[MIR] ADSys
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
adsys (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
[Availability]
Available on all archs, available starting hirsute. It will be backported to Focal once an FFe has been accepted.
[Rationale]
We are supporting GPO Active Directory support on Ubuntu starting hirsute. This feature allows an administrator to configure their Active Directory server to deploy per-machine and per-user configurations, enforce rules and other domain policies.
Right now, dconf keys, sudo administration rights and computer and user scripts are supported.
This feature is built on and uses the krb5 tickets which are provided by SSSD. Basically:
- SSSD is dealing with user and machine registration.
- ADSys is handling GPO enforcement and support. The Ubuntu-specific policies need to be installed on the Active Directory server (they are contained in the daemon).
[Security]
The daemon runs as root to be able to enforce machine policies, like rebuilding dconf databases and setting profiles. Users only interact with the client side (both sides communicate over GRPC), which can be run as any user.
Polkit is used to restrict access to some parts of the API.
There is a PAM module to build on-demand per-user policy once authenticated with SSSD. Users are rejected if the authentication fails or not all affected policies could be downloaded.
[Quality assurance]
Joining a domain in the ubiquity desktop installer makes the machine join the AD domain and installs the adsys functionality. The package will be seeded directly on the desktop ISO.
An extensive testsuite (more than 1k tests) is included and available as autopkgtests for rdepends. The whole stack is tested (even the client/daemon interaction) and coverage is measured (including in the small python script). However, tests with a real Active Directory server can only be done manually as there is no such setup available in the autopkgtests infrastructure.
[Dependencies]
Main dependencies are libsmbclient, python3 (an embedded script allows, via samba, connecting to AD LDAP) and SSSD/KRB5.
This is a Go package, and all dependencies are vendored, and versions are controlled via go.mod. We are using dependabot (from GitHub) to automatically get notified of any dependency updates (and security issues), which opens a PR, rebuilds and runs all tests and reports the result there. We are thus able to quickly merge them.
[Standards compliance]
Standard debhelper packaging, including a systemd service.
[Maintenance]
The desktop team will maintain it.
* we commit to test no-change-rebuilds triggered by a dependent library/compiler and to fix any issues found for the lifetime of the release (including ESM when included)
* we will provide timely testing of no-change-rebuilds from the security team, fixing the rebuilt package as necessary
* we commit to provide updates to the security team for any affected vendored code for the lifetime of the release (including ESM when included)
* we will provide timely, high quality updates for the security team to sponsor to fix issues in the affected vendored code
[Background information]
ADSys is composed of:
- a daemon, named adsysd, running as root. It will shut down after a period of inactivity without any active request. It is socket activated.
- a client, named adsysctl (which is a symlink to adsysd and only differs in behavior based on its executable name), which runs as the user (or as root on boot for the machine update). It optionally wakes up adsysd and connects through a Unix socket with SO_PEERCRED to communicate the current user running the process. We are using grpc to communicate between the client and service.
Each client request is validated through polkit, matching user name and permissions. The daemon will reject any unauthorized client connections. Note that all actions are always performed by executing the client, even the ones scheduled by cron.
The daemon contains a python embedded script that uses samba utilities to connect with GSSAPI to the AD LDAP server and list available GPOs. GPOs are then downloaded in a cache directory which isn’t accessible to users.
The daemon also contains all GPOs policies to install on the Active Directory side to reflect them in the UI. This could be accessed online or dumped directly via the command line tool. Finally, those are automatically refreshed for any supported LTSes and intermediate versions. The availability of features can be different cross-release and is supported in the daemon.
Many utilities for debugging, following daemon or per transaction logs, streamed via our GRPC protocol are available.
We have different sync point with the system:
- at boot, the system will refresh the machine GPOs and build rules enforcements
- on login via the PAM module, which will:
a. download the machine GPOs if we couldn't before (due to no network available on boot/issues with NTP sync) and build rules enforcements
b. download the user-specific GPOs and build rules enforcements
- refresh every 30 minutes (same timing as the Windows client) the machine and all connected AD users' GPOs, and rebuild rules enforcements if needed.
An offline mode (similar to SSSD) is available, so that you can carry your machine away from the network. The last successfully applied rules will still be enforced. Connection will be denied if you had not connected once before.
Documentation is available online (https:/
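The description above says the client connects over a Unix socket with SO_PEERCRED so the daemon learns which user is really calling, and then checks that identity with polkit. The following is an added, Linux-only example (not adsys code) that shows the kernel side of that: a root-style server accepts one connection, reads the peer's pid/uid/gid from the socket rather than from anything the client sends, and feeds the uid into a hypothetical `authorize` rule that stands in for the polkit query (the rule itself, the action names and `Demo` are assumptions made for the example).

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// PeerCreds is the identity the kernel reports for the process on the other
// end of a Unix-domain socket. The client cannot forge these values, unlike
// a user name it might put into a request message.
type PeerCreds struct {
	Pid int32
	Uid uint32
	Gid uint32
}

// peerCredentials queries SO_PEERCRED on an accepted connection (Linux only).
func peerCredentials(conn *net.UnixConn) (PeerCreds, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return PeerCreds{}, err
	}
	var ucred *syscall.Ucred
	var sockErr error
	if err := raw.Control(func(fd uintptr) {
		ucred, sockErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return PeerCreds{}, err
	}
	if sockErr != nil {
		return PeerCreds{}, sockErr
	}
	return PeerCreds{Pid: ucred.Pid, Uid: ucred.Uid, Gid: ucred.Gid}, nil
}

// authorize is an assumed stand-in for the polkit check: root may do anything,
// an ordinary user may only ask for its own per-user policy refresh. The real
// daemon delegates this decision to polkit; the rule here is illustrative.
func authorize(creds PeerCreds, action string, targetUid uint32) bool {
	if creds.Uid == 0 {
		return true
	}
	return action == "update-user" && creds.Uid == targetUid
}

// serveOnce listens on sockPath, accepts a single client and reports the
// kernel-supplied credentials of that client.
func serveOnce(sockPath string, ready chan<- struct{}, out chan<- PeerCreds, errs chan<- error) {
	ln, err := net.ListenUnix("unix", &net.UnixAddr{Name: sockPath, Net: "unix"})
	if err != nil {
		errs <- err
		return
	}
	defer ln.Close()
	close(ready)
	conn, err := ln.AcceptUnix()
	if err != nil {
		errs <- err
		return
	}
	defer conn.Close()
	creds, err := peerCredentials(conn)
	if err != nil {
		errs <- err
		return
	}
	out <- creds
}

// Demo runs server and client in one process over a socket in a temp dir and
// returns what the server saw for the client; the client sends no identity.
func Demo() (PeerCreds, error) {
	dir, err := os.MkdirTemp("", "peercred")
	if err != nil {
		return PeerCreds{}, err
	}
	defer os.RemoveAll(dir)
	sockPath := filepath.Join(dir, "adsysd.sock") // assumed name

	ready := make(chan struct{})
	out := make(chan PeerCreds, 1)
	errs := make(chan error, 1)
	go serveOnce(sockPath, ready, out, errs)
	select {
	case <-ready:
	case err := <-errs:
		return PeerCreds{}, err
	}
	conn, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: sockPath, Net: "unix"})
	if err != nil {
		return PeerCreds{}, err
	}
	defer conn.Close()
	select {
	case creds := <-out:
		return creds, nil
	case err := <-errs:
		return PeerCreds{}, err
	}
}

func main() {
	creds, err := Demo()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("peer pid=%d uid=%d gid=%d\n", creds.Pid, creds.Uid, creds.Gid)
	fmt.Println("caller may refresh own policy:", authorize(creds, "update-user", creds.Uid))
	fmt.Println("caller may refresh another user:", authorize(creds, "update-user", creds.Uid+1))
}
```

The point to carry over: the uid that drives the authorization decision is taken from the connection, so a client that lies about who it is gains nothing; polkit then decides what that uid may do.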
Changed in adsys (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Changed in adsys (Ubuntu):
assignee: Matthias Klose (doko) → Lukas Märdian (slyon)
Changed in adsys (Ubuntu):
assignee: Lukas Märdian (slyon) → Ubuntu Security Team (ubuntu-security)
description: | updated |
description: | updated |
[Summary]
Overall this is looking fine, but we need to make sure to fix a few things around it. As this is a go binary with many vendorized dependencies, you also need to explicitly state your commitment to support the security team with security and dependency updates. Please do so in this bug report. Furthermore, you might add a team subscription to this package's bugs (though that can be done by an AA later on).
I'd also like you to take a look at some recommendations like fixing autopkgtests, fixing some lintian warnings and trying to avoid the "sudo" call in debian/tests/control. Those can be fixed after promotion to main as well.
This does need a security review, so I'll assign ubuntu-security (root daemon, vendorized code)
List of specific binary packages to be promoted to main: adsys
So this will be a MIR team ACK, once the required TODOs are fulfilled.
Notes:
This is a go package with many (>50) vendorized dependencies, but the owning team is using "dependabot" (from GitHub) to keep track of dependency/security updates.
Required TODOs:
- This is a static go binary, therefore the owning team must state the following commitment explicitly:
* the owning team must state their commitment to test no-change-rebuilds triggered by a dependent library/compiler and to fix any issues found for the lifetime of the release (including ESM when included)
* the owning team must provide timely testing of no-change-rebuilds from the security team, fixing the rebuilt package as necessary
* the owning team must state their commitment to provide updates to the security team for any affected vendored code for the lifetime of the release (including ESM when included)
* the owning team will provide timely, high quality updates for the security team to sponsor to fix issues in the affected vendored code
Recommended TODOs:
- Please add a team subscription (~desktop-packages?)
- Make autopkgtests pass (it's not a regression as the autopkgtests never passed before)
- Fix relevant lintian warnings (missing-notice-file-for-apache-license, hardening-no-pie)
- check if you could be using the "needs-root" restriction instead of "sudo" in debian/tests/control
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- Build-dependency: debhelper-compat is pure virtual, dh-apport is only a build-dependency and therefore OK to be in universe
- no -dev/-debug/-doc packages that need exclusion
Problems:
- NONE
[Embedded sources and static linking]
OK:
- Special case: this is a Go package, using dh-golang
Problems:
- embedded source present (53 vendorized go dependencies)
- static linking (Built-Using)
[Security]
OK:
- history of CVEs does not look concerning, 0 CVEs so far, according to https://ubuntu.com/security/cve?q=&package=adsys&priority=&version=&status=
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port (but can be socket activated)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
Problems:
- does run a daemon as root (can be socket activated)
- does deal with system authenticatio...