2014-01-31 04:27:05 +04:00
# Reads important GPO parameters and updates Samba
# Copyright (C) Luke Morrison <luc785@.hotmail.com> 2013
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
2020-08-28 17:38:41 +03:00
import os , shutil
2018-01-08 17:17:29 +03:00
import errno
2017-05-25 16:27:27 +03:00
import tdb
2021-07-20 18:13:06 +03:00
import pwd
2014-01-31 04:27:05 +04:00
sys . path . insert ( 0 , " bin/python " )
from samba import NTSTATUSError
2020-08-21 00:51:47 +03:00
from configparser import ConfigParser
2020-07-04 04:53:34 +03:00
from io import StringIO
2021-07-19 20:36:09 +03:00
import traceback
2020-09-11 23:29:46 +03:00
from samba . common import get_bytes
2017-02-25 00:19:48 +03:00
from abc import ABCMeta , abstractmethod
2017-06-08 20:47:57 +03:00
import xml . etree . ElementTree as etree
2017-11-21 13:44:12 +03:00
import re
2018-03-29 17:32:02 +03:00
from samba . net import Net
from samba . dcerpc import nbt
2018-12-14 00:37:11 +03:00
from samba . samba3 import libsmb_samba_internal as libsmb
from samba . samba3 import param as s3param
2018-03-29 17:32:02 +03:00
import samba . gpo as gpo
2018-06-13 23:45:09 +03:00
from samba . param import LoadParm
from uuid import UUID
2018-01-08 17:17:29 +03:00
from tempfile import NamedTemporaryFile
2018-08-09 18:47:38 +03:00
from samba . dcerpc import preg
from samba . dcerpc import misc
from samba . ndr import ndr_pack , ndr_unpack
2020-06-03 15:02:37 +03:00
from samba . credentials import SMB_SIGNING_REQUIRED
2017-06-08 20:47:57 +03:00
2017-06-13 01:00:38 +03:00
try :
from enum import Enum
GPOSTATE = Enum ( ' GPOSTATE ' , ' APPLY ENFORCE UNAPPLY ' )
except ImportError :
class GPOSTATE :
APPLY = 1
ENFORCE = 2
UNAPPLY = 3
2018-07-30 09:20:39 +03:00
2017-06-08 20:47:57 +03:00
class gp_log :
''' Log settings overwritten by gpo apply
2017-11-20 00:28:33 +03:00
The gp_log is an xml file that stores a history of gpo changes ( and the
original setting value ) .
2017-06-08 20:47:57 +03:00
The log is organized like so :
< gp >
< user name = " KDC-1$ " >
< applylog >
< guid count = " 0 " value = " { 31B2F340-016D-11D2-945F-00C04FB984F9} " / >
< / applylog >
< guid value = " { 31B2F340-016D-11D2-945F-00C04FB984F9} " >
< gp_ext name = " System Access " >
< attribute name = " minPwdAge " > - 864000000000 < / attribute >
< attribute name = " maxPwdAge " > - 36288000000000 < / attribute >
< attribute name = " minPwdLength " > 7 < / attribute >
< attribute name = " pwdProperties " > 1 < / attribute >
< / gp_ext >
< gp_ext name = " Kerberos Policy " >
< attribute name = " ticket_lifetime " > 1 d < / attribute >
< attribute name = " renew_lifetime " / >
< attribute name = " clockskew " > 300 < / attribute >
< / gp_ext >
< / guid >
< / user >
< / gp >
2017-11-20 00:28:33 +03:00
Each guid value contains a list of extensions , which contain a list of
attributes . The guid value represents a GPO . The attributes are the values
of those settings prior to the application of the GPO .
The list of guids is enclosed within a user name , which represents the user
the settings were applied to . This user may be the samaccountname of the
local computer , which implies that these are machine policies .
The applylog keeps track of the order in which the GPOs were applied , so
that they can be rolled back in reverse , returning the machine to the state
prior to policy application .
