Fixed a bug due to which gsettings could not cache the specified URI

- Fix regression with kestroy for user credential cache
- Update system-policy-gpupdate PAM-rules to ignore applying group policies
  for local users and system users with uid less than 500
- Add control facilities to rule system-policy-gpupdate rules:
  + gpupdate-group-users
  + gpupdate-localusers
  + gpupdate-system-uids

dist/gpupdate-group-users

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+. /etc/control.d/functions
+
+CONFIG=/etc/pam.d/system-policy-gpupdate
+
+new_subst disabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=1.*\][[:space:]]+pam_succeed_if.so user ingroup users.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so user ingroup users.*\)$,\1default=1\2,'
+new_subst enabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=ignore.*\][[:space:]]+pam_succeed_if.so user ingroup users.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so user ingroup users.*\)$,\1default=ignore\2,'
+
+new_help disabled "Disable group policy applying for users in 'users' group only"
+new_help enabled "Enable group policy applying for users in 'users' group only"
+
+new_summary "Group policy applying for users in 'users' group only"
+
+control_subst "$CONFIG" "$*"

dist/gpupdate-localusers

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+. /etc/control.d/functions
+
+CONFIG=/etc/pam.d/system-policy-gpupdate
+
+new_subst disabled \
+        '^[[:space:]]*session[[:space:]]+\[.*success=2.*\][[:space:]]+pam_localuser.so' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)success=[[:alnum:]]\+\(.*pam_localuser.so.*\)$,\1success=2\2,'
+new_subst enabled \
+        '^[[:space:]]*session[[:space:]]+\[.*success=1.*\][[:space:]]+pam_localuser.so' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)success=[[:alnum:]]\+\(.*pam_localuser.so.*\)$,\1success=1\2,'
+
+new_help disabled 'Disable group policy applying for local users'
+new_help enabled 'Enable group policy applying for local users'
+
+new_summary 'Group policy applying for local users'
+
+control_subst "$CONFIG" "$*"

dist/gpupdate-system-uids

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+. /etc/control.d/functions
+
+CONFIG=/etc/pam.d/system-policy-gpupdate
+
+new_subst disabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=1.*\][[:space:]]+pam_succeed_if.so uid >= 500.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so uid >= 500.*\)$,\1default=1\2,'
+new_subst enabled \
+        '^[[:space:]]*session[[:space:]]+\[.*default=ignore.*\][[:space:]]+pam_succeed_if.so uid >= 500.*' \
+        's,^\([[:space:]]*session[[:space:]]\+\[.*\)default=[[:alnum:]]\+\(.*pam_succeed_if.so uid >= 500.*\)$,\1default=ignore\2,'
+
+new_help disabled "Disable group policy applying for users with not system uids only"
+new_help enabled "Enable group policy applying for users with not system uids only"
+
+new_summary "Group policy applying for users with not system uids (greater or equal 500) only"
+
+control_subst "$CONFIG" "$*"

dist/system-policy-gpupdate

@@ -1,4 +1,12 @@
 #%PAM-1.0
+session		[success=2 perm_denied=ignore default=die]	pam_localuser.so
 session		required	pam_mkhomedir.so silent
+session		[default=1]	pam_permit.so
+session		[default=6]	pam_permit.so
+session		[success=1 default=ignore]	pam_succeed_if.so user ingroup users quiet
+session		[default=4]	pam_permit.so
+session		[success=1 default=ignore]	pam_succeed_if.so uid >= 500 quiet
+session		[default=2]	pam_permit.so
 -session	required	pam_oddjob_gpupdate.so
 session		optional	pam_env.so user_readenv=1 conffile=/etc/gpupdate/environment user_envfile=.gpupdate_environment
+session		required	pam_permit.so

gpoa/frontend/appliers/gsettings.py

@@ -96,7 +96,7 @@ class system_gsettings:
 def glib_map(value, glib_type):
     result_value = value
 
