This bug was fixed in the package adsys - 0.9.2~20.04
---------------
adsys (0.9.2~20.04) focal; urgency=medium
* Backport to focal
- Build with Go 1.16
- Move debhelper compat to 12
- Do not recommends ubuntu-advantage-desktop-daemon as it’s not available
on focal yet.
adsys (0.9.2) kinetic; urgency=medium
* Update generators to fix FTBFS
- shell out to mkdir instead of go's os.Mkdir which can bypass fakeroot's
filesystem hijacking and cause unexpected behavior
* Update dependencies to latest:
- github.com/golangci/golangci-lint
- google.golang.org/protobuf
adsys (0.9.1) kinetic; urgency=medium
[ Didier Roche ]
[ Gabriel Nagy ]
* Fix loading policy content from uppercase folders (LP: #1982330)
* Add GSettings power management keys (LP: #1982349)
* Allow parsing policy entries with empty values (LP: #1982342)
* Allow parsing policies with unsupported types (LP: #1982343)
* Allow parsing policy entries with no data (LP: #1982345)
* Lowercase target name when normalizing (LP: #1982347)
* Annotate policies that require Ubuntu Pro (LP: #1982348)
* Update dependencies to latest:
- github.com/spf13/cobra
- github.com/spf13/viper
- github.com/stretchr/testify
- github.com/charmbracelet/bubbletea
- github.com/charmbracelet/bubbles
- google.golang.org/grpc
- github.com/golangci/golangci-lint
- github.com/sirupsen/logrus
adsys (0.9.0) kinetic; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
[ Gabriel Nagy ]
* Add Active Directory Watch Daemon - adwatchd: (LP: #1982351)
- Implement a Windows daemon that watches a list of configured directories
for changes and bumps the relevant GPT.INI files.
- Add adsys-windows binary package which includes the Windows daemon
executable and the admx/adml policies.
* Config detection now includes current executable directory
* Fixes in generator build race
* Update dependencies to latest:
- github.com/spf13/cobra
- github.com/stretchr/testify
* CI updates:
- switch to Go setup v3
- bump to really build with Golang 1.18
adsys (0.8.6) kinetic; urgency=medium
* Fix new build failures on 32 bits due to libsmbclient-dev no longer sets
the large file support cflags in libsmbclient.h.
Update to latest libsmbclient-go.
* Update dependencies to latest:
- google.golang.org/grpc
- gopkg.in/ini.v1
- github.com/golangci/golangci-lint
- github.com/spf13/viper
- github.com/stretchr/testify
adsys (0.8.5) kinetic; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* Rename chapters to be in correct ascii order when viewed online.
Thanks to Anton Drastrup-Fjordbak.
* Include 22.04 in admx/adml for lts only releases. (LP: #1973745)
* Bump embedeed dependencies minor versions for both bug fixes and minor
security enhancements.
* Fix dconf keys not being readable by user after applying policy.
(LP: #1973748)
* Ensure we can execute machine and user scripts:
/run is now noexec on Ubuntu. Ensure that we can execute the scripts in
/run/adsys subdirectories. The scripts mechanism has been reviewed by the
security team, so we can reset them as executable. (LP: #1973751)
* Move integration tests under cmd/adsysd and admxgen binary to cmd/admxgen
to prepare future adwatchd daemon under cmd/ which will be SRUed with an
exception in next update. This is a no-op in the finale deploy binaries,
apart from admxgen which is now using Cobra. This binary though is not
shipped in any package and only used in CI.
* Fix privilege permission which can not be set to disabled. (LP: #1973752)
* Adaptation or new tests for all above changes.
* Add fuzz tests and include new potential crash fixes on invalid files
generated by Windows AD.
* CI fixes and changes (not impacting finale package):
- Move CI to Go 1.18 (package is already building with 1.18 in jammy).
- Fixes due to new github.