2017-06-08 20:47:57 +03:00
'''
def __init__ ( self , user , gpostore , db_log = None ) :
''' Initialize the gp_log
2017-11-20 00:28:33 +03:00
param user - the username ( or machine name ) that policies are
being applied to
param gpostore - the GPOStorage obj which references the tdb which
contains gp_logs
2017-06-08 20:47:57 +03:00
param db_log - ( optional ) a string to initialize the gp_log
'''
2017-06-13 01:00:38 +03:00
self . _state = GPOSTATE . APPLY
2017-06-08 20:47:57 +03:00
self . gpostore = gpostore
self . username = user
if db_log :
self . gpdb = etree . fromstring ( db_log )
else :
self . gpdb = etree . Element ( ' gp ' )
2017-11-20 16:41:19 +03:00
self . user = user
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % user )
if user_obj is None :
user_obj = etree . SubElement ( self . gpdb , ' user ' )
user_obj . attrib [ ' name ' ] = user
2017-06-08 20:47:57 +03:00
2017-06-13 01:00:38 +03:00
def state ( self , value ) :
''' Policy application state
param value - APPLY , ENFORCE , or UNAPPLY
2017-11-20 00:28:33 +03:00
The behavior of the gp_log depends on whether we are applying policy ,
enforcing policy , or unapplying policy . During an apply , old settings
are recorded in the log . During an enforce , settings are being applied
but the gp_log does not change . During an unapply , additions to the log
should be ignored ( since function calls to apply settings are actually
2017-06-13 01:00:38 +03:00
reverting policy ) , but removals from the log are allowed .
'''
# If we're enforcing, but we've unapplied, apply instead
if value == GPOSTATE . ENFORCE :
2017-11-20 16:41:19 +03:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
apply_log = user_obj . find ( ' applylog ' )
2017-06-13 01:00:38 +03:00
if apply_log is None or len ( apply_log ) == 0 :
self . _state = GPOSTATE . APPLY
else :
self . _state = value
else :
self . _state = value
2017-06-08 20:47:57 +03:00
def set_guid ( self , guid ) :
''' Log to a different GPO guid
2017-11-20 00:28:33 +03:00
param guid - guid value of the GPO from which we ' re applying
policy
2017-06-08 20:47:57 +03:00
'''
2017-11-20 16:41:19 +03:00
self . guid = guid
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
obj = user_obj . find ( ' guid[@value= " %s " ] ' % guid )
if obj is None :
obj = etree . SubElement ( user_obj , ' guid ' )
obj . attrib [ ' value ' ] = guid
2017-06-13 01:00:38 +03:00
if self . _state == GPOSTATE . APPLY :
2017-11-20 16:41:19 +03:00
apply_log = user_obj . find ( ' applylog ' )
2017-06-13 01:00:38 +03:00
if apply_log is None :
2017-11-20 16:41:19 +03:00
apply_log = etree . SubElement ( user_obj , ' applylog ' )
2018-05-15 17:37:08 +03:00
prev = apply_log . find ( ' guid[@value= " %s " ] ' % guid )
if prev is None :
item = etree . SubElement ( apply_log , ' guid ' )
2018-07-30 09:18:25 +03:00
item . attrib [ ' count ' ] = ' %d ' % ( len ( apply_log ) - 1 )
2018-05-15 17:37:08 +03:00
item . attrib [ ' value ' ] = guid
2017-06-08 20:47:57 +03:00
def store ( self , gp_ext_name , attribute , old_val ) :
''' Store an attribute in the gp_log
param gp_ext_name - Name of the extension applying policy
param attribute - The attribute being modified
2017-11-20 00:28:33 +03:00
param old_val - The value of the attribute prior to policy
application
2017-06-08 20:47:57 +03:00
'''
2017-06-13 01:00:38 +03:00
if self . _state == GPOSTATE . UNAPPLY or self . _state == GPOSTATE . ENFORCE :
return None
2017-11-20 16:41:19 +03:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
guid_obj = user_obj . find ( ' guid[@value= " %s " ] ' % self . guid )
assert guid_obj is not None , " gpo guid was not set "
ext = guid_obj . find ( ' gp_ext[@name= " %s " ] ' % gp_ext_name )
2017-06-08 20:47:57 +03:00
if ext is None :
2017-11-20 16:41:19 +03:00
ext = etree . SubElement ( guid_obj , ' gp_ext ' )
2017-06-08 20:47:57 +03:00
ext . attrib [ ' name ' ] = gp_ext_name
attr = ext . find ( ' attribute[@name= " %s " ] ' % attribute )
if attr is None :
attr = etree . SubElement ( ext , ' attribute ' )
attr . attrib [ ' name ' ] = attribute
2017-12-01 21:18:55 +03:00
attr . text = old_val
2017-06-08 20:47:57 +03:00
def retrieve ( self , gp_ext_name , attribute ) :
''' Retrieve a stored attribute from the gp_log
param gp_ext_name - Name of the extension which applied policy
param attribute - The attribute being retrieved
2017-11-20 00:28:33 +03:00
return - The value of the attribute prior to policy
application
2017-06-08 20:47:57 +03:00
'''
2017-11-20 16:41:19 +03:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
guid_obj = user_obj . find ( ' guid[@value= " %s " ] ' % self . guid )
assert guid_obj is not None , " gpo guid was not set "
ext = guid_obj . find ( ' gp_ext[@name= " %s " ] ' % gp_ext_name )
2017-06-08 20:47:57 +03:00
if ext is not None :
attr = ext . find ( ' attribute[@name= " %s " ] ' % attribute )
if attr is not None :
return attr . text
return None
2018-05-18 00:56:15 +03:00
def get_applied_guids ( self ) :
''' Return a list of applied ext guids
return - List of guids for gpos that have applied settings
to the system .