-    if glib_type == 'i' or glib_type == 'b':
+    if glib_type == 'i' or glib_type == 'b' or glib_type == 'q':
         result_value = GLib.Variant(glib_type, int(value))
     else:
         result_value = GLib.Variant(glib_type, value)

gpoa/frontend/gsettings_applier.py

@@ -20,6 +20,7 @@ import logging
 import os
 import pwd
 import subprocess
+import urllib.parse
 
 from gi.repository import (
       Gio
@@ -62,6 +63,7 @@ class gsettings_applier(applier_frontend):
     __registry_branch = 'Software\\BaseALT\\Policies\\GSettings\\'
     __registry_locks_branch = 'Software\\BaseALT\\Policies\\GSettingsLocks\\'
     __wallpaper_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.mate.background.picture-filename'
+    __vino_authentication_methods_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.gnome.Vino.authentication-methods'
     __global_schema = '/usr/share/glib-2.0/schemas'
     __override_priority_file = 'zzz_policy.gschema.override'
     __override_old_file = '0_policy.gschema.override'
@@ -117,11 +119,16 @@ class gsettings_applier(applier_frontend):
             rp = valuename.rpartition('.')
             schema = rp[0]
             path = rp[2]
+            data = setting.data
             lock = bool(self.locks[valuename]) if valuename in self.locks else None
             if setting.hive_key.lower() == self.__wallpaper_entry.lower():
-                self.update_file_cache(setting.data)
-                helper = self.uri_fetch_helper
-            self.gsettings.append(schema, path, setting.data, lock, helper)
+                check = urllib.parse.urlparse(setting.data)
+                if check.scheme:
+                    self.update_file_cache(setting.data)
+                    helper = self.uri_fetch_helper
+            elif setting.hive_key.lower() == self.__vino_authentication_methods_entry.lower():
+                data = [setting.data]
+            self.gsettings.append(schema, path, data, lock, helper)
 
         # Create GSettings policy with highest available priority
         self.gsettings.apply()
@@ -182,6 +189,7 @@ class gsettings_applier_user(applier_frontend):
     __module_enabled = True
     __registry_branch = 'Software\\BaseALT\\Policies\\GSettings\\'
     __wallpaper_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.mate.background.picture-filename'
+    __vino_authentication_methods_entry = 'Software\\BaseALT\\Policies\\GSettings\\org.gnome.Vino.authentication-methods'
 
     def __init__(self, storage, file_cache, sid, username):
         self.storage = storage
@@ -264,8 +272,11 @@ class gsettings_applier_user(applier_frontend):
             rp = valuename.rpartition('.')
             schema = rp[0]
             path = rp[2]
+            data = setting.data
             helper = self.uri_fetch_helper if setting.hive_key.lower() == self.__wallpaper_entry.lower() else None
-            self.gsettings.append(user_gsetting(schema, path, setting.data, helper))
+            if setting.hive_key.lower() == self.__vino_authentication_methods_entry.lower():
+                data = [setting.data]
+            self.gsettings.append(user_gsetting(schema, path, data, helper))
 
         # Create GSettings policy with highest available priority
         for gsetting in self.gsettings:

gpoa/gpupdate-setup

@@ -31,17 +31,14 @@ from util.util import (
     , get_policy_variants
 )
 from util.config import GPConfig
+from util.paths import get_custom_policy_dir
 
 
 class Runner:
     __control_path = '/usr/sbin/control'
     __systemctl_path = '/bin/systemctl'
-    __etc_policy_dir = '/etc/local-policy'
-    __usr_policy_dir = '/usr/share/local-policy'
 
     def __init__(self):
-        self.etc_policies = get_policy_entries(self.__etc_policy_dir)
-        self.usr_policies = get_policy_entries(self.__usr_policy_dir)
         self.arguments = parse_arguments()
 
 def parse_arguments():
@@ -192,13 +189,13 @@ def disable_gp():
         runcmd(cmd_set_local_policy)
     runcmd(cmd_disable_gpupdate_service)
     runcmd(cmd_disable_gpupdate_user_service)
+    config.set_local_policy_template()
+    config.set_backend()
 
 def enable_gp(policy_name, backend_type):
     '''
     Consistently enable group policy services
     '''
-    policy_dir = '/usr/share/local-policy'
-    etc_policy_dir = '/etc/local-policy'
     cmd_set_gpupdate_policy = ['/usr/sbin/control', 'system-policy', 'gpupdate']
     cmd_gpoa_nodomain = ['/usr/sbin/gpoa', '--nodomain', '--loglevel', '5']
     cmd_enable_gpupdate_service = ['/bin/systemctl', 'enable', 'gpupdate.service']
@@ -206,18 +203,17 @@ def enable_gp(policy_name, backend_type):
 
     config = GPConfig()
 
