Change logs for adsys source package in Jammy

  • adsys (0.9.2~22.04.2) jammy; urgency=medium
    
      [ Didier Roche ]
      [ Matthew Ruffell ]
      * Fix processing of domain names to correctly parse '-' characters
        when creating valid dbus object paths, enabling domains with
        '-' to work, e.g. "test-example.com". (LP: #2020834)
        - internal/ad/ad.go
    
     -- Matthew Ruffell <email address hidden>  Fri, 26 May 2023 15:52:48 +1200
  • adsys (0.9.2~22.04.1) jammy-security; urgency=medium
    
      * No change build due to golang-1.18 update
    
     -- Nishit Majithia <email address hidden>  Thu, 27 Apr 2023 11:41:22 +0530
  • adsys (0.9.2~22.04) jammy; urgency=medium
    
      * Backport to jammy
    
    adsys (0.9.2) kinetic; urgency=medium
    
      * Update generators to fix FTBFS
        - shell out to mkdir instead of go's os.Mkdir which can bypass fakeroot's
          filesystem hijacking and cause unexpected behavior
      * Update dependencies to latest:
        - github.com/golangci/golangci-lint
        - google.golang.org/protobuf
    
    adsys (0.9.1) kinetic; urgency=medium
    
      [ Didier Roche ]
      [ Gabriel Nagy ]
      * Fix loading policy content from uppercase folders (LP: #1982330)
      * Add GSettings power management keys (LP: #1982349)
      * Allow parsing policy entries with empty values (LP: #1982342)
      * Allow parsing policies with unsupported types (LP: #1982343)
      * Allow parsing policy entries with no data (LP: #1982345)
      * Lowercase target name when normalizing (LP: #1982347)
      * Annotate policies that require Ubuntu Pro (LP: #1982348)
      * Update dependencies to latest:
        - github.com/spf13/cobra
        - github.com/spf13/viper
        - github.com/stretchr/testify
        - github.com/charmbracelet/bubbletea
        - github.com/charmbracelet/bubbles
        - google.golang.org/grpc
        - github.com/golangci/golangci-lint
        - github.com/sirupsen/logrus
    
    adsys (0.9.0) kinetic; urgency=medium
    
      [ Jean-Baptiste Lallement ]
      [ Didier Roche ]
      [ Gabriel Nagy ]
      * Add Active Directory Watch Daemon - adwatchd: (LP: #1982351)
        - Implement a Windows daemon that watches a list of configured directories
          for changes and bumps the relevant GPT.INI files.
        - Add adsys-windows binary package which includes the Windows daemon
          executable and the admx/adml policies.
      * Config detection now includes current executable directory
      * Fixes in generator build race
      * Update dependencies to latest:
        - github.com/spf13/cobra
        - github.com/stretchr/testify
      * CI updates:
        - switch to Go setup v3
        - bump to really build with Golang 1.18
    
    adsys (0.8.6) kinetic; urgency=medium
    
      * Fix new build failures on 32 bits due to libsmbclient-dev no longer setting
        the large file support cflags in libsmbclient.h.
        Update to latest libsmbclient-go.
      * Update dependencies to latest:
        - google.golang.org/grpc
        - gopkg.in/ini.v1
        - github.com/golangci/golangci-lint
        - github.com/spf13/viper
        - github.com/stretchr/testify
    
     -- Didier Roche <email address hidden>  Thu, 04 Aug 2022 11:23:01 +0200
  • adsys (0.8.5~22.04) jammy; urgency=medium
    
