Ubuntu
adsys package

Fix privilege permission which can not be set to disabled

Bug #1973752 reported by Didier Roche-Tolomelli
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
adsys (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
Disallowing local administrator does not work as excepted:
- on some AD server, setting in the UI this key (and some other similars) to disabled, go to next GPO rule, then back to this one, AD will display the key as enabled.
- on the client machine, we can see that the key has no state and nothing is forcibly allowed or disallowed.

[Test case]
* Install the new admx/adml with this version on the AD server.
* On AD, go to disallow local administator, set it to disabled
* Go to next GPO rules and then go back
* The rule should still be disabled.
* On an Ubuntu machine connected with AD by adsys, with ua attached, force a machine refresh with adsysctl policy update -m.
* Check in adsysctl policy applied --all that the key is displayed as disabled
* Confirm that no local administrator (part of the sudo group) can run "sudo".

[Where problems could occur]
The privilege manager and other policies impacts both Windows and client:
- on Windows, this is in the admx/adml are statically generated and then shipped as thus. There is no runtime exercising this. The consequence of those generated files to be invalid is that Windows AD server will not show up "Ubuntu" in its GPO template.
- on the client, the privilege manager is the main consumer of those disabled key types. The other kinds of keys are not impacted.

[Additional informations]
* New test cases have been added for the client part.

See original description
Didier Roche-Tolomelli (didrocks)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.8.5

---------------
adsys (0.8.5) kinetic; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  * Rename chapters to be in correct ascii order when viewed online.
    Thanks to Anton Drastrup-Fjordbak.
  * Include 22.04 in admx/adml for lts only releases. (LP: #1973745)
  * Bump embedeed dependencies minor versions for both bug fixes and minor
    security enhancements.
  * Fix dconf keys not being readable by user after applying policy.
    (LP: #1973748)
  * Ensure we can execute machine and user scripts:
    /run is now noexec on Ubuntu. Ensure that we can execute the scripts in
    /run/adsys subdirectories. The scripts mecanism has been reviewed by the
    security team, so we can reset them as executable. (LP: #1973751)
  * Move integration tests under cmd/adsysd and admxgen binary to cmd/admxgen
    to prepare future adwatchd daemon under cmd/ which will be SRUed with an
    exception in next update. This is a no-op in the finale deploy binaries,
    apart from admxgen which is now using Cobra. This binary though is not
    shipped in any package and only used in CI.
  * Fix privilege permission which can not be set to disabled. (LP: #1973752)
  * Adaptation or new tests for all above changes.
  * Add fuzz tests and include new potential crash fixes on invalid files
    generated by Windows AD.
  * CI fixes and changes (not impacting finale package):
    - Move CI to Go 1.18 (package is already building with 1.18 in jammy).
    - Fixes due to new github.
    - Fix to generate all LTS releases in admx/adml (see above).

 -- Didier Roche <email address hidden> Mon, 16 May 2022 14:09:36 +0200

Changed in adsys (Ubuntu):
status: New → Fix Released
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Didier, or anyone else affected,

Accepted adsys into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adsys/0.8.5~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in adsys (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (adsys/0.8.5~22.04)

All autopkgtests for the newly accepted adsys (0.8.5~22.04) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

adsys/0.8.5~22.04 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#adsys

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

I successfully verified that this is fixed in Jammy and didn't introduce any regression with adsys 0.8.5~22.04.

Marking as verification-done

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.8.5~22.04

---------------
adsys (0.8.5~22.04) jammy; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  * Rename chapters to be in correct ascii order when viewed online.
    Thanks to Anton Drastrup-Fjordbak.
  * Include 22.04 in admx/adml for lts only releases. (LP: #1973745)
  * Bump embedeed dependencies minor versions for both bug fixes and minor
    security enhancements.
  * Fix dconf keys not being readable by user after applying policy.
    (LP: #1973748)
  * Ensure we can execute machine and user scripts:
    /run is now noexec on Ubuntu. Ensure that we can execute the scripts in
    /run/adsys subdirectories. The scripts mecanism has been reviewed by the
    security team, so we can reset them as executable. (LP: #1973751)
  * Move integration tests under cmd/adsysd and admxgen binary to cmd/admxgen
    to prepare future adwatchd daemon under cmd/ which will be SRUed with an
    exception in next update. This is a no-op in the finale deploy binaries,
    apart from admxgen which is now using Cobra. This binary though is not
    shipped in any package and only used in CI.
  * Fix privilege permission which can not be set to disabled. (LP: #1973752)
  * Adaptation or new tests for all above changes.
  * Add fuzz tests and include new potential crash fixes on invalid files
    generated by Windows AD.
  * CI fixes and changes (not impacting finale package):
    - Move CI to Go 1.18 (package is already building with 1.18 in jammy).
    - Fixes due to new github.
    - Fix to generate all LTS releases in admx/adml (see above).