'''
guids = [ ]
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
if user_obj is not None :
apply_log = user_obj . find ( ' applylog ' )
2018-08-29 07:39:51 +03:00
if apply_log is not None :
guid_objs = apply_log . findall ( ' guid[@count] ' )
guids_by_count = [ ( g . get ( ' count ' ) , g . get ( ' value ' ) )
for g in guid_objs ]
guids_by_count . sort ( reverse = True )
guids . extend ( guid for count , guid in guids_by_count )
2018-05-18 00:56:15 +03:00
return guids
def get_applied_settings ( self , guids ) :
''' Return a list of applied ext guids
return - List of tuples containing the guid of a gpo , then
a dictionary of policies and their values prior
policy application . These are sorted so that the
most recently applied settings are removed first .
'''
ret = [ ]
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
for guid in guids :
guid_settings = user_obj . find ( ' guid[@value= " %s " ] ' % guid )
exts = guid_settings . findall ( ' gp_ext ' )
settings = { }
for ext in exts :
attr_dict = { }
attrs = ext . findall ( ' attribute ' )
for attr in attrs :
attr_dict [ attr . attrib [ ' name ' ] ] = attr . text
settings [ ext . attrib [ ' name ' ] ] = attr_dict
ret . append ( ( guid , settings ) )
return ret
2017-06-08 20:47:57 +03:00
def delete ( self , gp_ext_name , attribute ) :
''' Remove an attribute from the gp_log
2017-11-20 00:28:33 +03:00
param gp_ext_name - name of extension from which to remove the
attribute
2017-06-08 20:47:57 +03:00
param attribute - attribute to remove
'''
2017-11-20 16:41:19 +03:00
user_obj = self . gpdb . find ( ' user[@name= " %s " ] ' % self . user )
guid_obj = user_obj . find ( ' guid[@value= " %s " ] ' % self . guid )
assert guid_obj is not None , " gpo guid was not set "
ext = guid_obj . find ( ' gp_ext[@name= " %s " ] ' % gp_ext_name )
2017-06-08 20:47:57 +03:00
if ext is not None :
attr = ext . find ( ' attribute[@name= " %s " ] ' % attribute )
if attr is not None :
ext . remove ( attr )
if len ( ext ) == 0 :
2017-11-20 16:41:19 +03:00
guid_obj . remove ( ext )
2017-06-08 20:47:57 +03:00
def commit ( self ) :
''' Write gp_log changes to disk '''
self . gpostore . store ( self . username , etree . tostring ( self . gpdb , ' utf-8 ' ) )
2018-07-30 09:20:39 +03:00
2017-06-08 20:47:57 +03:00
class GPOStorage :
def __init__ ( self , log_file ) :
if os . path . isfile ( log_file ) :
self . log = tdb . open ( log_file )
2017-05-25 16:27:27 +03:00
else :
2018-08-29 04:30:59 +03:00
self . log = tdb . Tdb ( log_file , 0 , tdb . DEFAULT , os . O_CREAT | os . O_RDWR )
2017-05-25 16:27:27 +03:00
2017-06-08 20:47:57 +03:00
def start ( self ) :
self . log . transaction_start ( )
def get_int ( self , key ) :
2017-05-25 16:27:27 +03:00
try :
2018-11-06 22:55:22 +03:00
return int ( self . log . get ( get_bytes ( key ) ) )
2017-05-25 16:27:27 +03:00
except TypeError :
2017-06-08 20:47:57 +03:00
return None
def get ( self , key ) :
2018-11-06 22:55:22 +03:00
return self . log . get ( get_bytes ( key ) )
2017-06-08 20:47:57 +03:00
def get_gplog ( self , user ) :
2018-11-06 22:55:22 +03:00
return gp_log ( user , self , self . log . get ( get_bytes ( user ) ) )
2017-06-08 20:47:57 +03:00
