informaltable frame='all'>
+ <tgroup cols='3'>
+ <colspec colname='c1' align='center'/>
+ <colspec colname='c2' align='center'/>
+ <colspec colname='c3' align='center'/>
+
+ <row><entry namest='c1' nameend='c3' align='center'>
+ ad_gpo_implicit_deny = True</entry></row>
+ <row><entry>allow-rules</entry><entry>deny-rules</entry>
+ <entry>results</entry></row>
+
+
+ <row><entry>missing</entry><entry>missing</entry>
+ <entry><para>no users are allowed</para>
+ </entry></row>
+ <row><entry>missing</entry><entry>present</entry>
+ <entry><para>no users are allowed</para>
+ </entry></row>
+ <row><entry>present</entry><entry>missing</entry>
+ <entry><para>only users in allow-rules are
+ allowed</para></entry></row>
+ <row><entry>present</entry><entry>present</entry>
+ <entry><para>only users in allow-rules and not in
+ deny-rules are allowed</para></entry></row>
+ </tgroup></informaltable>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 2c6aa7fa6..0cf5da2a1 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1531,6 +1531,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
enum gpo_access_control_mode gpo_mode,
enum gpo_map_type gpo_map_type,
const char *user,
+ bool gpo_implicit_deny,
struct sss_domain_info *domain,
char **allowed_sids,
int allowed_size,
@@ -1575,7 +1576,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
group_sids[j]);
}
- if (allowed_size == 0) {
+ if (allowed_size == 0 && !gpo_implicit_deny) {
access_granted = true;
} else {
access_granted = check_rights(allowed_sids, allowed_size, user_sid,
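Review bot: With gpo_implicit_deny set and allowed_size == 0, the rewritten condition now routes into the else branch, so the documented "no users are allowed" outcome rests on check_rights() returning false for an empty allow list; that function is outside this hunk, so I cannot confirm it does. Making the decision explicit removes that dependency and reads as the man-page rule: `if (allowed_size == 0) {` / `access_granted = !gpo_implicit_deny;` / `} else {`. A trace line at that point, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "No allow rules found and ad_gpo_implicit_deny is set, access denied.\n");`, would let an administrator distinguish a lockout caused by this option from a deny-rule match when reading the logs. The check_rights() call and the rest of ad_gpo_access_check continue past the end of the hunk.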
@@ -1694,6 +1695,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
enum gpo_access_control_mode gpo_mode,
enum gpo_map_type gpo_map_type,
const char *user,
+ bool gpo_implicit_deny,
struct sss_domain_info *user_domain,
struct sss_domain_info *host_domain)
{
@@ -1732,8 +1734,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
/* perform access check with the final resultant allow_sids and deny_sids */
ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user,
- user_domain, allow_sids, allow_size, deny_sids,
- deny_size);
+ gpo_implicit_deny, user_domain,
+ allow_sids, allow_size, deny_sids, deny_size);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1918,6 +1920,7 @@ immediately:
static errno_t
process_offline_gpos(TALLOC_CTX *mem_ctx,
const char *user,
+ bool gpo_implicit_deny,
enum gpo_access_control_mode gpo_mode,
struct sss_domain_info *user_domain,
struct sss_domain_info *host_domain,
@@ -1930,6 +1933,7 @@ process_offline_gpos(TALLOC_CTX *mem_ctx,
gpo_mode,
gpo_map_type,
user,
+ gpo_implicit_deny,
user_domain,
host_domain);
if (ret != EOK) {
@@ -1976,6 +1980,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
ret = process_offline_gpos(state,
state->user,
+ state->gpo_implicit_deny,
state->gpo_mode,
state->user_domain,
state->host_domain,
@@ -2102,6 +2107,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
ret = process_offline_gpos(state,
state->user,
+ state->gpo_implicit_deny,
state->gpo_mode,
state->user_domain,
state->host_domain,
@@ -2766,6 +2772,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
state->gpo_mode,
state->gpo_map_type,
state->user,
+ state->gpo_implicit_deny,
state->user_domain,
state->host_domain);
if (ret != EOK) {
--
2.21.3