- Fix to generate all LTS releases in admx/adml (see above).
adsys (0.8.4) jammy; urgency=medium
* Sync refresh timer with Windows
* Some lint fixes due to Go 1.18
* Fix image reference in documentation
adsys (0.8.3) jammy; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* Use ua attached instead of a specific ua feature to gate optional
features.
* Added and updated documentation for privilege escalation and scripts
support.
* New linter version trigger fix.
* Dependencies update for latest bug fixes:
- github.com/golangci/golangci-lint
- github.com/spf13/cobra-1.4.0
- github.com/stretchr/testify-1.7.1
- google.golang.org/protobuf-1.28.0
- google.golang.org/grpc-1.45.0
adsys (0.8.2) jammy; urgency=medium
* Fix flaky "pick up config changes" tests on armhf and arm64
adsys (0.8.1) jammy; urgency=medium
* Change chown logic on script directory and parents to avoid potential
vulnerability. (LP: #1961458)
* Separate readiness from session running to avoid unrefreshed user script
directories after a logout without any new logins.
* pam_adsys: Fix memory leak and identation. (LP: #1961459)
* Adapt to newer samba, while keeping backward compatilibity for CI.
Thanks Michael. (LP: #1962170)
* Try to stabilize configuration detection change test by calling sync() to
sync FHS to disk, and then, hoping we get the inotify update. Seems to fix
flakyness on armhf. (LP: #1962510)
* Enforce closing stderr on ppcel64 in tests with new samba to avoid hangs
in race.
* Fix linting issues discovered by new golangci-lint.
* Misc syntax polish.
* Dependencies update:
- github.com/godbus/dbus/v5
- github.com/golangci/golangci-lint
- gopkg.in/ini.v1
-- Gabriel Nagy <[email protected]> Thu, 04 Aug 2022 12:25:29
+0300
** Changed in: adsys (Ubuntu Focal)
Status: Fix Committed => Fix Released
** Changed in: adsys (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/1982347
Title:
Username is case sensitive when applying policies on login
Status in adsys package in Ubuntu:
Fix Released
Status in adsys source package in Focal:
Fix Released
Status in adsys source package in Jammy:
Fix Released
Bug description:
[Impact]
When logging in (either via login or ssh) to an AD account using
different case combinations, adsysd uses the specified account name
instead of the lowercase one reported by getent/whoami to apply the
GPOs. I believe this comes from the pam_get_item call here:
https://github.com/ubuntu/adsys/blob/e3316e5e37970a07f09fa6df553ddac096c91255/pam/pam_adsys.c#L266
This works but has the unintended side effect of producing multiple
dconf profile files for each variant of the username, and caching
policies as well:
root@ubuntu2204:~# ls /etc/dconf/profile/ | grep -i administrator
[email protected]
[email protected]
[email protected]
root@ubuntu2204:~# ls /var/cache/adsys/policies/ | grep -i administrator
[email protected]
[email protected]
[email protected]
Of course this all stems from the username retrieved by PAM so there
might be more unintended side-effects, the dconf one being the easiest
to observe.
To ensure an unified experience, when a target name is normalized from
e.g. DOMAIN\User to User@DOMAIN, it will also be lowercased.
[Test Plan]
Reproduction:
* With adsys set up, log in on the Ubuntu client using an AD account,
alternating cases
* Observe multiple files created at /var/cache/adsys/policies
With the fix applied, remove *all* cached policies at
/var/cache/adsys/policies and attempt to login with different case
combinations of the AD account, e.g.:
[email protected]
[email protected]
[email protected]
[email protected]
As root, check the contents of /var/cache/adsys/policies - you should
only see a lowercase entry: [email protected]
[Where problems could occur]
Target name normalization is exercised by the code that dumps policies
applied for a given user, and by the code that updates or creates a
policy for a given user. If this happens to cause a bug, it will
render the core part of adsys unusable.
We believe this is highly unlikely given that in some cases, adsys
already used the lowercase variant of the username to apply and
display policies.
[Other Info]
This issue was initially reported on GitHub at
https://github.com/ubuntu/adsys/issues/378
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/1982347/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
