From cc0c784d3ab914593356b4b1a0ca924c9dc4b9fa Mon Sep 17 00:00:00 2001 From: David Mulder Date: Wed, 16 Nov 2022 10:46:11 -0700 Subject: [PATCH] gp: Make samba-tool gpo manage sudoers list backward compatible Ensure `samba-tool gpo manage sudoers list` is backward compatible with the GPME sudo rules. Signed-off-by: David Mulder Reviewed-by: Jeremy Allison --- python/samba/netcmd/gpo.py | 60 ++++++++++++++++++++++++++------------ selftest/knownfail.d/gpo | 1 - 2 files changed, 42 insertions(+), 19 deletions(-) delete mode 100644 selftest/knownfail.d/gpo diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index eefce9d8d0e..95de55b02d7 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -1847,6 +1847,42 @@ samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9} 'SudoersConfiguration\\manifest.xml']) try: xml_data = ET.fromstring(conn.loadfile(vgp_xml)) + except NTSTATUSError as e: + # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, + # STATUS_OBJECT_PATH_NOT_FOUND + if e.args[0] in [0xC0000033, 0xC0000034, 0xC000003A]: + # The file doesn't exist, so there is nothing to list + xml_data = None + elif e.args[0] == 0xC0000022: # STATUS_ACCESS_DENIED + raise CommandError("The authenticated user does " + "not have sufficient privileges") + else: + raise + + if xml_data is not None: + policy = xml_data.find('policysetting') + data = policy.find('data') + for entry in data.findall('sudoers_entry'): + command = entry.find('command').text + user = entry.find('user').text + listelements = entry.findall('listelement') + principals = [] + for listelement in listelements: + principals.extend(listelement.findall('principal')) + if len(principals) > 0: + uname = ','.join([u.text if u.attrib['type'] == 'user' \ + else '%s%%' % u.text for u in principals]) + else: + uname = 'ALL' + nopassword = entry.find('password') is None + np_entry = ' NOPASSWD:' if nopassword else '' + p = '%s ALL=(%s)%s %s' % (uname, user, np_entry, command) + self.outf.write('%s\n' % p) + + pol_file = '\\'.join([realm.lower(), 'Policies', gpo, + 'MACHINE\\Registry.pol']) + try: + pol_data = ndr_unpack(preg.file, conn.loadfile(pol_file)) except NTSTATUSError as e: # STATUS_OBJECT_NAME_INVALID, STATUS_OBJECT_NAME_NOT_FOUND, # STATUS_OBJECT_PATH_NOT_FOUND @@ -1857,24 +1893,12 @@ samba-tool gpo manage sudoers list {31B2F340-016D-11D2-945F-00C04FB984F9} "not have sufficient privileges") raise - policy = xml_data.find('policysetting') - data = policy.find('data') - for entry in data.findall('sudoers_entry'): - command = entry.find('command').text - user = entry.find('user').text - listelements = entry.findall('listelement') - principals = [] - for listelement in listelements: - principals.extend(listelement.findall('principal')) - if len(principals) > 0: - uname = ','.join([u.text if u.attrib['type'] == 'user' \ - else '%s%%' % u.text for u in principals]) - else: - uname = 'ALL' - nopassword = entry.find('password') is None - np_entry = ' NOPASSWD:' if nopassword else '' - p = '%s ALL=(%s)%s %s' % (uname, user, np_entry, command) - self.outf.write('%s\n' % p) + # Also list the policies set from the GPME + keyname = b'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights' + for entry in pol_data.entries: + if get_bytes(entry.keyname) == keyname and \ + get_string(entry.data).strip(): + self.outf.write('%s\n' % entry.data) class cmd_remove_sudoers(Command): """Removes a Samba Sudoers Group Policy from the sysvol diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo deleted file mode 100644 index 1c578f3bc2c..00000000000 --- a/selftest/knownfail.d/gpo +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_sudoers_list