      [ Jean-Baptiste Lallement ]
      [ Didier Roche ]
      * Rename chapters to be in correct ascii order when viewed online.
        Thanks to Anton Drastrup-Fjordbak.
      * Include 22.04 in admx/adml for lts only releases. (LP: #1973745)
      * Bump embedded dependencies minor versions for both bug fixes and minor
        security enhancements.
      * Fix dconf keys not being readable by user after applying policy.
        (LP: #1973748)
      * Ensure we can execute machine and user scripts:
        /run is now noexec on Ubuntu. Ensure that we can execute the scripts in
        /run/adsys subdirectories. The scripts mechanism has been reviewed by the
        security team, so we can reset them as executable. (LP: #1973751)
      * Move integration tests under cmd/adsysd and admxgen binary to cmd/admxgen
        to prepare future adwatchd daemon under cmd/ which will be SRUed with an
        exception in next update. This is a no-op in the final deploy binaries,
        apart from admxgen which is now using Cobra. This binary though is not
        shipped in any package and only used in CI.
      * Fix privilege permission which can not be set to disabled. (LP: #1973752)
      * Adaptation or new tests for all above changes.
      * Add fuzz tests and include new potential crash fixes on invalid files
        generated by Windows AD.
      * CI fixes and changes (not impacting final package):
        - Move CI to Go 1.18 (package is already building with 1.18 in jammy).
        - Fixes due to new github.
        - Fix to generate all LTS releases in admx/adml (see above).
    
     -- Didier Roche <email address hidden>  Mon, 16 May 2022 14:09:36 +0200
  • adsys (0.8.4) jammy; urgency=medium
    
      * Sync refresh timer with Windows
      * Some lint fixes due to Go 1.18
      * Fix image reference in documentation
    
     -- Didier Roche <email address hidden>  Wed, 06 Apr 2022 15:37:58 +0200
  • adsys (0.8.3) jammy; urgency=medium
    
      [ Jean-Baptiste Lallement ]
      [ Didier Roche ]
      * Use ua attached instead of a specific ua feature to gate optional
        features.
      * Added and updated documentation for privilege escalation and scripts
        support.
      * New linter version trigger fix.
      * Dependencies update for latest bug fixes:
        - github.com/golangci/golangci-lint
        - github.com/spf13/cobra-1.4.0
        - github.com/stretchr/testify-1.7.1
        - google.golang.org/protobuf-1.28.0
        - google.golang.org/grpc-1.45.0
    
     -- Didier Roche <email address hidden>  Wed, 23 Mar 2022 13:39:27 +0100
  • adsys (0.8.2) jammy; urgency=medium
    
      * Fix flaky "pick up config changes" tests on armhf and arm64
    
     -- Didier Roche <email address hidden>  Thu, 10 Mar 2022 11:00:27 +0100
  • adsys (0.8.1) jammy; urgency=medium
    
      * Change chown logic on script directory and parents to avoid potential
        vulnerability. (LP: #1961458)
      * Separate readiness from session running to avoid unrefreshed user script
        directories after a logout without any new logins.
      * pam_adsys: Fix memory leak and indentation. (LP: #1961459)
      * Adapt to newer samba, while keeping backward compatibility for CI.
        Thanks Michael. (LP: #1962170)
      * Try to stabilize configuration detection change test by calling sync() to
        sync FHS to disk, and then, hoping we get the inotify update. Seems to fix
        flakiness on armhf. (LP: #1962510)
      * Enforce closing stderr on ppc64el in tests with new samba to avoid hangs
        in race.
      * Fix linting issues discovered by new golangci-lint.
      * Misc syntax polish.
      * Dependencies update:
        - github.com/godbus/dbus/v5
        - github.com/golangci/golangci-lint
        - gopkg.in/ini.v1
    
     -- Didier Roche <email address hidden>  Tue, 08 Mar 2022 09:49:08 +0100
  • adsys (0.8ubuntu1) jammy; urgency=medium
    
      * Quick patch to invoke smbd in tests with options accepted by v4.15+.
    
