gpo: Apply Group Policy Sudo Rights

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

diff --git a/libgpo/admx/en-US/samba.adml b/libgpo/admx/en-US/samba.adml
index 570ed0598e42f133876a07312715df4703d5d773..577cb1aa0bbd0eefaea1388df2e26a3d205c3742 100755 (executable)
--- a/libgpo/admx/en-US/samba.adml
+++ b/libgpo/admx/en-US/samba.adml
@@ -12,10 +12,12 @@
       <string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1">Hourly</string>\r
       <string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6">Monthly</string>\r
       <string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674">Weekly</string>\r
+      <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3">Sudo Rights</string>\r
       <string id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061_Help">This policy setting allows you to execute commands, either local or on remote storage, daily.</string>\r
       <string id="POL_825D441F_905E_4C7E_9E4B_03013697C6C1_Help">This policy setting allows you to execute commands, either local or on remote storage, hourly.</string>\r
       <string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help">This policy setting allows you to execute commands, either local or on remote storage, monthly.</string>\r
       <string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help">This policy setting allows you to execute commands, either local or on remote storage, weekly.</string>\r
+      <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help">This policy configures the sudoers file with the lines specified.</string>\r
     </stringTable>\r
     <presentationTable>\r
       <presentation id="POL_9320E11F_AC80_4A7D_A5C8_1C0F3F727061">\r
@@ -30,6 +32,9 @@
       <presentation id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674">\r
         <listBox refId="LST_1E7198A6_7850_4CAB_B656_BC18752564FC">Script and arguments</listBox>\r
       </presentation>\r
+      <presentation id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3">\r
+        <listBox refId="LST_4F4BA073_4F7B_4B64_A61D_8E75257A4B9F">Sudoers commands</listBox>\r
+      </presentation>\r
     </presentationTable>\r
   </resources>\r
 </policyDefinitionResources>\r

diff --git a/libgpo/admx/samba.admx b/libgpo/admx/samba.admx
index 265f4134a886d0b8719c91f7a7f2417ebd27465c..a4e26cf388f86b3e48d42507f99178ad08e2d602 100755 (executable)
--- a/libgpo/admx/samba.admx
+++ b/libgpo/admx/samba.admx
@@ -43,5 +43,12 @@
         <list id="LST_1E7198A6_7850_4CAB_B656_BC18752564FC" key="Software\Policies\Samba\Unix Settings\Weekly Scripts" valueName="Weekly Scripts" />\r
       </elements>\r
     </policy>\r
+    <policy name="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3" class="Machine" displayName="$(string.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3)" explainText="$(string.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help)" presentation="$(presentation.POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3)" key="Software\Policies\Samba\Unix Settings">\r
+      <parentCategory ref="CAT_7D8D7DC8_5A9D_4BE1_8227_F09CDD5AFFC6" />\r
+      <supportedOn ref="windows:SUPPORTED_WindowsVista" />\r
+      <elements>\r
+        <list id="LST_4F4BA073_4F7B_4B64_A61D_8E75257A4B9F" key="Software\Policies\Samba\Unix Settings\Sudo Rights" valueName="Sudo Rights" />\r
+      </elements>\r
+    </policy>\r
   </policies>\r
 </policyDefinitions>\r

diff --git a/python/samba/gp_sudoers_ext.py b/python/samba/gp_sudoers_ext.py
index 1033af1771bdf5de8dc6abf960dfb6b297977656..cbebc8f06e3c3d0ee2339701cc360ee2e6e536c7 100644 (file)
--- a/python/samba/gp_sudoers_ext.py
+++ b/python/samba/gp_sudoers_ext.py
@@ -14,9 +14,72 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
 from samba.gpclass import gp_pol_ext
+from base64 import b64encode
+from tempfile import NamedTemporaryFile
+from subprocess import Popen, PIPE
+from distutils.spawn import find_executable
+
+intro = '''
+### autogenerated by samba
+#
+# This file is generated by the gp_sudoers_ext Group Policy
+# Client Side Extension. To modify the contents of this file,
+# modify the appropriate Group Policy objects which apply
+# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
+#
+
+'''
+visudo = find_executable('visudo',
+        path='%s:%s' % (os.environ['PATH'], '/usr/sbin'))
 
