diff --git a/oddjob-gpupdate.spec b/oddjob-gpupdate.spec
index 88e35ad..6def348 100644
--- a/oddjob-gpupdate.spec
+++ b/oddjob-gpupdate.spec
@@ -1,37 +1,49 @@
-%define _unpackaged_files_terminate_build 1
-
-Name: oddjob-gpupdate
-Version: 0.2.0
-Release: alt1
-Summary: An oddjob helper which applies group policy objects
-
-Group: System/Servers
-License: %bsdstyle
-Url: https://github.com/altlinux/oddjob-gpupdate.git
-
-Source: %name-%version.tar
-Patch: %name-%version-alt.patch
-
-Requires: oddjob
-
-BuildRequires(pre): rpm-build-licenses
-
-BuildRequires: xmlto
-BuildRequires: libdbus-devel
-BuildRequires: libxml2-devel
-BuildRequires: libpam0-devel
-BuildRequires: libselinux-devel
+#
+# spec file for package oddjob-gpupdate
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: oddjob-gpupdate
+Version: 0.2.0
+Release: 0
+Summary: An oddjob helper which applies group policy objects
+License: BSD-3-Clause
+URL: https://github.com/openSUSE/oddjob-gpupdate.git
+Source: %{name}-%{version}.tar.bz2
+Group: System/Servers
+Requires: oddjob
+
+BuildRequires: autoconf
+BuildRequires: dbus-1-devel
+BuildRequires: libselinux-devel
+BuildRequires: libtool
+BuildRequires: libxml2-devel
+BuildRequires: oddjob
+BuildRequires: pam-devel
+BuildRequires: xmlto

 %description
 This package contains the oddjob helper which can be used by the
-pam_oddjob_gpupdate module to applies group policy objects at login-time.
+pam_oddjob_gpupdate module to apply group policy objects at login-time.

 %prep
 %setup
-%patch -p1

 %build
-%autoreconf
+autoreconf -if
 %configure \
 --disable-static \
 --enable-pie \
@@ -41,23 +53,21 @@ pam_oddjob_gpupdate module to applies group policy objects at login-time.
 %make_build

 %install
-%makeinstall_std
-
-mkdir -p %buildroot/%_lib/security
-mv %buildroot%_libdir/security/pam_oddjob_gpupdate.so \
-%buildroot/%_lib/security/
-rm %buildroot%_libdir/security/pam_oddjob_gpupdate.la
+%makeinstall

 %post
-%post_service oddjobd
-
-%preun
-%preun_service oddjobd
+if test $1 -eq 1 ; then
+ killall -HUP dbus-daemon 2>&1 > /dev/null
+fi
+if [ -f /var/lock/subsys/oddjobd ] ; then
+ /bin/dbus-send --system --dest=com.redhat.oddjob /com/redhat/oddjob com.redhat.oddjob.reload
+fi

 %files
 %doc COPYING src/gpupdatefor src/gpupdateforme
 %_libexecdir/oddjob/gpupdate
-/%_lib/security/pam_oddjob_gpupdate.so
+%_pam_moduledir/pam_oddjob_gpupdate.so
+%exclude %_pam_moduledir/pam_oddjob_gpupdate.la
 %_mandir/*/pam_oddjob_gpupdate.*
 %_mandir/*/oddjob-gpupdate.*
 %_mandir/*/oddjobd-gpupdate.*
@@ -65,4 +75,3 @@ rm %buildroot%_libdir/security/pam_oddjob_gpupdate.la
 %config(noreplace) %_sysconfdir/oddjobd.conf.d/oddjobd-gpupdate.conf

 %changelog
-
diff --git a/src/gpupdate.c b/src/gpupdate.c
index a2a7436..296c9ce 100644
--- a/src/gpupdate.c
+++ b/src/gpupdate.c
@@ -56,6 +56,12 @@ static struct passwd *pwd;

 #define FLAG_QUIET (1 << 1)

+enum Target
+{
+ Computer,
+ User
+};
+
 /*
 * get_gpo_dir
 *
@@ -66,10 +72,10 @@ static struct passwd *pwd;
 static const char *
 get_gpo_exe(void)
 {
- return gpo_exe ? gpo_exe : "/usr/sbin/gpoa";
+ return gpo_exe ? gpo_exe : "/usr/sbin/samba-gpupdate";
 }

-static int apply_gpo(const char *user)
+static int apply_gpo(enum Target target, const char *user)
 {
 int status;
 pid_t pid = fork();
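Review bot: In the new `%post` scriptlet of oddjob-gpupdate.spec, `killall -HUP dbus-daemon 2>&1 > /dev/null` applies its redirections in the wrong order, so stderr still reaches the installer output and only stdout is discarded; it should read `killall -HUP dbus-daemon > /dev/null 2>&1`. The same command signals every process named dbus-daemon on the host, per-user session buses included, although presumably only the system bus has to re-read its configuration. The oddjobd reload is gated on `/var/lock/subsys/oddjobd`, which is probably absent when oddjobd runs under systemd, so the new helper may stay unregistered until the next restart; confirm this on the target distribution. The hunk also drops `%preun` without a replacement.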
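Review bot: The default helper path `"/usr/sbin/samba-gpupdate"` is spelled out in `get_gpo_exe()` here and again in `main()` (hunk `@@ -154,7 +173,7 @@`), and this commit had to edit both copies; one `#define DEFAULT_GPO_EXE "/usr/sbin/samba-gpupdate"` used in both places would keep them from drifting apart. The comment block above the function still names it `get_gpo_dir`. `apply_gpo()` has no header comment; a short one stating that `user` is passed to the helper only when `target` is `User`, and what its non-zero return values mean, would help the next reader. The body of `apply_gpo()` continues outside this hunk.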
@@ -78,7 +84,11 @@ static int apply_gpo(const char *user)
 case -1:
 return 1;
 case 0:
- execl(exe, exe, user, NULL);
+ if (target == Computer) {
+ execl(exe, exe, "--target=Computer", NULL);
+ } else if (target == User) {
+ execl(exe, exe, "--target=User", "-U", user, NULL);
+ }
 return 3;
 default:
 if (waitpid(pid, &status, 0) < 0)
@@ -94,6 +104,7 @@ gpupdate(const char *user, int flags)
 int ret;
 struct stat st;
 const char *log_user = user;
+ enum Target target;

 /* Now make sure that the user or computer
 a) no user (computer)
@@ -103,6 +114,12 @@ gpupdate(const char *user, int flags)
 2) not an empty string
 3) not already there */
 if (user != NULL) {
+ // prevent any attempts to smuggle in command line switches
+ if (user[0] == '-') {
+ syslog(LOG_ERR, "rejecting suspicious username %s", user);
+ return HANDLER_INVALID_INVOCATION;
+ }
+
 pwd = getpwnam(user);
 if (pwd == NULL) {
 syslog(LOG_ERR, "could not look up location of home directory "
@@ -116,8 +133,10 @@ gpupdate(const char *user, int flags)
 pwd->pw_dir);
 }
 }
+ target = User;
 } else {
- log_user = "computer";
+ target = Computer;
+ user = NULL;
 }
 /* Figure out which executable we're using as a applier. */
 exe = get_gpo_exe();
@@ -137,7 +156,7 @@ gpupdate(const char *user, int flags)
 return HANDLER_INVALID_INVOCATION;
 }
 }
- ret = apply_gpo(user);
+ ret = apply_gpo(target, user);
 if (ret != 0) {
 syslog(LOG_ERR, "error applying GPO for %s (error code %d)",
 log_user, ret);
@@ -154,7 +173,7 @@ main(int argc, char **argv)
 int oddjob_argc, ret, flags = 0;

 openlog(PACKAGE "-gpupdate", LOG_PID, LOG_DAEMON);
- gpo_exe = "/usr/sbin/gpoa";
+ gpo_exe = "/usr/sbin/samba-gpupdate";

 while ((ret = getopt(argc, argv, "qp:")) != -1) {
 switch (ret) {
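Review bot: In the `case 0:` branch of `apply_gpo()`, a failed `execl()` (or a `target` that matches neither test) falls through to `return 3;` inside the forked child, so the child returns into `gpupdate()` and continues along the parent's code path instead of terminating. Ending the child explicitly is safer and leaves a trace of the failure: `syslog(LOG_ERR, "cannot execute %s: %m", exe); _exit(3);`. The `return 3;` line predates this commit, but the new branches add one more way to reach it. The `default:` branch continues outside the hunk, so how the parent maps the child's exit status is not visible here.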
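Review bot: The new guard in `gpupdate()` tests only `user[0] == '-'`, a one-character denylist for a caller-supplied value that later becomes the argument of the helper's `-U` option. If the helper's option parser gives meaning to other characters inside that value, for example separators such as `%` or `\`, those still pass this check; the `getpwnam()` lookup that follows may filter them, but its failure path lies outside the hunk. An allowlist of the characters an account name may contain, applied at the same place, would be the tighter control. The rejected name is also written to syslog as received, so control characters in it reach the log; logging a sanitised copy avoids that.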
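Review bot: With `log_user = "computer";` removed from the `else` branch, `log_user` keeps its initial value `user`, which is NULL on the computer path, and the `syslog(LOG_ERR, "error applying GPO for %s (error code %d)", log_user, ret);` call shown in hunk `@@ -137,7 +156,7 @@` then passes NULL for `%s`. That is undefined behaviour in C and at best logs `(null)`, so the failure message no longer says which target failed. Keep the assignment next to the new one: `target = Computer;` followed by `log_user = "computer";`. The added `user = NULL;` is redundant, because this branch is reached only when `user` is already NULL.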