     -- Michael Hudson-Doyle <email address hidden>  Mon, 28 Feb 2022 13:07:12 +1300
  • adsys (0.8) jammy; urgency=medium
    
      [ Jean-Baptiste Lallement ]
      [ Didier Roche ]
      * Add new types of GPOs support, with ubuntu advantage subscription
        integration. Recommends ubuntu-advantage-desktop-daemon.
      * Privilege escalation: support for privilege escalation and gives
        administrator access to users and groups registered in Active Directory.
        The administrator can also prevent any kind of local administrator on
        the machine.
      * Scripts integration: support for scripts in GPO when the computer boots and
        shuts down, and when the user logs on or off.
        - The computer scripts are run as root, on startup (or first AD user login
          if we couldn’t fetch GPOs and had no cache)
        - The user scripts are run with systemd user session, as the user.
        - A transactional state is handled: New versions of scripts or list of
          scripts are only updated when a given session is not opened.
          Said differently, the shutdown scripts for the machine will be the ones
          downloaded and enabled when the start scripts were run.
          Similarly, the user logoff scripts will be the ones corresponding to
          the time when the log on scripts were executed.
        - Any failing scripts won’t stop the boot or log on. Similarly to Windows
          script support, this is not a security feature.
      * Support downloading assets from the Active Directory server. Those assets
        are located in the <Distribution> named directory at SYSVOL root.
        Those need a GPT.INI, similarly to GPO, to control cache update.
      * Internal changes on how policies and cached are handled. Those changes are
        needed to enhance the model of caching with assets, while keeping
        a transactional behaviour.
      * Many new tests covering all the new and existing changes.
      * General cleanups:
        - More debugging and info messages.
        - In templates, policies define personalized notes and descriptions.
          Those are now used to generate the description of the policy.
        - Modernize, fix bugs and workarounds now that we are on at min Go 1.16,
          and prepare for 1.17 and new vendored dependencies versions.
        - Add more linting support and fix discovered issues.
        - Rewrite integration tests containers mimicking system services in python
          for better reliability and support via dbus-mock. Upgraded to a newer
          version.
        - Adapt to new GitHub infrastructure changes with new container repository,
          and change workflows adjustments by new linting rules.
        - Discard deprecated dconf keys for those releases.
      * Updated vendored go dependencies:
        - bluemonday
        - cobra
        - color
        - glamour
        - go-dbus
        - golangci-lint
        - grpc
        - ini
        - viper
    
     -- Didier Roche <email address hidden>  Mon, 07 Feb 2022 09:37:45 +0100
  • adsys (0.7.1build1) jammy; urgency=medium
    
      * No-change rebuild against Go 1.17
    
     -- William 'jawn-smith' Wilson <email address hidden>  Tue, 30 Nov 2021 13:46:14 -0600
  • adsys (0.7.1) impish; urgency=medium
    
      * Fix user login name when being prefixed by domain (domain\user) or using
        default domain suffix.
      * Relax commands to always normalize to user@domain even if a previous form
        of entry is given
      * Fix pam module to always be loaded for those.
      * All users and machine update should not provide a target
      * Relax rule for hostname length when > 15 characters. Try first real name
        in AD and then fallback to 15 for NETBIOS compatibility if AD is configured
        in such a way.
      * Pull sss connection state dynamically, to switch between online and offline
        mode.
      * Misc smaller fixes in namings and entry permissive mode.
      * Add and adapt unit and integration tests for all the above, including
        docker test container.
      * Fixes for incoming Golang 1.17 tests Name() behaviour change
      * Make some integration tests more stable
      * Refresh policy definition file
      * Update vendored dependency via DEPENDABOT:
        - github.com/fsnotify/fsnotify
        - github.com/godbus/dbus
        - golang.org/x/text
        - google.golang.org/grpc
        - gopkg.in/ini.v1
        - honnef.co/go/tools
      * CI:
        - switch back to hirsute for QA code check, as impish docker images have
          a broken libc.
      * Packaging fixes:
        - Ensure we always build with PIE
        - Fix autopkgtests by not running them as root
        - Ship NOTICE from a vendor dependency as being Apache2 licensed
        - Modernize gbp.conf
    
     -- Didier Roche <email address hidden>  Wed, 15 Sep 2021 10:30:27 +0200