def store ( self , key , val ) :
2018-11-06 22:55:22 +03:00
self . log . store ( get_bytes ( key ) , get_bytes ( val ) )
2017-06-08 20:47:57 +03:00
def cancel ( self ) :
self . log . transaction_cancel ( )
2017-05-25 16:27:27 +03:00
2017-06-08 20:47:57 +03:00
def delete ( self , key ) :
2018-11-06 22:55:22 +03:00
self . log . delete ( get_bytes ( key ) )
2017-05-25 16:27:27 +03:00
def commit ( self ) :
2017-06-08 20:47:57 +03:00
self . log . transaction_commit ( )
2017-05-25 16:27:27 +03:00
def __del__ ( self ) :
2017-06-08 20:47:57 +03:00
self . log . close ( )
2017-05-25 16:27:27 +03:00
2018-07-30 09:20:39 +03:00
2014-01-31 04:27:05 +04:00
class gp_ext ( object ) :
2017-02-25 00:19:48 +03:00
__metaclass__ = ABCMeta
2021-07-20 18:13:06 +03:00
def __init__ ( self , logger , lp , creds , username , store ) :
2018-03-29 18:07:53 +03:00
self . logger = logger
2018-05-16 19:58:29 +03:00
self . lp = lp
self . creds = creds
2021-07-20 18:13:06 +03:00
self . username = username
self . gp_db = store . get_gplog ( username )
2018-03-29 18:07:53 +03:00
2018-05-09 22:16:38 +03:00
@abstractmethod
def process_group_policy ( self , deleted_gpo_list , changed_gpo_list ) :
pass
2017-02-25 00:19:48 +03:00
@abstractmethod
2018-03-29 17:05:21 +03:00
def read ( self , policy ) :
2017-02-25 00:19:48 +03:00
pass
2014-01-31 04:27:05 +04:00
2018-05-16 19:58:29 +03:00
def parse ( self , afile ) :
2018-05-16 19:37:09 +03:00
local_path = self . lp . cache_path ( ' gpo_cache ' )
data_file = os . path . join ( local_path , check_safe_path ( afile ) . upper ( ) )
if os . path . exists ( data_file ) :
2018-08-09 18:47:38 +03:00
return self . read ( data_file )
2018-05-16 19:37:09 +03:00
return None
2018-03-29 17:05:21 +03:00
2017-06-08 20:47:57 +03:00
@abstractmethod
def __str__ ( self ) :
pass
2014-01-31 04:27:05 +04:00
2020-07-06 17:25:23 +03:00
@abstractmethod
def rsop ( self , gpo ) :
return { }
2018-07-30 09:20:39 +03:00
2018-03-29 17:25:05 +03:00
class gp_inf_ext ( gp_ext ) :
2018-08-09 18:47:38 +03:00
def read ( self , data_file ) :
2020-07-06 17:13:57 +03:00
policy = open ( data_file , ' rb ' ) . read ( )
2020-08-21 00:51:47 +03:00
inf_conf = ConfigParser ( interpolation = None )
2018-07-30 09:18:03 +03:00
inf_conf . optionxform = str
2018-03-29 17:25:05 +03:00
try :
2020-07-06 17:13:57 +03:00
inf_conf . readfp ( StringIO ( policy . decode ( ) ) )
except UnicodeDecodeError :
2018-03-29 17:25:05 +03:00
inf_conf . readfp ( StringIO ( policy . decode ( ' utf-16 ' ) ) )
2018-05-18 01:23:51 +03:00
return inf_conf
2018-03-29 17:25:05 +03:00
2018-07-30 09:21:29 +03:00
2018-08-09 18:47:38 +03:00
class gp_pol_ext ( gp_ext ) :
def read ( self , data_file ) :
raw = open ( data_file , ' rb ' ) . read ( )
return ndr_unpack ( preg . file , raw )
2020-11-03 20:44:27 +03:00
class gp_xml_ext ( gp_ext ) :
def read ( self , data_file ) :
raw = open ( data_file , ' rb ' ) . read ( )
try :
return etree . fromstring ( raw . decode ( ) )
except UnicodeDecodeError :
return etree . fromstring ( raw . decode ( ' utf-16 ' ) )
2018-03-29 17:32:02 +03:00
''' Fetch the hostname of a writable DC '''
2018-07-30 09:20:39 +03:00
2018-03-29 17:32:02 +03:00
def get_dc_hostname ( creds , lp ) :
