From e47945a03562d4ed68c4455eddfc22ccee2497d4 Mon Sep 17 00:00:00 2001
Message-Id:
From: Philipp Hahn
Date: Tue, 8 Dec 2015 10:44:03 +0100
Subject: [PATCH] Bug #37995 sudo: Only enable for new installs
Organization: Univention GmbH, Bremen, Germany
Allow members of "Domain Administrators" to use sudo. A this gives those users root privileges, enable it only on fresh installs, not on upgrades!
---
 .../ucs-4.1-0/base/univention-dvd/debian/changelog | 6 +++++
 .../base/univention-dvd/tasks/ucs410/task-ucs410 | 1 +
 .../ucs-4.1-0/base/univention-pam/debian/changelog | 6 +++++
 .../ucs-4.1-0/base/univention-pam/debian/control | 3 ++-
 .../univention-pam/debian/univention-pam.postinst | 31 +++-------------------
 .../conffiles/etc/sudoers.d/univention | 2 +-
 .../base/univention-sudo/debian/changelog | 6 +++++
 ...ntion-sudo.univention-config-registry-variables | 5 ++++
 8 files changed, 31 insertions(+), 29 deletions(-)
 create mode 100644 branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog
index 5d8451f..9e6f375 100644
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog
@@ -1,3 +1,9 @@
+univention-dvd (1.0.0-20) unstable; urgency=low
+
+ * Bug #37995: Add univention-sudo
+
+ -- Philipp Hahn Tue, 08 Dec 2015 10:43:11 +0100
+
 univention-dvd (1.0.0-19) unstable; urgency=low
 * Bug #37006 : add univention-nagios-s4-connector
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410 b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410
index f10b7f6..70aa110 100644
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410
@@ -62,6 +62,7 @@ openssh-blacklist
 python-univention-license
 univention-nagios-client
 univention-saml
+univention-sudo
 screen
 univention-management-console-module-quota
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog
index 0b9ed8b..07372e9 100644
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog
@@ -1,3 +1,9 @@
+univention-pam (9.0.0-3) unstable; urgency=low
+
+ * Bug #37995: Add sudo support
+
+ -- Philipp Hahn Tue, 08 Dec 2015 10:34:13 +0100
+
 univention-pam (9.0.0-2) unstable; urgency=low
 * Bug #24840: add dependency on german wordlist for cracklib
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control
index b6eb79e..bbcacdb 100644
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control
@@ -22,7 +22,8 @@ Depends: ${misc:Depends},
 python-univention-lib (>= 3.0.26-14),
 libnss-extrausers
 Recommends:
- univention-home-mounter
+ univention-home-mounter,
+ univention-sudo,
 Description: UCS - login configuration
 This package contains the configuration for the pluggable
 authentication modules (PAM) and the network name switch
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst
index 7340b29..32f7ea3 100644
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst
@@ -39,18 +39,6 @@ ln -sf /etc/machine.secret /etc/libnss-ldap.secret
 # /etc/pam_ldap.secret is required for rootbinddn in /etc/pam_ldap.conf
 ln -sf /etc/machine.secret /etc/pam_ldap.secret
-# Update to UCS 3.0, increase nscd cache sizes if pre 3.0 default values
-# are used. Bug #21358
-if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 5.0.15-1; then
- if [ "$nscd_passwd_size" = "3001" -a "$nscd_group_size" = "3001" -a "$nscd_hosts_size" = "3001" ]; then
- univention-config-registry set \
- nscd/passwd/size=6007 \
- nscd/group/size=56003 \
- nscd/hosts/size=6007 \
- nscd/group/maxdbsize=62914560
- fi
-fi
-
 univention-config-registry set \
 nscd/passwd/size?6007 \
 nscd/group/size?56003 \
@@ -114,13 +102,6 @@ if [ -e /etc/univention/templates/files/etc/pam.d/common-auth ]; then
 rm /etc/univention/templates/files/etc/pam.d/common-auth
 fi
-if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 6.0.2-1; then
- if is_ucr_true nss/group/cachefile; then
- /usr/lib/univention-pam/ldap-group-to-file.py
- univention-config-registry set nscd/group/invalidate_cache_on_changes="false"
- fi
-fi
-
 # Restart listener
 if [ -x "/etc/init.d/univention-directory-listener" ] ; then
 /etc/init.d/univention-directory-listener crestart
@@ -138,14 +119,10 @@ univention-config-registry set \
 'security/limits/default/user/hard/nofile?32768' \
 'security/limits/group/Domain Users/hard/nproc?1000'
-# Bug #32415, can be removed after 4.0-0
-if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 8.0.1-2; then
- if [ -n "$security_limits_user_default_user_soft_nofile" ]; then
- ucr unset security/limits/user/default/user/soft/nofile
- fi
- if [ -n "$security_limits_user_default_user_hard_nofile" ]; then
- ucr unset security/limits/user/default/user/hard/nofile
- fi
+# Bug #37995: Enable sudo only on new UCS-4.1 installs
+if [ "$1" = configure ] && [ -n "$2" ]
+then
+ univention-config-registry set auth/sudo?yes
 fi
 call_joinscript 11univention-pam.inst
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention
index 06233d6..67631d2 100644
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention
@@ -4,7 +4,7 @@
 @!@
 import re
 group = configRegistry.get("groups/default/domainadmins", "Domain Admins")
-if group:
+if group and configRegistry.is_true('auth/sudo'):
 da = re.sub(r'([ !=:,()\\])', r'\\\1', group)
 print "%{} ALL=(ALL:ALL) ALL".format(da)
 @!@
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog
index 435d589..4df36fb 100644
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog
@@ -1,3 +1,9 @@
+univention-sudo (1.0.0-3) unstable; urgency=low
+
+ * Bug #37995: Only enable for new installs
+
+ -- Philipp Hahn Tue, 08 Dec 2015 10:43:36 +0100
+
 univention-sudo (1.0.0-2) unstable; urgency=low
 * move file permission from postinst to ucr conf, escape all forbidden
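Review bot: The added guard `if [ "$1" = configure ] && [ -n "$2" ]` fires on upgrades rather than on fresh installs: dpkg passes the most recently configured version of the package as `$2` to `postinst configure`, so it is non-empty exactly when the package is being upgraded and empty on a first install, the opposite of the comment right above it and of the commit message. As written, a new install never sets auth/sudo (so the sudoers template emits no rule), while every upgrade sets it to yes and hands the domain administrators group `ALL=(ALL:ALL) ALL`; since debian/control now Recommends univention-sudo, apt will normally pull that package in during the very upgrade that enables it. The condition should read `if [ "$1" = configure ] && [ -z "$2" ]`. The blocks removed from this file used `-n "$2"` together with `dpkg --compare-versions` precisely because they were upgrade-only migrations, which is probably how the test was carried over. The enclosing postinst script continues outside the hunk.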
diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables
new file mode 100644
index 0000000..cfe2c72
--- /dev/null
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables
@@ -0,0 +1,5 @@
+[auth/sudo]
+Description[de]=Erlaubt die sudo Regeln für Domänenadministratoren.
+Description[en]=Permits the sudo rules for domain administrators.
+Type=bool
+Categories=system-base
-- 
2.1.4
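Review bot: The Description[en] of the new auth/sudo variable does not say what the "sudo rules" grant or what an unset value means, which is what an administrator reading the variable's description needs before enabling it. Suggest `Description[en]=If enabled, members of the domain administrators group (groups/default/domainadmins) may run any command as root via sudo. When unset or false no sudo rule is generated.` with the German text adjusted to match. The unset-means-disabled part follows from the `configRegistry.is_true('auth/sudo')` guard in the sudoers template, assuming is_true treats a missing key as false; please confirm that before wording it as a guarantee.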