chown of script directory and contents

Thanks for raising this, I don’t really understand the implication of the directory change as then, any user process can create things in that directory, but as this directory is only then dealt by user process, this is fine?

Let me explain to you what happens to user scripts:
- adsysd get the policies, and for each user, copy the scripts in their own directory, with the UID of the user so that they will be to execute it. Note that machine scripts won’t change any UID. If the directory already exists, nothing is done (that prevents refreshing machine scripts until log off, see below).
- then, on log on, there is a systemd user script which execute "adsysd run-scripts", a separate process, as the user thus, which takes that directory and executes all scripts one after another, as the user
- finally, on log off, the systemd service will stop, and ExecStop will rerun adsysd run-scripts, still as the user, but for logoff (the script list may be different). Then, it will delete the user directory.
-> That way, next logon, adsys will reinstall new version (or maybe the same that were cache) scripts, ready to be executed.

So, we need to delete that directory on logoff. This directory will never have scripts executed as root (apart from machine scripts, which is totally different as we don’t change the owner for them). And anyway, those scripts are executed by a systemd job, not by the adsysd "root" daemon itself.

Does it make sense? Happy to have a chat to:
1. Understand the security issue (let’s use this to learn something, especially dark corners of security :p)
2. To see how we can safely fullfil our needs.

https://docs.google.com/document/d/1DOEIoIqol9WBtcdbB_fNb9pBkqmNCwd5RTSjc1UopvI

Mind having a look https://github.com/ubuntu/adsys/pull/287 ?

FYI, the branch is not private as the version with script support is only in jammy and focal-proposed. So no real use-case yet.

This bug was fixed in the package adsys - 0.8.1

---------------
adsys (0.8.1) jammy; urgency=medium

  * Change chown logic on script directory and parents to avoid potential
    vulnerability. (LP: #1961458)
  * Separate readiness from session running to avoid unrefreshed user script
    directories after a logout without any new logins.
  * pam_adsys: Fix memory leak and identation. (LP: #1961459)
  * Adapt to newer samba, while keeping backward compatilibity for CI.
    Thanks Michael. (LP: #1962170)
  * Try to stabilize configuration detection change test by calling sync() to
    sync FHS to disk, and then, hoping we get the inotify update. Seems to fix
    flakyness on armhf. (LP: #1962510)
  * Enforce closing stderr on ppcel64 in tests with new samba to avoid hangs
    in race.
  * Fix linting issues discovered by new golangci-lint.
  * Misc syntax polish.
  * Dependencies update:
    - github.com/godbus/dbus/v5
    - github.com/golangci/golangci-lint
    - gopkg.in/ini.v1

 -- Didier Roche <email address hidden> Tue, 08 Mar 2022 09:49:08 +0100

This private bug report is referenced in the changelog of adsys in the Focal unapproved queue. For the SRU to be accepted all the bug reports referenced in the changelog need to be public. Can you make this one public or create another bug which is public and reupload adsys?

This private bug report is referenced in the changelog of adsys in the Focal unapproved queue. For the SRU to be accepted all the bug reports referenced in the changelog need to be public. Can you make this one public or create another bug which is public and reupload adsys referencing the new bug report?

Brian, sorry, the bug is open now. Thanks

Hello Seth, or anyone else affected,

Accepted adsys into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adsys/0.9.2~20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified successfully on Focal with adsys 0.9.2~20.04.

Marking as verification-done

The verification of the Stable Release Update for adsys has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package adsys - 0.9.2~20.04

---------------
adsys (0.9.2~20.04) focal; urgency=medium

  * Backport to focal
    - Build with Go 1.16
    - Move debhelper compat to 12
    - Do not recommends ubuntu-advantage-desktop-daemon as it’s not available
      on focal yet.

adsys (0.9.2) kinetic; urgency=medium

  * Update generators to fix FTBFS
    - shell out to mkdir instead of go's os.Mkdir which can bypass fakeroot's
      filesystem hijacking and cause unexpected behavior
  * Update dependencies to latest:
    - github.com/golangci/golangci-lint
    - google.golang.org/protobuf

adsys (0.9.1) kinetic; urgency=medium

  [ Didier Roche ]
  [ Gabriel Nagy ]
  * Fix loading policy content from uppercase folders (LP: #1982330)
  * Add GSettings power management keys (LP: #1982349)
  * Allow parsing policy entries with empty values (LP: #1982342)
  * Allow parsing policies with unsupported types (LP: #1982343)
  * Allow parsing policy entries with no data (LP: #1982345)
  * Lowercase target name when normalizing (LP: #1982347)
  * Annotate policies that require Ubuntu Pro (LP: #1982348)
  * Update dependencies to latest:
    - github.com/spf13/cobra
    - github.com/spf13/viper
    - github.com/stretchr/testify
    - github.com/charmbracelet/bubbletea
    - github.com/charmbracelet/bubbles
    - google.golang.org/grpc
    - github.com/golangci/golangci-lint
    - github.com/sirupsen/logrus

adsys (0.9.0) kinetic; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  [ Gabriel Nagy ]
  * Add Active Directory Watch Daemon - adwatchd: (LP: #1982351)
    - Implement a Windows daemon that watches a list of configured directories
      for changes and bumps the relevant GPT.INI files.
    - Add adsys-windows binary package which includes the Windows daemon
      executable and the admx/adml policies.
  * Config detection now includes current executable directory
  * Fixes in generator build race
  * Update dependencies to latest:
    - github.com/spf13/cobra
    - github.com/stretchr/testify
  * CI updates:
    - switch to Go setup v3
    - bump to really build with Golang 1.18

adsys (0.8.6) kinetic; urgency=medium

  * Fix new build failures on 32 bits due to libsmbclient-dev no longer sets
    the large file support cflags in libsmbclient.h.
    Update to latest libsmbclient-go.
  * Update dependencies to latest:
    - google.golang.org/grpc
    - gopkg.in/ini.v1
    - github.com/golangci/golangci-lint
    - github.com/spf13/viper
    - github.com/stretchr/testify

adsys (0.8.5) kinetic; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  * Rename chapters to be in correct ascii order when viewed online.
    Thanks to Anton Drastrup-Fjordbak.
  * Include 22.04 in admx/adml for lts only releases. (LP: #1973745)
  * Bump embedeed dependencies minor versions for both bug fixes and minor
    security enhancements.
  * Fix dconf keys not being readable by user after applying policy.
    (LP: #1973748)
  * Ensure we can execute machine and user scripts:
    /run is now noexec on Ubuntu. Ensure that we can execute the scripts in
    /run/adsys subdirectories. The scripts mechanism has been reviewed by the...