net = Net ( creds = creds , lp = lp )
cldap_ret = net . finddc ( domain = lp . get ( ' realm ' ) , flags = ( nbt . NBT_SERVER_LDAP |
2018-07-30 09:16:12 +03:00
nbt . NBT_SERVER_DS ) )
2018-03-29 17:32:02 +03:00
return cldap_ret . pdc_dns_name
2018-07-30 09:21:29 +03:00
2018-03-29 17:32:02 +03:00
''' Fetch a list of GUIDs for applicable GPOs '''
2018-07-30 09:20:39 +03:00
2021-07-20 18:13:06 +03:00
def get_gpo_list ( dc_hostname , creds , lp , username ) :
2018-03-29 17:32:02 +03:00
gpos = [ ]
ads = gpo . ADS_STRUCT ( dc_hostname , lp , creds )
if ads . connect ( ) :
2021-07-20 18:13:06 +03:00
# username is DOM\\SAM, but get_gpo_list expects SAM
gpos = ads . get_gpo_list ( username . split ( ' \\ ' ) [ - 1 ] )
2018-03-29 17:32:02 +03:00
return gpos
2018-01-08 17:17:29 +03:00
def cache_gpo_dir ( conn , cache , sub_dir ) :
loc_sub_dir = sub_dir . upper ( )
local_dir = os . path . join ( cache , loc_sub_dir )
try :
os . makedirs ( local_dir , mode = 0o755 )
except OSError as e :
if e . errno != errno . EEXIST :
raise
for fdata in conn . list ( sub_dir ) :
2018-12-14 00:37:11 +03:00
if fdata [ ' attrib ' ] & libsmb . FILE_ATTRIBUTE_DIRECTORY :
2018-01-08 17:17:29 +03:00
cache_gpo_dir ( conn , cache , os . path . join ( sub_dir , fdata [ ' name ' ] ) )
else :
local_name = fdata [ ' name ' ] . upper ( )
f = NamedTemporaryFile ( delete = False , dir = local_dir )
fname = os . path . join ( sub_dir , fdata [ ' name ' ] ) . replace ( ' / ' , ' \\ ' )
f . write ( conn . loadfile ( fname ) )
f . close ( )
os . rename ( f . name , os . path . join ( local_dir , local_name ) )
def check_safe_path ( path ) :
dirs = re . split ( ' /| \\ \\ ' , path )
2021-03-09 21:13:40 +03:00
if ' sysvol ' in path . lower ( ) :
ldirs = re . split ( ' /| \\ \\ ' , path . lower ( ) )
dirs = dirs [ ldirs . index ( ' sysvol ' ) + 1 : ]
2018-07-30 09:22:34 +03:00
if ' .. ' not in dirs :
2018-01-08 17:17:29 +03:00
return os . path . join ( * dirs )
raise OSError ( path )
2018-07-30 09:20:39 +03:00
2018-01-08 17:17:29 +03:00
def check_refresh_gpo_list ( dc_hostname , lp , creds , gpos ) :
2018-12-14 00:37:11 +03:00
# the SMB bindings rely on having a s3 loadparm
s3_lp = s3param . get_context ( )
s3_lp . load ( lp . configfile )
2020-06-03 15:02:37 +03:00
# Force signing for the connection
saved_signing_state = creds . get_smb_signing ( )
creds . set_smb_signing ( SMB_SIGNING_REQUIRED )
2020-05-28 19:11:31 +03:00
conn = libsmb . Conn ( dc_hostname , ' sysvol ' , lp = s3_lp , creds = creds )
2020-06-03 15:02:37 +03:00
# Reset signing state
creds . set_smb_signing ( saved_signing_state )
2018-01-08 17:17:29 +03:00
cache_path = lp . cache_path ( ' gpo_cache ' )
for gpo in gpos :
if not gpo . file_sys_path :
continue
cache_gpo_dir ( conn , cache_path , check_safe_path ( gpo . file_sys_path ) )
2018-07-30 09:20:39 +03:00
2018-05-15 23:00:07 +03:00
def get_deleted_gpos_list ( gp_db , gpos ) :
applied_gpos = gp_db . get_applied_guids ( )
current_guids = set ( [ p . name for p in gpos ] )
deleted_gpos = [ guid for guid in applied_gpos if guid not in current_guids ]
return gp_db . get_applied_settings ( deleted_gpos )
2018-01-08 17:17:29 +03:00
def gpo_version ( lp , path ) :
