Fix privilege permission which can not be set to disabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
adsys (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Disallowing local administrator does not work as expected:
- on some AD servers, setting this key (and some similar ones) to disabled in the UI, moving to the next GPO rule and then coming back to this one, AD displays the key as enabled again.
- on the client machine, the key has no state and nothing is forcibly allowed or disallowed.
[Test case]
* Install the new admx/adml with this version on the AD server.
* On AD, go to disallow local administrator, set it to disabled
* Go to next GPO rules and then go back
* The rule should still be disabled.
* On an Ubuntu machine joined to AD via adsys, with ua attached, force a machine refresh with adsysctl policy update -m.
* Check in adsysctl policy applied --all that the key is displayed as disabled
* Confirm that no local administrator (part of the sudo group) can run "sudo".
[Where problems could occur]
The privilege manager and other policies impact both Windows and the client:
- on Windows, the admx/adml files are statically generated and shipped as such; nothing exercises them at runtime. If the generated files were invalid, the Windows AD server would not show "Ubuntu" in its GPO templates.
- on the client, the privilege manager is the main consumer of these disabled key types. The other kinds of keys are not impacted.
[Additional information]
* New test cases have been added for the client part.
This bug was fixed in the package adsys - 0.8.5
---------------
adsys (0.8.5) kinetic; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* Rename chapters to be in correct ascii order when viewed online.
Thanks to Anton Drastrup-Fjordbak.
* Include 22.04 in admx/adml for lts only releases. (LP: #1973745)
* Bump embedded dependencies minor versions for both bug fixes and minor
security enhancements.
* Fix dconf keys not being readable by user after applying policy.
(LP: #1973748)
* Ensure we can execute machine and user scripts:
/run is now noexec on Ubuntu. Ensure that we can execute the scripts in
/run/adsys subdirectories. The scripts mechanism has been reviewed by the
security team, so we can reset them as executable. (LP: #1973751)
* Move integration tests under cmd/adsysd and admxgen binary to cmd/admxgen
to prepare future adwatchd daemon under cmd/ which will be SRUed with an
exception in next update. This is a no-op in the final deploy binaries,
apart from admxgen which is now using Cobra. This binary though is not
shipped in any package and only used in CI.
* Fix privilege permission which can not be set to disabled. (LP: #1973752)
* Adaptation or new tests for all above changes.
* Add fuzz tests and include new potential crash fixes on invalid files
generated by Windows AD.
* CI fixes and changes (not impacting final package):
- Move CI to Go 1.18 (package is already building with 1.18 in jammy).
- Fixes due to new github.
- Fix to generate all LTS releases in admx/adml (see above).
-- Didier Roche <email address hidden> Mon, 16 May 2022 14:09:36 +0200