+    custom_policy_dir = get_custom_policy_dir()
+    if not os.path.isdir(custom_policy_dir):
+        os.makedirs(custom_policy_dir)
+
     target_policy_name = get_default_policy_name()
     if policy_name:
         if validate_policy_name(policy_name):
             target_policy_name = policy_name
-
     print (target_policy_name)
-    default_policy_name = os.path.join(policy_dir, target_policy_name)
 
-    if not os.path.isdir(etc_policy_dir):
-        os.makedirs(etc_policy_dir)
-
-    config.set_local_policy_template(default_policy_name)
+    config.set_local_policy_template(target_policy_name)
     config.set_backend(backend_type)
 
     # Enable oddjobd_gpupdate in PAM config

gpoa/messages/__init__.py

@@ -133,6 +133,10 @@ def debug_code(code):
     debug_ids[60] = 'Running GPOA by root for user'
     debug_ids[61] = 'The GPOA process was started for computer'
     debug_ids[62] = 'Path not resolved as UNC URI'
+    debug_ids[63] = 'Delete HKLM branch key'
+    debug_ids[64] = 'Delete HKCU branch key'
+    debug_ids[65] = 'Delete HKLM branch key error'
+    debug_ids[66] = 'Delete HKCU branch key error'
 
     return debug_ids.get(code, 'Unknown debug code')
 

gpoa/storage/record_types.py

@@ -22,7 +22,9 @@ class samba_preg(object):
     '''
     def __init__(self, preg_obj, policy_name):
         self.policy_name = policy_name
-        self.hive_key = '{}\\{}'.format(preg_obj.keyname, preg_obj.valuename)
+        self.keyname = preg_obj.keyname
+        self.valuename = preg_obj.valuename
+        self.hive_key = '{}\\{}'.format(self.keyname, self.valuename)
         self.type = preg_obj.type
         self.data = preg_obj.data
 
@@ -41,7 +43,9 @@ class samba_hkcu_preg(object):
     def __init__(self, sid, preg_obj, policy_name):
         self.sid = sid
         self.policy_name = policy_name
-        self.hive_key = '{}\\{}'.format(preg_obj.keyname, preg_obj.valuename)
+        self.keyname = preg_obj.keyname
+        self.valuename = preg_obj.valuename
+        self.hive_key = '{}\\{}'.format(self.keyname, self.valuename)
         self.type = preg_obj.type
         self.data = preg_obj.data
 

gpoa/storage/sqlite_registry.py

@@ -68,6 +68,8 @@ class sqlite_registry(registry):
             , Column('id', Integer, primary_key=True)
             , Column('hive_key', String(65536, collation='NOCASE'),
                 unique=True)
+            , Column('keyname', String(collation='NOCASE'))
+            , Column('valuename', String(collation='NOCASE'))
             , Column('policy_name', String)
             , Column('type', Integer)
             , Column('data', String)
@@ -78,6 +80,8 @@ class sqlite_registry(registry):
             , Column('id', Integer, primary_key=True)
             , Column('sid', String)
             , Column('hive_key', String(65536, collation='NOCASE'))
+            , Column('keyname', String(collation='NOCASE'))
+            , Column('valuename', String(collation='NOCASE'))
             , Column('policy_name', String)
             , Column('type', Integer)
             , Column('data', String)
@@ -240,16 +244,52 @@ class sqlite_registry(registry):
         log('D19', logdata)
         self._info_upsert(ientry)
 