# gpo.gpo_get_sysvol_gpt_version() reads the GPT.INI from a local file,
# read from the gpo client cache.
gpt_path = lp . cache_path ( os . path . join ( ' gpo_cache ' , path ) )
return int ( gpo . gpo_get_sysvol_gpt_version ( gpt_path ) [ 1 ] )
2018-07-30 09:20:39 +03:00
2021-07-20 18:13:06 +03:00
def apply_gp ( lp , creds , logger , store , gp_extensions , username , target , force = False ) :
gp_db = store . get_gplog ( username )
2018-03-29 17:32:02 +03:00
dc_hostname = get_dc_hostname ( creds , lp )
2021-07-20 18:13:06 +03:00
gpos = get_gpo_list ( dc_hostname , creds , lp , username )
2018-05-15 23:00:07 +03:00
del_gpos = get_deleted_gpos_list ( gp_db , gpos )
2018-01-08 17:17:29 +03:00
try :
check_refresh_gpo_list ( dc_hostname , lp , creds , gpos )
except :
2018-07-30 09:22:01 +03:00
logger . error ( ' Failed downloading gpt cache from \' %s \' using SMB '
2018-07-30 09:16:12 +03:00
% dc_hostname )
2018-01-08 17:17:29 +03:00
return
2018-03-29 17:32:02 +03:00
2018-05-16 18:54:38 +03:00
if force :
changed_gpos = gpos
gp_db . state ( GPOSTATE . ENFORCE )
else :
changed_gpos = [ ]
for gpo_obj in gpos :
if not gpo_obj . file_sys_path :
continue
guid = gpo_obj . name
path = check_safe_path ( gpo_obj . file_sys_path ) . upper ( )
version = gpo_version ( lp , path )
if version != store . get_int ( guid ) :
logger . info ( ' GPO %s has changed ' % guid )
changed_gpos . append ( gpo_obj )
gp_db . state ( GPOSTATE . APPLY )
2018-05-09 22:16:38 +03:00
store . start ( )
for ext in gp_extensions :
try :
2021-07-20 18:13:06 +03:00
ext = ext ( logger , lp , creds , username , store )
if target == ' Computer ' :
ext . process_group_policy ( del_gpos , changed_gpos )
else :
drop_privileges ( creds . get_principal ( ) , ext . process_group_policy ,
del_gpos , changed_gpos )
2018-05-09 22:16:38 +03:00
except Exception as e :
logger . error ( ' Failed to apply extension %s ' % str ( ext ) )
2021-07-19 20:36:09 +03:00
logger . error ( ' Message was: %s : %s ' % ( type ( e ) . __name__ , str ( e ) ) )
logger . debug ( traceback . format_exc ( ) )
2018-05-09 22:16:38 +03:00
continue
for gpo_obj in gpos :
if not gpo_obj . file_sys_path :
continue
guid = gpo_obj . name
path = check_safe_path ( gpo_obj . file_sys_path ) . upper ( )
version = gpo_version ( lp , path )
2018-03-29 17:32:02 +03:00
store . store ( guid , ' %i ' % version )
2018-05-09 22:16:38 +03:00
store . commit ( )
2018-03-29 17:32:02 +03:00
2018-07-30 09:20:39 +03:00
2021-07-20 18:13:06 +03:00
def unapply_gp ( lp , creds , logger , store , gp_extensions , username , target ) :
gp_db = store . get_gplog ( username )
2018-03-29 17:32:02 +03:00
gp_db . state ( GPOSTATE . UNAPPLY )
2018-05-18 01:48:47 +03:00
# Treat all applied gpos as deleted
del_gpos = gp_db . get_applied_settings ( gp_db . get_applied_guids ( ) )
store . start ( )
for ext in gp_extensions :
try :
2021-07-20 18:13:06 +03:00
ext = ext ( logger , lp , creds , username , store )
if target == ' Computer ' :
ext . process_group_policy ( del_gpos , [ ] )
else :
