adsys (0.9.2~22.04.1) jammy-security; urgency=medium * No change build due to golang-1.18 update -- Nishit Majithia Thu, 27 Apr 2023 11:41:22 +0530 adsys (0.9.2~22.04) jammy; urgency=medium * Backport to jammy -- Didier Roche Thu, 04 Aug 2022 11:23:01 +0200 adsys (0.9.2) kinetic; urgency=medium * Update generators to fix FTBFS - shell out to mkdir instead of go's os.Mkdir which can bypass fakeroot's filesystem hijacking and cause unexpected behavior * Update dependencies to latest: - github.com/golangci/golangci-lint - google.golang.org/protobuf -- Gabriel Nagy Wed, 03 Aug 2022 11:00:39 +0300 adsys (0.9.1) kinetic; urgency=medium [ Didier Roche ] [ Gabriel Nagy ] * Fix loading policy content from uppercase folders (LP: #1982330) * Add GSettings power management keys (LP: #1982349) * Allow parsing policy entries with empty values (LP: #1982342) * Allow parsing policies with unsupported types (LP: #1982343) * Allow parsing policy entries with no data (LP: #1982345) * Lowercase target name when normalizing (LP: #1982347) * Annotate policies that require Ubuntu Pro (LP: #1982348) * Update dependencies to latest: - github.com/spf13/cobra - github.com/spf13/viper - github.com/stretchr/testify - github.com/charmbracelet/bubbletea - github.com/charmbracelet/bubbles - google.golang.org/grpc - github.com/golangci/golangci-lint - github.com/sirupsen/logrus -- Gabriel Nagy Thu, 21 Jul 2022 11:44:30 +0300 adsys (0.9.0) kinetic; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] [ Gabriel Nagy ] * Add Active Directory Watch Daemon - adwatchd: (LP: #1982351) - Implement a Windows daemon that watches a list of configured directories for changes and bumps the relevant GPT.INI files. - Add adsys-windows binary package which includes the Windows daemon executable and the admx/adml policies. * Config detection now includes current executable directory * Fixes in generator build race * Update dependencies to latest: - github.com/spf13/cobra - github.com/stretchr/testify * CI updates: - switch to Go setup v3 - bump to really build with Golang 1.18 -- Gabriel Nagy Mon, 04 Jul 2022 16:36:52 +0300 adsys (0.8.6) kinetic; urgency=medium * Fix new build failures on 32 bits due to libsmbclient-dev no longer sets the large file support cflags in libsmbclient.h. Update to latest libsmbclient-go. * Update dependencies to latest: - google.golang.org/grpc - gopkg.in/ini.v1 - github.com/golangci/golangci-lint - github.com/spf13/viper - github.com/stretchr/testify -- Didier Roche Tue, 07 Jun 2022 16:17:12 +0200 adsys (0.8.5) kinetic; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Rename chapters to be in correct ascii order when viewed online. Thanks to Anton Drastrup-Fjordbak. * Include 22.04 in admx/adml for lts only releases. (LP: #1973745) * Bump embedeed dependencies minor versions for both bug fixes and minor security enhancements. * Fix dconf keys not being readable by user after applying policy. (LP: #1973748) * Ensure we can execute machine and user scripts: /run is now noexec on Ubuntu. Ensure that we can execute the scripts in /run/adsys subdirectories. The scripts mechanism has been reviewed by the security team, so we can reset them as executable. (LP: #1973751) * Move integration tests under cmd/adsysd and admxgen binary to cmd/admxgen to prepare future adwatchd daemon under cmd/ which will be SRUed with an exception in next update. This is a no-op in the finale deploy binaries, apart from admxgen which is now using Cobra. This binary though is not shipped in any package and only used in CI. * Fix privilege permission which can not be set to disabled. (LP: #1973752) * Adaptation or new tests for all above changes. * Add fuzz tests and include new potential crash fixes on invalid files generated by Windows AD. * CI fixes and changes (not impacting finale package): - Move CI to Go 1.18 (package is already building with 1.18 in jammy). - Fixes due to new github. - Fix to generate all LTS releases in admx/adml (see above). -- Didier Roche Mon, 16 May 2022 14:09:36 +0200 adsys (0.8.4) jammy; urgency=medium * Sync refresh timer with Windows * Some lint fixes due to Go 1.18 * Fix image reference in documentation -- Didier Roche Wed, 06 Apr 2022 15:37:58 +0200 adsys (0.8.3) jammy; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Use ua attached instead of a specific ua feature to gate optional features. * Added and updated documentation for privilege escalation and scripts support. * New linter version trigger fix. * Dependencies update for latest bug fixes: - github.com/golangci/golangci-lint - github.com/spf13/cobra-1.4.0 - github.com/stretchr/testify-1.7.1 - google.golang.org/protobuf-1.28.0 - google.golang.org/grpc-1.45.0 -- Didier Roche Wed, 23 Mar 2022 13:39:27 +0100 adsys (0.8.2) jammy; urgency=medium * Fix flaky "pick up config changes" tests on armhf and arm64 -- Didier Roche Thu, 10 Mar 2022 11:00:27 +0100 adsys (0.8.1) jammy; urgency=medium * Change chown logic on script directory and parents to avoid potential vulnerability. (LP: #1961458) * Separate readiness from session running to avoid unrefreshed user script directories after a logout without any new logins. * pam_adsys: Fix memory leak and identation. (LP: #1961459) * Adapt to newer samba, while keeping backward compatilibity for CI. Thanks Michael. (LP: #1962170) * Try to stabilize configuration detection change test by calling sync() to sync FHS to disk, and then, hoping we get the inotify update. Seems to fix flakyness on armhf. (LP: #1962510) * Enforce closing stderr on ppcel64 in tests with new samba to avoid hangs in race. * Fix linting issues discovered by new golangci-lint. * Misc syntax polish. * Dependencies update: - github.com/godbus/dbus/v5 - github.com/golangci/golangci-lint - gopkg.in/ini.v1 -- Didier Roche Tue, 08 Mar 2022 09:49:08 +0100 adsys (0.8) jammy; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Add new types of GPOs support, with ubuntu advantage subscription integration. Recommends ubuntu-advantage-desktop-daemon. * Privilege escalation: support for privilege escalation and gives administrator access to users and groups registered in Active Directory. The administrator can also prevent any kind of local administrator on the machine. * Scripts integration: support for scripts in GPO when the computer boots and shuts down, and when the user logs on or off. - The computer scripts are ran as root, on startup (or first AD user login if we couldn’t fetch GPOs and had no cache) - The user scripts are ran with systemd user session, as the user. - A transactional state is handled: New versions of scripts or list of scripts are only updated when a given session is not opened. Said differently, the shutdown scripts for the machine will be the ones downloaded and enabled when the start scripts were ran. Similarly, the user logoff scripts will be the ones corresponding to the time when the log on scripts were executed. - Any failing scripts won’t stop the boot or log on. Similarly to Windows script support, this is not a security feature. * Support downloading assets from the Active Directory server. Those assets are located in the named directory at SYSVOL root. Those needs a GPT.INI, similarly to GPO, to control cache update. * Internal changes on how policies and cached are handled. Those changes are needed to enhance the model of caching with assets, while keeping a transactional behaviour. * Many new tests covering all the new and existing changes. * General cleanups: - More debugging and info messages. - In templates, policies define personalized notes and descriptions. Those are now used to generate the description of the policy. - Modernize, fix bugs and workarounds now that we are on at min Go 1.16, and prepare for 1.17 and new vendored dependencies versions. - Add more linting support and fix discovered issues. - Rewrite integration tests containers mimicking system services in python for better reliability and support via dbus-mock. Upgraded to a newer version. - Adapt to new GitHub infrastructure changes with new container repository, and change workflows adjustements by new linting rules. - Discare deprecated dconf keys for those releases. * Updated vendored go dependencies: - bluemonday - cobra - color - glamour - go-dbus - golangci-lint - grpc - ini - viper -- Didier Roche Mon, 07 Feb 2022 09:37:45 +0100 adsys (0.7.1) impish; urgency=medium * Fix user login name when being prefixed by domain (domain\user) or using default domain suffix. * Relax commands to always normalize to user@domain even if a previous form of entry is given * Fix pam module to always be loaded for those. * All users and machine update should not provide a target * Relax rule for hostname length when > 15 characters. Try first real name in AD and then fallback to 15 for NETBIOS compatibility if AD is configured in such a way. * Pull sss connection state dynamically, to switch between online and offline mode. * Misc smaller fixes in namings and entry permissive mode. * Add and adapt unit and integration tests for all the above, including docker test container. * Fixes for incoming Golang 1.17 tests Name() behaviour change * Make some integration tests more stable * Refresh policy definition file * Update vendored dependency via DEPENDABOT: - github.com/fsnotify/fsnotify - github.com/godbus/dbus - golang.org/x/text - google.golang.org/grpc - gopkg.in/ini.v1 - honnef.co/go/tools * CI: - switch back to hirsute for QA code check, as impish docker images have a broken libc. * Packaging fixes: - Ensure we always build with PIE - Fix autopkgtests by not running them as root - Ship NOTICE from a vendor dependency as being Apache2 licensed - Modernize gbp.conf -- Didier Roche Wed, 15 Sep 2021 10:30:27 +0200 adsys (0.7) impish; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Depends on sssd offline status to try fetching the GPOs - request to sssd in what status we are in - if we are online, do the samba/ldap requests as we used to do, but with a contextual timeout. * Allow empty ad_server in