Bug 54341 - Radius Joinscript modifies wrong extended Attribute
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 5.0
Other Linux
: P5 enhancement
: UCS 5.0-1-errata
Assigned To: Philipp Hahn
Florian Best
Depends on: 25935
Blocks: 48692
Reported: 2022-01-14 15:21 CET by Johannes Lohmer
Modified: 2022-01-26 17:21 CET (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): bitesize
Max CVSS v3 score:
hahn: Patch_Available+


Description Johannes Lohmer univentionstaff 2022-01-14 15:21:38 CET
The RADIUS join script services/univention-radius/80univention-radius.inst modifies the wrong LDAP extended attribute in lines 299 and following.

The bug probably only affects systems that were initially shipped with join script version 1, because the relevant section is only executed when updating from version 1 and not when installing version 2 or 3.

In line 300 it should be "networkAccessGroups" instead of "networkAccessComputers".

The reason is that lines 305 and following are equivalent to lines 242 and following instead of lines 205 and following.

Code:
200     --set name='networkAccessComputers' \
205     --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for this computer.' \

237     --set name='networkAccessGroups' \
242     --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for members of this group.' \

287 # update existing extended attributes created in version 1
288 if joinscript_check_specific_version_executed 1 ; then
289     echo "Updating RADIUS extended attributes..."
290     udm settings/extended_attribute modify "$@" \
291         --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
292         --set groupName="RADIUS supplicant" \
293         --set translationGroupName='"de_DE" "RADIUS-Supplicant"' \
294         --set translationGroupName='"fr_FR" "Demandeur RADIUS"' \
295         --set groupPosition=1 \
296         --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for this computer.' \
297         --set translationLongDescription='"de_DE" "Soll der Zugriff per RADIUS (z.B. über IEEE 802.1x) für diesen Computer erlaubt werden."' || exit "$?"
298         --set translationLongDescription='"fr_FR" "Autoriser l’accès via RADIUS (par exemple via IEEE 802.1x) pour cet ordinateur."' \
299     udm settings/extended_attribute modify "$@" \
300         --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
301         --set groupName="RADIUS supplicant" \
302         --set translationGroupName='"de_DE" "RADIUS-Supplicant"' \
303         --set translationGroupName='"fr_FR" "Demandeur RADIUS"' \
304         --set groupPosition=1 \
305         --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for members of this group.' \
306         --set translationLongDescription='"de_DE" "Soll der Zugriff per RADIUS (z.B. über IEEE 802.1x) für Mitglieder dieser Gruppe erlaubt werden."' || exit "    $?"
307         --set translationLongDescription='"fr_FR" "Autoriser l’accès via RADIUS (par exemple IEEE 802.1x) pour les membres de ce groupe."' \
308 fi

+++ This bug was initially created as a clone of Bug #25935 +++
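The copy-paste error above (two consecutive udm modify calls that both target cn=networkAccessComputers while their --set values describe different objects) can be caught by a small lint before a join script ships. The following is an added example, not part of the bug report or of the UCS code base: it joins backslash-continued lines, tokenises each udm settings/extended_attribute modify call with shell quoting rules, and reports any DN that is modified twice with conflicting values for the same key. The excerpt it scans is a constructed, shortened stand-in for the block quoted above.

```python
import shlex
from collections import defaultdict

# Constructed stand-in for the "update from version 1" block: the second call
# keeps the DN copied from the first instead of cn=networkAccessGroups.
JOINSCRIPT_EXCERPT = r'''
udm settings/extended_attribute modify "$@" \
    --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
    --set groupName="RADIUS supplicant" \
    --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for this computer.' \
    --set translationLongDescription='"de_DE" "... für diesen Computer erlaubt werden."'
udm settings/extended_attribute modify "$@" \
    --dn "cn=networkAccessComputers,cn=custom attributes,cn=univention,$ldap_base" \
    --set groupName="RADIUS supplicant" \
    --set longDescription='Allow access via RADIUS (e.g. via IEEE 802.1x) for members of this group.' \
    --set translationLongDescription='"de_DE" "... für Mitglieder dieser Gruppe erlaubt werden."'
'''


def parse_udm_modify_calls(script):
    """Return (dn, {key: [values]}) for every udm extended_attribute modify call."""
    calls = []
    for cmd in script.replace("\\\n", " ").splitlines():  # join continued lines
        toks = shlex.split(cmd)  # POSIX quoting, as the shell would apply it
        if toks[:3] != ["udm", "settings/extended_attribute", "modify"]:
            continue
        dn, sets = None, defaultdict(list)
        for i, tok in enumerate(toks):
            if tok == "--dn":
                dn = toks[i + 1]
            elif tok == "--set":  # --set key=value; keys may repeat (translations)
                key, _, val = toks[i + 1].partition("=")
                sets[key].append(val)
        calls.append((dn, dict(sets)))
    return calls


def find_conflicting_modifies(script):
    """Return (dn, key) pairs where one DN is modified twice with different values."""
    seen, conflicts = {}, []
    for dn, sets in parse_udm_modify_calls(script):
        if dn in seen:
            for key in sorted(set(seen[dn]) & set(sets)):
                if seen[dn][key] != sets[key]:
                    conflicts.append((dn, key))
        else:
            seen[dn] = sets
    return conflicts
```

Run against the excerpt it reports longDescription and translationLongDescription as conflicting on the computers DN; once the second --dn is changed to cn=networkAccessGroups the report is empty.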
Comment 2 Philipp Hahn univentionstaff 2022-01-20 19:43:05 CET
[5.0-1] 44ab1ed4b9 doc[radius]: Update Debian packaging
 services/univention-radius/debian/control                       | 37 +++++++++++++++++++++--------
 services/univention-radius/debian/rules                         |  6 ++---
 .../univention-radius/usr/lib/univention-freeradius/setupCA.sh  |  0
 3 files changed, 29 insertions(+), 14 deletions(-)

[5.0-1] f55f8a84ae style[radius]: shellcheck
 services/univention-radius/20univention-radius.uinst                          |  3 +++
 services/univention-radius/80univention-radius.inst                           | 15 +++++++--------
 services/univention-radius/debian/univention-radius.postinst                  |  1 +
 services/univention-radius/debian/univention-radius.postrm                    |  1 +
 services/univention-radius/usr/lib/univention-freeradius/setupCA.sh           |  4 ++++
 .../usr/lib/univention-server/server_password_change.d/univention-radius      |  3 +--
 6 files changed, 17 insertions(+), 10 deletions(-)

[5.0-1] f409e9f9d8 fix[radius]: networkAccessGroups in join script on update
 doc/errata/staging/univention-radius.yaml           | 12 ++++++++++++
 services/univention-radius/80univention-radius.inst |  6 +++---
 services/univention-radius/debian/changelog         |  6 ++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

[5.0-1] 660f345586 fix[radius]: Fortify SUID wrapper
 services/univention-radius/.gitignore                       | 1 +
 services/univention-radius/Makefile                         | 8 ++------
 services/univention-radius/debian/univention-radius.install | 1 +
 3 files changed, 4 insertions(+), 6 deletions(-)

[5.0-1] 92218123e3 style[radius]: Log formatting
 services/univention-radius/modules/univention/radius/networkaccess.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

[5.0-1] 8c524cd6d6 style[radius]: build_access_dict
 services/univention-radius/modules/univention/radius/networkaccess.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

[5.0-1] 2cae780b26 refactor[radius]: evaluate_ldap_network_access
 services/univention-radius/modules/univention/radius/networkaccess.py | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

[5.0-1] 85079fae5f refactor[radius]: decode_stationId
 services/univention-radius/modules/univention/radius/networkaccess.py |  2 +-
 services/univention-radius/modules/univention/radius/utils.py         | 14 ++------------
 2 files changed, 3 insertions(+), 13 deletions(-)

[5.0-1] afaa1123b2 refactor[radius]: Drop duplicate UCR
 services/univention-radius/modules/univention/radius/networkaccess.py | 2 --
 1 file changed, 2 deletions(-)

[5.0-1] 898ef93222 doc[radius]: PEP-484 type annotations
 services/univention-radius/debian/control                             |  1 +
 services/univention-radius/listener/univention-radius.py              |  8 +++++++-
 services/univention-radius/modules/univention/radius/networkaccess.py | 22 +++++++++++++++++++---
 services/univention-radius/modules/univention/radius/pyMsChapV2.py    |  4 ++++
 services/univention-radius/modules/univention/radius/utils.py         |  2 ++
 services/univention-radius/usr/bin/univention-radius-check-access     |  1 +
 services/univention-radius/usr/bin/univention-radius-ntlm-auth        |  1 +
 7 files changed, 35 insertions(+), 4 deletions(-)

[5.0-1] 688b9721ee test[radius]: Convert to unit test
 services/univention-radius/debian/control                       |  4 +++
 services/univention-radius/debian/rules                         |  1 +
 services/univention-radius/debian/ucslint.overrides             |  4 +++
 services/univention-radius/modules/univention/__init__.py       |  1 +
 .../modules/univention/radius/networkaccess.py                  | 24 ++-----------
 .../univention-radius/modules/univention/radius/pyMsChapV2.py   | 31 ----------------
 services/univention-radius/modules/univention/radius/utils.py   | 55 +++++++++++++++++++++++++++++
 services/univention-radius/pytest.ini                           |  7 ++++
 services/univention-radius/setup.py                             |  2 +-
 services/univention-radius/tests/test_mschapv2.py               | 30 ++++++++++++++++
 ...
 11 files changed, 128 insertions(+), 54 deletions(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201201939
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] f834208713 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201201939
 doc/errata/staging/univention-radius.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
Comment 3 Julia Bremer univentionstaff 2022-01-21 08:39:15 CET
One of our diagnostic checks is currently failing:

###################### Start 31_file_permissions #######################
## Check failed: 31_file_permissions - Überprüfe Datei Berechtigungen ##
Datei '/etc/freeradius/ssl' hat den Besitzer 'freerad:freerad', während 'root:freerad' erwartet war.
####################### End 31_file_permissions ########################

I assume this change was made deliberately, so I would ask you to adjust the diagnostic check as well :)
Comment 4 Philipp Hahn univentionstaff 2022-01-21 09:27:41 CET
(In reply to Julia Bremer from comment #3)
> One of our diagnostic checks is currently failing:
...
> Datei '/etc/freeradius/ssl' hat den Besitzer 'freerad:freerad', während
> 'root:freerad' erwartet war.
...
> I assume this change was made deliberately, so I would ask you to adjust the
> diagnostic check as well :)

The check was right and I broke it; thanks for the info.
Fixed:

[5.0-1] da497333c1 fix[radius]: /etc/freeradius/ssl permissions
 services/univention-radius/80univention-radius.inst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201210910
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] d4b119ea29 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201210910
 doc/errata/staging/univention-radius.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


OK: univention-run-diagnostic-checks -t 31_file_permissions --username Administrator --bindpwdfile <(echo univention)
OK: ucs-test -E dangerous -s radius -c -F raw
Comment 5 Julia Bremer univentionstaff 2022-01-24 09:22:54 CET
###################### Start 31_file_permissions #######################
## Check failed: 31_file_permissions - Überprüfe Datei Berechtigungen ##
Datei '/etc/freeradius/ssl' hat Datei-Modus 2775, 2755 war erwartet.
####################### End 31_file_permissions ########################

The diagnostic check is still unhappy (for another reason), since Friday.
Comment 6 Philipp Hahn univentionstaff 2022-01-24 09:50:44 CET
(In reply to Julia Bremer from comment #5)
> ## Check failed: 31_file_permissions - Überprüfe Datei Berechtigungen ##
> Datei '/etc/freeradius/ssl' hat Datei-Modus 2775, 2755 war erwartet.

[5.0-1] 748fe8c920 fix[radius]: /etc/freeradius/ssl permissions 2
 services/univention-radius/80univention-radius.inst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201240936
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] b72b4918b5 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201240936
 doc/errata/staging/univention-radius.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

OK: univention-run-diagnostic-checks -t 31_file_permissions --username Administrator --bindpwdfile <(echo univention)
OK: ucs-test -E dangerous -s radius -c -F raw
Comment 7 Philipp Hahn univentionstaff 2022-01-25 15:58:21 CET
[5.0-1] 899ec4f2b5 doc[radius]: Fix spelling mistakes
 services/univention-radius/80univention-radius.inst | 2 +-
 services/univention-radius/debian/control           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

Package: univention-radius
Version: 7.0.1-4A~5.0.0.202201251556
Branch: ucs_5.0-0
Scope: errata5.0-1

[5.0-1] 85130afe00 Bug #54341: univention-radius 7.0.1-4A~5.0.0.202201251556
 doc/errata/staging/univention-radius.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Florian Best univentionstaff 2022-01-25 16:00:13 CET
OK: text changes
OK: joinscript
OK: file permissions
OK: YAML