drop_privileges ( username , ext . process_group_policy ,
del_gpos , [ ] )
2018-05-18 01:48:47 +03:00
except Exception as e :
logger . error ( ' Failed to unapply extension %s ' % str ( ext ) )
logger . error ( ' Message was: ' + str ( e ) )
continue
store . commit ( )
2018-03-29 17:32:02 +03:00
2018-07-30 09:20:39 +03:00
2020-07-06 17:25:23 +03:00
def __rsop_vals ( vals , level = 4 ) :
if type ( vals ) == dict :
ret = [ ' ' * level + ' [ %s ] = %s ' % ( k , __rsop_vals ( v , level + 2 ) )
for k , v in vals . items ( ) ]
2021-06-28 18:06:09 +03:00
return ' \n ' + ' \n ' . join ( ret )
2020-07-06 17:25:23 +03:00
elif type ( vals ) == list :
ret = [ ' ' * level + ' [ %s ] ' % __rsop_vals ( v , level + 2 ) for v in vals ]
2021-06-28 18:06:09 +03:00
return ' \n ' + ' \n ' . join ( ret )
2020-07-06 17:25:23 +03:00
else :
return vals
2021-07-20 18:13:06 +03:00
def rsop ( lp , creds , logger , store , gp_extensions , username , target ) :
2020-07-06 17:25:23 +03:00
dc_hostname = get_dc_hostname ( creds , lp )
2021-07-20 18:13:06 +03:00
gpos = get_gpo_list ( dc_hostname , creds , lp , username )
2020-07-06 17:25:23 +03:00
check_refresh_gpo_list ( dc_hostname , lp , creds , gpos )
print ( ' Resultant Set of Policy ' )
print ( ' %s Policy \n ' % target )
2020-08-28 17:38:41 +03:00
term_width = shutil . get_terminal_size ( fallback = ( 120 , 50 ) ) [ 0 ]
2020-07-06 17:25:23 +03:00
for gpo in gpos :
2021-02-26 19:43:30 +03:00
if gpo . display_name . strip ( ) == ' Local Policy ' :
continue # We never apply local policy
2020-07-06 17:25:23 +03:00
print ( ' GPO: %s ' % gpo . display_name )
print ( ' = ' * term_width )
for ext in gp_extensions :
2021-07-20 18:13:06 +03:00
ext = ext ( logger , lp , creds , username , store )
2021-02-26 19:43:30 +03:00
cse_name_m = re . findall ( " ' ([ \ w \ .]+) ' " , str ( type ( ext ) ) )
if len ( cse_name_m ) > 0 :
cse_name = cse_name_m [ - 1 ] . split ( ' . ' ) [ - 1 ]
else :
cse_name = ext . __module__ . split ( ' . ' ) [ - 1 ]
print ( ' CSE: %s ' % cse_name )
2020-07-06 17:25:23 +03:00
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
for section , settings in ext . rsop ( gpo ) . items ( ) :
print ( ' Policy Type: %s ' % section )
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
2021-06-28 18:06:09 +03:00
print ( __rsop_vals ( settings ) . lstrip ( ' \n ' ) )
2020-07-06 17:25:23 +03:00
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
print ( ' ' + ( ' - ' * int ( term_width / 2 ) ) )
print ( ' %s \n ' % ( ' = ' * term_width ) )
2018-06-13 23:45:09 +03:00
def parse_gpext_conf ( smb_conf ) :
lp = LoadParm ( )
if smb_conf is not None :
lp . load ( smb_conf )
else :
lp . load_default ( )
ext_conf = lp . state_path ( ' gpext.conf ' )
2020-08-21 00:51:47 +03:00
parser = ConfigParser ( interpolation = None )
2018-06-13 23:45:09 +03:00
parser . read ( ext_conf )
return lp , parser
2018-07-30 09:20:39 +03:00
2018-06-13 23:45:09 +03:00
def atomic_write_conf ( lp , parser ) :
ext_conf = lp . state_path ( ' gpext.conf ' )
2018-11-06 22:55:22 +03:00