+    def _delete_hklm_keyname(self, keyname):
+        '''
+        Delete PReg hive_key from HKEY_LOCAL_MACHINE
+        '''
+        logdata = dict({'keyname': keyname})
+        try:
+            (self
+                .db_session
+                .query(samba_preg)
+                .filter(samba_preg.keyname == keyname)
+                .delete(synchronize_session=False))
+            self.db_session.commit()
+            log('D65', logdata)
+        except Exception as exc:
+            log('D63', logdata)
+
     def add_hklm_entry(self, preg_entry, policy_name):
         '''
         Write PReg entry to HKEY_LOCAL_MACHINE
         '''
         pentry = samba_preg(preg_entry, policy_name)
-        if not pentry.hive_key.rpartition('\\')[2].startswith('**'):
+        if not pentry.valuename.startswith('**'):
             self._hklm_upsert(pentry)
         else:
             logdata = dict({'key': pentry.hive_key})
-            log('D27', logdata)
+            if pentry.valuename.lower() == '**delvals.':
+                self._delete_hklm_keyname(pentry.keyname)
+            else:
+                log('D27', logdata)
+
+    def _delete_hkcu_keyname(self, keyname, sid):
+        '''
+        Delete PReg hive_key from HKEY_CURRENT_USER
+        '''
+        logdata = dict({'sid': sid, 'keyname': keyname})
+        try:
+            (self
+                .db_session
+                .query(samba_hkcu_preg)
+                .filter(samba_hkcu_preg.sid == sid)
+                .filter(samba_hkcu_preg.keyname == keyname)
+                .delete(synchronize_session=False))
+            self.db_session.commit()
+            log('D66', logdata)
+        except:
+            log('D64', logdata)
 
     def add_hkcu_entry(self, preg_entry, sid, policy_name):
         '''
@@ -257,11 +297,14 @@ class sqlite_registry(registry):
         '''
         hkcu_pentry = samba_hkcu_preg(sid, preg_entry, policy_name)
         logdata = dict({'sid': sid, 'policy': policy_name, 'key': hkcu_pentry.hive_key})
-        if not hkcu_pentry.hive_key.rpartition('\\')[2].startswith('**'):
+        if not hkcu_pentry.valuename.startswith('**'):
             log('D26', logdata)
             self._hkcu_upsert(hkcu_pentry)
         else:
-            log('D51', logdata)
+            if hkcu_pentry.valuename.lower() == '**delvals.':
+                self._delete_hkcu_keyname(hkcu_pentry.keyname, sid)
+            else:
+                log('D51', logdata)
 
     def add_shortcut(self, sid, sc_obj, policy_name):
         '''

gpoa/util/config.py

@@ -45,7 +45,7 @@ class GPConfig:
 
         return 'samba'
 
-    def set_backend(self, backend_name):
+    def set_backend(self, backend_name='local'):
         self.full_config['gpoa']['backend'] = backend_name
         self.write_config()
 
@@ -71,7 +71,7 @@ class GPConfig:
 
         return get_default_policy_name()
 
-    def set_local_policy_template(self, template_name):
+    def set_local_policy_template(self, template_name='default'):
         self.full_config['gpoa']['local-policy'] = template_name
         self.write_config()
 

gpoa/util/kerberos.py

@@ -59,8 +59,9 @@ def machine_kdestroy(cache_name=None):
     if cache_name:
         kdestroy_cmd.extend(['-c', cache_name])
 
-    proc = subprocess.Popen(kdestroy_cmd, stderr=subprocess.DEVNULL)
-    proc.wait()
+    if cache_name or 'KRB5CCNAME' in os.environ:
+        proc = subprocess.Popen(kdestroy_cmd, stderr=subprocess.DEVNULL)
+        proc.wait()
 
     if cache_name and os.path.exists(cache_name):
         os.unlink(cache_name)

gpoa/util/paths.py

@@ -26,23 +26,31 @@ from .config import GPConfig
 from .exceptions import NotUNCPathError
 
