Univention Bugzilla – Bug 51993
OX usertemplate sets Domain Admins as primary Group
Last modified: 2020-09-11 14:21:55 CEST
New installations of OX App Suite since version 7.10.3-ucs3 published on 11.06.2020 set the primaryGroup attribute "Domain Admins" instead of "Domain Users". Fix the pertaining code part and install package setup code that will fix existing installations during the package update.
git:d9a12ee39900877ddf771fddc2521739659050eb Bug #50469
The user template creation code was fixed and an update procedure written that fixes existing installations.

A new app version 7.10.3-ucs8 (oxseforucs_20200910185149) has been created. A new git branch "dtroeder/7.10.3-ucs8" has been branched off the git tag "release-7.10.3-ucs7".

The README_UPDATE_* files of both 7.10.3-ucs8 and 7.10.4-ucs1 contain a text that explains the situation, the risk and how to detect such users:

7.10.3-ucs8: http://appcenter-test.software-univention.de/univention-repository/4.4/maintained/component/oxseforucs_20200910185149/README_UPDATE_EN
7.10.4-ucs1: http://appcenter-test.software-univention.de/univention-repository/4.4/maintained/component/oxseforucs_20200826130851/README_UPDATE_DE

The univention-ox package has been updated and builds have been placed in both 7.10.3-ucs8 and 7.10.4-ucs1:

7.10.3-ucs8: univention-ox 11.0.0-66.1
7.10.4-ucs1: univention-ox 11.0.0-71

[4.4] 9cf77acb Bug #51993: fix wrong group in ox user template
[4.4] 04d829f3 Bug #51993: changelog
[4.4] e1cbcd77 Bug #51912, Bug #51993: advisory
[4.4] 289e56bd Bug #51993: add security notice and release notes for 7.10.3-ucs8

[dtroeder/7.10.3-ucs8] c9b1688e Bug #51993: fix wrong group in ox user template
[dtroeder/7.10.3-ucs8] 5808ad8e Bug #51993: README_UPDATE_* for 7.10.3-ucs8
[dtroeder/7.10.3-ucs8] 4c891335 Bug #51775: changelog
The Debian package version in the 7.10.3-ucs8 app has been fixed (was too low).
The README_UPDATE_* have been improved with a section on how to fix over-privileged users.

7.10.3-ucs8: univention-ox 11.0.0-67.1

[4.4] cd8c4f8b Bug #51993: improve readme

[dtroeder/7.10.3-ucs8] 1cb21e19 Bug #51993: Fix package version
[dtroeder/7.10.3-ucs8] 1025e226 Bug #51993: improve readme
QA -> All OK -> VERIFY

Code -> Looks Good
Changelogs -> OK
README -> OK
Functionality -> Tested with Testapp-Center 4.4/oxseforucs=7.10.3-ucs8

Reproduce error by installing an old ox version:

$ udm settings/usertemplate list | egrep 'primaryGroup:'
primaryGroup: cn=Domain Admins,cn=groups,dc=wenzel-univention,dc=intranet

$ udm users/user list --filter uid=t.person | egrep 'primaryGroup:'
primaryGroup: cn=Domain Admins,cn=groups,dc=wenzel-univention,dc=intranet

$ univention-app install 4.4/oxseforucs=7.10.3-ucs8

During the installation, /usr/share/univention-ox/list-domain-admins is run and logged to /var/log/univention/join.log (see below)

$ udm settings/usertemplate list | egrep 'primaryGroup:'
primaryGroup: cn=Domain Users,cn=groups,dc=wenzel-univention,dc=intranet

If a user was created with the wrong ox user template:

$ /usr/share/univention-ox/list-domain-admins
Looking for OX users that have 'Domain Admins' as primary group and have been created after 2020-06-11 (release of OX App Suite version 7.10.3-ucs3):

Creation date       | 'username' (email)
--------------------+------------------------------------------
2020-09-11 10:38:32 | 't.person' (t.person@wenzel-univention.intranet)

udm users/user list --filter uid=t.person2 | egrep 'primaryGroup:'
primaryGroup: cn=Domain Users,cn=groups,dc=wenzel-univention,dc=intranet

-> New users created with the ox user template receive the Domain Users primary group as expected.
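
The `egrep 'primaryGroup:'` checks in the comment above show the group but not which object carries it. As an added example (not part of the original comment and not code from the univention-ox package), the shell function below keeps the DN with each match, so it can audit every user or template regardless of creation date. The function names, the sample DNs, and the assumed `udm` list layout (a `DN:` line followed by indented `attribute: value` lines) are assumptions.

```shell
#!/bin/sh
# Added example, not from univention-ox.
# Reads `udm ... list` output on stdin and prints the DN of every object
# whose primaryGroup is the group named in $1 (default: Domain Admins).
# Assumed layout: each object starts with "DN: ..." followed by indented
# "attribute: value" lines.
find_primary_group() {
    group="${1:-Domain Admins}"
    awk -v want="cn=$group" '
        # Remember which object the following attributes belong to.
        /^DN: / { dn = substr($0, 5); next }
        /^[ \t]*primaryGroup: / {
            rdn = $0
            sub(/^[ \t]*primaryGroup: /, "", rdn)
            # Compare only the first RDN, case-insensitively, so that
            # "cn=Domain Admins2" or a differently cased DN is handled.
            sub(/,.*/, "", rdn)
            if (tolower(rdn) == tolower(want)) print dn
        }
    '
}

# Constructed sample input (hypothetical DNs under dc=example,dc=intranet).
sample_udm_output() {
cat <<'EOF'
DN: uid=t.person,cn=users,dc=example,dc=intranet
  username: t.person
  primaryGroup: cn=Domain Admins,cn=groups,dc=example,dc=intranet

DN: uid=t.person2,cn=users,dc=example,dc=intranet
  username: t.person2
  primaryGroup: cn=Domain Users,cn=groups,dc=example,dc=intranet
EOF
}

# On a real system, pipe the commands used in the QA comment instead:
#   udm users/user list | find_primary_group
#   udm settings/usertemplate list | find_primary_group
sample_udm_output | find_primary_group
```

Every DN it prints should be reviewed: either the account is an intended administrator or its primary group needs to be corrected as the README_UPDATE_* files describe.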
OX App Suite version 7.10.3-ucs8 has been released.