Use samba-gpupdate to apply policy

oddjob-gpupdate.spec

@@ -1,37 +1,49 @@
-%define _unpackaged_files_terminate_build 1
-
-Name: oddjob-gpupdate
-Version: 0.2.0
-Release: alt1
-Summary: An oddjob helper which applies group policy objects
-
-Group: System/Servers
-License: %bsdstyle
-Url: https://github.com/altlinux/oddjob-gpupdate.git
-
-Source: %name-%version.tar
-Patch: %name-%version-alt.patch
-
-Requires: oddjob
-
-BuildRequires(pre): rpm-build-licenses
-
-BuildRequires: xmlto
-BuildRequires: libdbus-devel
-BuildRequires: libxml2-devel
-BuildRequires: libpam0-devel
-BuildRequires: libselinux-devel
+#
+# spec file for package oddjob-gpupdate
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           oddjob-gpupdate
+Version:        0.2.0
+Release:        0
+Summary:        An oddjob helper which applies group policy objects
+License:        BSD-3-Clause
+URL:            https://github.com/openSUSE/oddjob-gpupdate.git
+Source:         %{name}-%{version}.tar.bz2
+Group:          System/Servers
+Requires:       oddjob
+
+BuildRequires:  autoconf
+BuildRequires:  dbus-1-devel
+BuildRequires:  libselinux-devel
+BuildRequires:  libtool
+BuildRequires:  libxml2-devel
+BuildRequires:  oddjob
+BuildRequires:  pam-devel
+BuildRequires:  xmlto
 
 %description
 This package contains the oddjob helper which can be used by the
-pam_oddjob_gpupdate module to applies group policy objects at login-time.
+pam_oddjob_gpupdate module to apply group policy objects at login-time.
 
 %prep
 %setup
-%patch -p1
 
 %build
-%autoreconf
+autoreconf -if
 %configure \
     --disable-static \
     --enable-pie \
@@ -41,28 +53,25 @@ pam_oddjob_gpupdate module to applies group policy objects at login-time.
 %make_build
 
 %install
-%makeinstall_std
-
-mkdir -p %buildroot/%_lib/security
-mv %buildroot%_libdir/security/pam_oddjob_gpupdate.so \
-%buildroot/%_lib/security/
-rm %buildroot%_libdir/security/pam_oddjob_gpupdate.la
+%makeinstall
 
 %post
-%post_service oddjobd
-
-%preun
-%preun_service oddjobd
+if test $1 -eq 1 ; then
+	killall -HUP dbus-daemon 2>&1 > /dev/null
+fi
+if [ -f /var/lock/subsys/oddjobd ] ; then
+	/bin/dbus-send --system --dest=com.redhat.oddjob /com/redhat/oddjob com.redhat.oddjob.reload
+fi
 
 %files
 %doc COPYING src/gpupdatefor src/gpupdateforme
 %_libexecdir/oddjob/gpupdate
-/%_lib/security/pam_oddjob_gpupdate.so
+%_pam_moduledir/pam_oddjob_gpupdate.so
+%exclude %_pam_moduledir/pam_oddjob_gpupdate.la
 %_mandir/*/pam_oddjob_gpupdate.*
 %_mandir/*/oddjob-gpupdate.*
 %_mandir/*/oddjobd-gpupdate.*
 %config(noreplace) %_sysconfdir/dbus-*/system.d/oddjob-gpupdate.conf
 %config(noreplace) %_sysconfdir/oddjobd.conf.d/oddjobd-gpupdate.conf
 
 %changelog
-

src/gpupdate.c

@@ -56,6 +56,12 @@ static struct passwd *pwd;
 
 #define FLAG_QUIET	(1 << 1)
 
+enum Target
+{
+	Computer,
+	User
+};
+
 /*
  * get_gpo_dir
  *
@@ -66,10 +72,10 @@ static struct passwd *pwd;
 static const char *
 get_gpo_exe(void)
 {
-	return gpo_exe ? gpo_exe : "/usr/sbin/gpoa";
+	return gpo_exe ? gpo_exe : "/usr/sbin/samba-gpupdate";
 }
 
-static int apply_gpo(const char *user)
+static int apply_gpo(enum Target target, const char *user)
 {
 	int status;
 	pid_t pid = fork();
@@ -78,7 +84,11 @@ static int apply_gpo(const char *user)
 	case -1:
 		return 1;
 	case 0:
-		execl(exe, exe, user, NULL);
+		if (target == Computer) {
+			execl(exe, exe, "--target=Computer", NULL);
+		} else if (target == User) {
+			execl(exe, exe, "--target=User", "-U", user, NULL);
+		}
 		return 3;
 	default:
 		if (waitpid(pid, &status, 0) < 0)
@@ -94,6 +104,7 @@ gpupdate(const char *user, int flags)
 	int ret;
 	struct stat st;
 	const char *log_user = user;
+	enum Target target;
 
 	/* Now make sure that the user or computer
 	   a) no user (computer)
@@ -103,6 +114,12 @@ gpupdate(const char *user, int flags)
 	      2) not an empty string
 	      3) not already there */
 	if (user != NULL) {
+		// prevent any attempts to smuggle in command line switches
+		if (user[0] == '-') {
+			syslog(LOG_ERR, "rejecting suspicious username %s", user);
+			return HANDLER_INVALID_INVOCATION;
+		}
+
 		pwd = getpwnam(user);
 		if (pwd == NULL) {
 			syslog(LOG_ERR, "could not look up location of home directory "
@@ -116,8 +133,10 @@ gpupdate(const char *user, int flags)
 				       pwd->pw_dir);
 			}
 		}
+		target = User;
 	} else {
-		log_user = "computer";
+		target = Computer;
+		user = NULL;
 	}
 	/* Figure out which executable we're using as a applier. */
 	exe = get_gpo_exe();
@@ -137,7 +156,7 @@ gpupdate(const char *user, int flags)
 				return HANDLER_INVALID_INVOCATION;
 			}
 		}
-		ret = apply_gpo(user);
+		ret = apply_gpo(target, user);
 		if (ret != 0) {
 			syslog(LOG_ERR,
 			       "error applying GPO for %s (error code %d)", log_user, ret);
@@ -154,7 +173,7 @@ main(int argc, char **argv)
 	int oddjob_argc, ret, flags = 0;
 
 	openlog(PACKAGE "-gpupdate", LOG_PID, LOG_DAEMON);
-	gpo_exe = "/usr/sbin/gpoa";
+	gpo_exe = "/usr/sbin/samba-gpupdate";
 
 	while ((ret = getopt(argc, argv, "qp:")) != -1) {
 		switch (ret) {