 
-def local_policy_path():
+def get_custom_policy_dir():
     '''
-    Returns path pointing to Default Policy directory.
+    Returns path pointing to Custom Policy directory.
+    '''
+    return '/etc/local-policy'
+
+def local_policy_path(default_template_name="default"):
+    '''
+    Returns path pointing to Local Policy template directory.
     '''
     local_policy_dir = '/usr/share/local-policy'
-    local_policy_default = '{}/default'.format(local_policy_dir)
 
     config = GPConfig()
-    local_policy_system = '{}/{}'.format(local_policy_dir, config.get_local_policy_template())
+    local_policy_template = config.get_local_policy_template()
+    local_policy_template_path = os.path.join(local_policy_dir, local_policy_template)
+    local_policy_default = os.path.join(local_policy_dir, default_template_name)
 
     result_path = pathlib.Path(local_policy_default)
-    if os.path.exists(local_policy_system):
-        result_path = pathlib.Path(local_policy_system)
+    if os.path.exists(local_policy_template):
+        result_path = pathlib.Path(local_policy_template)
+    elif os.path.exists(local_policy_template_path):
+        result_path = pathlib.Path(local_policy_template_path)
 
     return pathlib.Path(result_path)
 
-
 def cache_dir():
     '''
     Returns path pointing to gpupdate's cache directory

gpupdate.spec

@@ -1,8 +1,8 @@
 %define _unpackaged_files_terminate_build 1
 
 Name: gpupdate
-Version: 0.9.4
-Release: alt1
+Version: 0.9.8
+Release: alt0.dev1
 
 Summary: GPT applier
 License: GPLv3+
@@ -74,6 +74,14 @@ install -Dm0644 dist/%name.ini %buildroot%_sysconfdir/%name/%name.ini
 install -Dm0644 doc/gpoa.1 %buildroot/%_man1dir/gpoa.1
 install -Dm0644 doc/gpupdate.1 %buildroot/%_man1dir/gpupdate.1
 
+for i in gpupdate-localusers \
+	 gpupdate-group-users \
+	 gpupdate-system-uids
+do
+	install -pD -m755 "dist/$i" \
+		"%buildroot%_sysconfdir/control.d/facilities/$i"
+done
+
 %preun
 %preun_service gpupdate
 
@@ -83,7 +91,7 @@ install -Dm0644 doc/gpupdate.1 %buildroot/%_man1dir/gpupdate.1
 # Remove storage in case we've lost compatibility between versions.
 # The storage will be regenerated on GPOA start.
 %define active_policy %_sysconfdir/local-policy/active
-%triggerpostun -- %name < 0.8.0
+%triggerpostun -- %name < 0.9.6
 rm -f %_cachedir/%name/registry.sqlite
 if test -L %active_policy; then
 	sed -i "s|^\s*local-policy\s*=.*|local-policy = $(readlink -f %active_policy)|" \
@@ -104,6 +112,7 @@ fi
 %_man1dir/gpupdate.1.*
 /usr/lib/systemd/user/%name-user.service
 %dir %_sysconfdir/%name
+%_sysconfdir/control.d/facilities/*
 %config(noreplace) %_sysconfdir/%name/environment
 %config(noreplace) %_sysconfdir/%name/%name.ini
 %config(noreplace) %_sysconfdir/pam.d/system-policy-%name
@@ -116,6 +125,22 @@ fi
 %exclude %python3_sitelibdir/gpoa/test
 
 %changelog
+* Wed Sep 29 2021 Evgeny Sinelnikov <sin@altlinux.org> 0.9.7-alt1
+- Fix regression with kestroy for user credential cache
+- Update system-policy-gpupdate PAM-rules to ignore applying group policies
+  for local users and system users with uid less than 500
+- Add control facilities to rule system-policy-gpupdate rules:
+  + gpupdate-group-users
+  + gpupdate-localusers
+  + gpupdate-system-uids
+
+* Mon Sep 20 2021 Evgeny Sinelnikov <sin@altlinux.org> 0.9.6-alt1
+- Add support changed GPO List Processing for '**DelVals.' value name
+
+* Tue Sep 14 2021 Evgeny Sinelnikov <sin@altlinux.org> 0.9.5-alt1
+- Refix local policy path detection
+- gpupdate-setup: revert settings to default when disabled
+
 * Tue Sep 14 2021 Evgeny Sinelnikov <sin@altlinux.org> 0.9.4-alt1
 - Add improvement with new local-policy system-policy control
 - Fix gpupdate-setup and user service installation regressions