with NamedTemporaryFile ( mode = " w+ " , delete = False , dir = os . path . dirname ( ext_conf ) ) as f :
2018-06-13 23:45:09 +03:00
parser . write ( f )
os . rename ( f . name , ext_conf )
2018-07-30 09:20:39 +03:00
2018-06-13 23:45:09 +03:00
def check_guid ( guid ) :
# Check for valid guid with curly braces
if guid [ 0 ] != ' { ' or guid [ - 1 ] != ' } ' or len ( guid ) != 38 :
return False
try :
UUID ( guid , version = 4 )
except ValueError :
return False
return True
2018-07-30 09:20:39 +03:00
2018-06-13 23:45:09 +03:00
def register_gp_extension ( guid , name , path ,
smb_conf = None , machine = True , user = True ) :
# Check that the module exists
if not os . path . exists ( path ) :
return False
if not check_guid ( guid ) :
return False
lp , parser = parse_gpext_conf ( smb_conf )
2018-07-30 09:22:34 +03:00
if guid not in parser . sections ( ) :
2018-06-13 23:45:09 +03:00
parser . add_section ( guid )
parser . set ( guid , ' DllName ' , path )
parser . set ( guid , ' ProcessGroupPolicy ' , name )
2018-11-06 22:55:22 +03:00
parser . set ( guid , ' NoMachinePolicy ' , " 0 " if machine else " 1 " )
parser . set ( guid , ' NoUserPolicy ' , " 0 " if user else " 1 " )
2018-06-13 23:45:09 +03:00
atomic_write_conf ( lp , parser )
return True
2018-06-13 23:46:05 +03:00
2018-07-30 09:20:39 +03:00
2018-06-13 23:46:30 +03:00
def list_gp_extensions ( smb_conf = None ) :
_ , parser = parse_gpext_conf ( smb_conf )
results = { }
for guid in parser . sections ( ) :
results [ guid ] = { }
results [ guid ] [ ' DllName ' ] = parser . get ( guid , ' DllName ' )
results [ guid ] [ ' ProcessGroupPolicy ' ] = \
parser . get ( guid , ' ProcessGroupPolicy ' )
results [ guid ] [ ' MachinePolicy ' ] = \
not int ( parser . get ( guid , ' NoMachinePolicy ' ) )
results [ guid ] [ ' UserPolicy ' ] = not int ( parser . get ( guid , ' NoUserPolicy ' ) )
return results
2018-07-30 09:20:39 +03:00
2018-06-13 23:46:05 +03:00
def unregister_gp_extension ( guid , smb_conf = None ) :
if not check_guid ( guid ) :
return False
lp , parser = parse_gpext_conf ( smb_conf )
if guid in parser . sections ( ) :
parser . remove_section ( guid )
atomic_write_conf ( lp , parser )
return True
2021-07-20 18:13:06 +03:00
def set_privileges ( username , uid , gid ) :
'''
Set current process privileges
'''
os . setegid ( gid )
os . seteuid ( uid )
def drop_privileges ( username , func , * args ) :
'''
Run supplied function with privileges for specified username .
'''
current_uid = os . getuid ( )
if not current_uid == 0 :
raise Exception ( ' Not enough permissions to drop privileges ' )
user_uid = pwd . getpwnam ( username ) . pw_uid
user_gid = pwd . getpwnam ( username ) . pw_gid
# Drop privileges
set_privileges ( username , user_uid , user_gid )
# We need to catch exception in order to be able to restore
# privileges later in this function
out = None
exc = None
try :
out = func ( * args )
except Exception as e :
exc = e
# Restore privileges
set_privileges ( ' root ' , current_uid , 0 )
if exc :
raise exc
return out