 class gp_sudoers_ext(gp_pol_ext):
+    def __str__(self):
+        return 'Unix Settings/Sudo Rights'
+
     def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
             sdir='/etc/sudoers.d'):
-        pass
+        for gpo in deleted_gpo_list:
+            self.gp_db.set_guid(gpo[0])
+            if str(self) in gpo[1]:
+                for attribute, sudoers in gpo[1][str(self)].items():
+                    os.unlink(sudoers)
+                    self.gp_db.delete(str(self), attribute)
+            self.gp_db.commit()
+
+        for gpo in changed_gpo_list:
+            if gpo.file_sys_path:
+                section = 'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
+                self.gp_db.set_guid(gpo.name)
+                pol_file = 'MACHINE/Registry.pol'
+                path = os.path.join(gpo.file_sys_path, pol_file)
+                pol_conf = self.parse(path)
+                if not pol_conf:
+                    continue
+                for e in pol_conf.entries:
+                    if e.keyname == section and e.data.strip():
+                        attribute = b64encode(e.data.encode()).decode()
+                        old_val = self.gp_db.retrieve(str(self), attribute)
+                        if not old_val:
+                            contents = intro
+                            contents += '%s\n' % e.data
+                            with NamedTemporaryFile() as f:
+                                with open(f.name, 'w') as w:
+                                    w.write(contents)
+                                sudo_validation = \
+                                        Popen([visudo, '-c', '-f', f.name],
+                                            stdout=PIPE, stderr=PIPE).wait()
+                            if sudo_validation == 0:
+                                with NamedTemporaryFile(prefix='gp_',
+                                                        delete=False,
+                                                        dir=sdir) as f:
+                                    with open(f.name, 'w') as w:
+                                        w.write(contents)
+                                    self.gp_db.store(str(self),
+                                                     attribute,
+                                                     f.name)
+                            else:
+                                self.logger.warn('Sudoers apply "%s" failed'
+                                        % e.data)
+                        self.gp_db.commit()

diff --git a/selftest/knownfail b/selftest/knownfail
index 1611abfb45cacc1c4e977f7e8dafcdf6098ad494..6c005d1f4deb7afc6db6269b44e5d59870d5710a 100644 (file)
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -396,4 +396,3 @@
 ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_sudoers

diff --git a/source4/scripting/bin/samba-gpupdate b/source4/scripting/bin/samba-gpupdate
index 68dfad1ed87dd3407f4167127ac2c1bc76e6ef9d..e239a4e015e3dc360e219a288a9e0662dc15879d 100755 (executable)
--- a/source4/scripting/bin/samba-gpupdate
+++ b/source4/scripting/bin/samba-gpupdate
@@ -33,6 +33,7 @@ from samba.gpclass import apply_gp, unapply_gp, GPOStorage
 from samba.gp_sec_ext import gp_sec_ext
 from samba.gp_ext_loader import get_gp_client_side_extensions
 from samba.gp_scripts_ext import gp_scripts_ext
+from samba.gp_sudoers_ext import gp_sudoers_ext
 import logging
 
 if __name__ == "__main__":
@@ -82,6 +83,7 @@ if __name__ == "__main__":
     if opts.target == 'Computer':
         gp_extensions.append(gp_sec_ext(logger, lp, creds, store))
         gp_extensions.append(gp_scripts_ext(logger, lp, creds, store))
+        gp_extensions.append(gp_sudoers_ext(logger, lp, creds, store))
         for ext in machine_exts:
             gp_extensions.append(ext(logger, lp, creds, store))
     elif opts.target == 'User':