sssd.conf. * Fix dependencies between service and relax adsys-boot retrials. * Pam to request machine update if no machine cache is available.a * Print N/A when no Active Server was found. * Refresh policy definition files * Updates to latest release of viper, cobra, protobuf, grpc. * Use cobra 2.0 completion. * Adapt and add new tests to previous changes * Reenable LTO optimization. -- Didier Roche Mon, 19 Jul 2021 13:01:07 +0200 adsys (0.6) impish; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Add a new status command, returning current user connected, mode, last refresh time and applied configuration * Add a new doc command, which allows listing the documentation or write a specific chapter on the terminal or disk. * Add a new debus hidden (system) command, which allows dumping adsys-gpolist and (in the future) various multiple debugging tools for a specific AD setup * Advance CI completion for users, machines and other contextual strings (requesting the service for available valid items, based on context). * Hook up CI to update online documentation (on github) and local offline one in two ways (updating the local doc will update the online one and vice-versa) * Write the whole documentation for setting up and using adsys * Refactor configuration handling and const location * Only start machine GPO download on boot (blocking) if we have AD configured * Fix pam integration by setting correct linker property * Fallback to sssd discovery active AD server * Fix GDM dconf keys to use for screen customization * New adsysservice to properly shutdown authorizer and move service dbus handling * Integrate gosec to CI and multiple fixes * Serialize adsys-gpolist and admx/adml in binary * Misc fixes in listing Active Directory GPO, multiple error cases graceful handling and fix some Windows requirements like spec names. * Small fixes and error message reformulation * Update all dependencies to latest version and hook up Dependabot in CI * Multiple CI enhancements * Fix for admx generation, allowing pointing at keys not present in a release if filtered out * Tighten build and package depdencies. * Tests: - add more configuration for integration tests - fix protobuf namespace conflicts - multiple refactoring - ensure local dbus are properly shutdown - fix some racy tests but being more relax on times - allow coverage for python code and subprocesses - add many new tests, including integration tests - replace wharthogs.biz domain by example.com. Thanks Paul Mars -- Didier Roche Mon, 21 Jun 2021 14:16:16 +0200 adsys (0.5) hirsute; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Add integration tests to cover (all but policy update command): - command line parsing and handling - interaction between daemon and client * Add tests and coverage support for python embedded code to interact with samba (ldap AD connection). * Create a samba mock to test adsys-gpolist. * Add a container to control and tests polkitd with our uninstalled, current version in branch .policy file on its own couple of system dbus. * Abstract many test helpers in their own function to be more reusable. * Code cleanup (races, shutdown handling and other fixes) detected via the new tests. * CI coverage integration. * Various CI fixes on tagged version. -- Didier Roche Fri, 16 Apr 2021 09:53:07 +0200 adsys (0.4) hirsute; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Disable LTO to fix FTBFS * Fix Version test on released package * Fix timeout idler race * Add tests for logstreamer * Misc cleanups -- Didier Roche Thu, 01 Apr 2021 10:23:52 +0200 adsys (0.3) hirsute; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Fix namespace in admx files to avoid conflict with Windows one. * Special case GDM user as a machine to support login screen configuration in both admx and policy daemon side. * CI fixes and additions for admx generation and tests. Enable devel (hirsute) series. * Multiple gosec fixes. * Add missing samba dependencies to packaging * Graceful stop handling fixes. * Lot of new tests * Multiple fixes/races discovered by tests -- Didier Roche Thu, 25 Mar 2021 10:58:58 +0100 adsys (0.2) hirsute; urgency=medium [ Jean-Baptiste Lallement ] [ Didier Roche ] * Fix FTBFS due to race: - workaround amd64 mkdirall while creating directory for pam module integration - fix sigchild flag capture, including additional flags on non amd64, before restoring them after each samba call to workaround libsamba signals override. * Fix utf-16 and memory management when .pol windows file are more than 4106 size long (-8 header bytes > 4096). * Fix GPO list order when a policy is enforced * Embed GPO list python helper inside the go binary * Fix emptying a GPO after setting value doesn’t reset the applied policy * Fix multi-lines support while dumping applied policies * Internal: rename "default" dconf metadata to "empty" for clarity -- Didier Roche Thu, 25 Feb 2021 10:11:13 +0100 adsys (0.1) hirsute; urgency=medium * Initial release -- Didier Roche Fri, 08 Jan 2021 16:35:16 +0100