 -- Didier Roche <email address hidden> Mon, 16 May 2022 14:09:36 +0200

Changed in adsys (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for adsys has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Didier, or anyone else affected,

Accepted adsys into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adsys/0.9.2~20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in adsys (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

Verified successfully on Focal with adsys 0.9.2~20.04.

Marking as verification-done

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (5.7 KiB)

This bug was fixed in the package adsys - 0.9.2~20.04

---------------
adsys (0.9.2~20.04) focal; urgency=medium

  * Backport to focal
    - Build with Go 1.16
    - Move debhelper compat to 12
    - Do not recommends ubuntu-advantage-desktop-daemon as it’s not available
      on focal yet.

adsys (0.9.2) kinetic; urgency=medium

  * Update generators to fix FTBFS
    - shell out to mkdir instead of go's os.Mkdir which can bypass fakeroot's
      filesystem hijacking and cause unexpected behavior
  * Update dependencies to latest:
    - github.com/golangci/golangci-lint
    - google.golang.org/protobuf

adsys (0.9.1) kinetic; urgency=medium

  [ Didier Roche ]
  [ Gabriel Nagy ]
  * Fix loading policy content from uppercase folders (LP: #1982330)
  * Add GSettings power management keys (LP: #1982349)
  * Allow parsing policy entries with empty values (LP: #1982342)
  * Allow parsing policies with unsupported types (LP: #1982343)
  * Allow parsing policy entries with no data (LP: #1982345)
  * Lowercase target name when normalizing (LP: #1982347)
  * Annotate policies that require Ubuntu Pro (LP: #1982348)
  * Update dependencies to latest:
    - github.com/spf13/cobra
    - github.com/spf13/viper
    - github.com/stretchr/testify
    - github.com/charmbracelet/bubbletea
    - github.com/charmbracelet/bubbles
    - google.golang.org/grpc
    - github.com/golangci/golangci-lint
    - github.com/sirupsen/logrus

adsys (0.9.0) kinetic; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  [ Gabriel Nagy ]
  * Add Active Directory Watch Daemon - adwatchd: (LP: #1982351)
    - Implement a Windows daemon that watches a list of configured directories
      for changes and bumps the relevant GPT.INI files.
    - Add adsys-windows binary package which includes the Windows daemon
      executable and the admx/adml policies.
  * Config detection now includes current executable directory
  * Fixes in generator build race
  * Update dependencies to latest:
    - github.com/spf13/cobra
    - github.com/stretchr/testify
  * CI updates:
    - switch to Go setup v3
    - bump to really build with Golang 1.18

adsys (0.8.6) kinetic; urgency=medium

  * Fix new build failures on 32 bits due to libsmbclient-dev no longer sets
    the large file support cflags in libsmbclient.h.
    Update to latest libsmbclient-go.
  * Update dependencies to latest:
    - google.golang.org/grpc
    - gopkg.in/ini.v1
    - github.com/golangci/golangci-lint
    - github.com/spf13/viper
    - github.com/stretchr/testify

adsys (0.8.5) kinetic; urgency=medium

  [ Jean-Baptiste Lallement ]
  [ Didier Roche ]
  * Rename chapters to be in correct ascii order when viewed online.
    Thanks to Anton Drastrup-Fjordbak.
  * Include 22.04 in admx/adml for lts only releases. (LP: #1973745)
  * Bump embedeed dependencies minor versions for both bug fixes and minor
    security enhancements.
  * Fix dconf keys not being readable by user after applying policy.
    (LP: #1973748)
  * Ensure we can execute machine and user scripts:
    /run is now noexec on Ubuntu. Ensure that we can execute the scripts in
    /run/adsys subdirectories. The scripts mechanism has been reviewed by the...

Read more...

Changed in adsys (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.