Merge pull request #267 from himmelblau-idm/stable-0.6.x_ubuntu_issues

Resolve some Ubuntu issues backport to stable 0.6.x

Cargo.toml

@@ -17,7 +17,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.6.14"
+version = "0.6.15"
 authors = [
     "David Mulder <[email protected]>"
 ]
@@ -77,7 +77,7 @@ tracing-forest = "^0.1.6"
 rusqlite = "^0.32.0"
 hashbrown = { version = "0.14.0", features = ["serde", "inline-more", "ahash"] }
 lru = "^0.12.3"
-kanidm_lib_crypto = { path = "./src/crypto", version = "0.6.14" }
+kanidm_lib_crypto = { path = "./src/crypto", version = "0.6.15" }
 kanidm_utils_users = { path = "./src/users" }
 walkdir = "2"
 csv = "1.2.2"

platform/debian/himmelblau.conf.example

@@ -0,0 +1,91 @@
+[global]
+# REQUIRED: The list of configured domains. This must be specified, or no users
+# will be permitted to authenticate. The first user to authenticate to each
+# domain will be the owner of the device object in the directory. Typically
+# this would be the primary user of the device.
+# domains =
+#
+### Optional global values
+# Configure whether the logger will output debug messages to the journal.
+# debug = false
+#
+# pam_allow_groups SHOULD be defined or else all users will be authorized by
+# pam account. The option should be set to a comma seperated list of Users and
+# Groups which are allowed access to the system. Groups MUST be specified by
+# Object ID, not by UPN. This is because Azure does not permit regular users
+# the right to read group names, only the Object IDs which they belong to.
+# pam_allow_groups =
+#
+# Specify whether to map uid/gid based on the object name or the object uuid.
+# By object uuid mapping is the old default, but can cause authentication
+# issues over SSH. Mapping by name is recommeneded.
+# id_attr_map = name ; {name|uuid}
+#
+# If you have an ODC provider (the default being odc.officeapps.live.com), specify
+# the hostname for sending a federationProvider request. If the federationProvider
+# request is successful, the tenant_id and authority_host options do not need to
+# be specified.
+# odc_provider = odc.officeapps.live.com
+#
+# Whether to enroll users in Hello authentication. If disabled, MFA may be
+# required during each login. Disabling Hello authentication is recommeneded
+# when the host is public facing (such as via SSH).
+# enable_hello = true
+#
+# The minimum length of the Hello authentication PIN. This PIN length cannot
+# be less than 6, and cannot exceed 32 characters. These are hard requirements
+# for the encryption algorithm.
+# hello_pin_min_length = 6
+#
+# Whether to permit attempting a SFA (password only) authentication when MFA
+# methods are unavailable. Sometimes this is possible when MFA has yet to be
+# configured. This is disabled by default.
+# enable_sfa_fallback = false
+#
+# CN to UPN mapping allows users to simply enter the short form of their
+# username (`dave` instead of `[email protected]`). Himmelblau will only map CNs
+# to the primary domain (the first domain listed in the `domains` option
+# above). WARNING: CN mapping could mask local users, depending on your PAM
+# configuration.
+# cn_name_mapping = true
+#
+# authority_host = login.microsoftonline.com
+#
+# The location of the cache database
+# db_path = /var/cache/himmelblau/himmelblau.cache.db
+#
+# The location where the hsm pin will be stored
+# hsm_pin_path = /var/lib/himmelblaud/hsm-pin
+# socket_path = /var/run/himmelblaud/socket
+# task_socket_path = /var/run/himmelblaud/task_sock
+# broker_socket_path = /var/run/himmelblaud/broker_sock
+# home_prefix = /home/
+# home_attr = UUID ; home directory attribute options:
+#                  ; UUID (default)
+#                  ; SPN
+#                  ; CN
+home_attr = CN
+# home_alias = SPN ; home directory alias options:
+#                  ; UUID
+#                  ; SPN (default)
+#                  ; CN
+home_alias = CN
+# shell = /bin/bash ; default shell for the user
+# idmap_range = 5000000-5999999
+# connection_timeout = 2
+# cache_timeout = 15
+use_etc_skel = true
+# selinux = true
+
+### Domain specific values
+# Individual domain values may be overridden by specifying these values under
+# a domain section. These options take precedent over global config options.
+# For example:
+#
+# [example.com]
+# odc_provider = odc.officeapps.live.com
+# home_prefix = /home/
+# home_attr = UUID
+# home_alias = SPN
+# shell = /bin/zsh
+# idmap_range = 6000000-6999999

platform/debian/scripts/postinst

@@ -17,6 +17,20 @@ UNIX_CHKPWD_PATCH=$(cat << 'EOF'
  
 EOF
 )
+LIBREOFFICE_PATCH=$(cat << 'EOF'
+--- /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin	2024-09-02 07:51:12.000000000 -0600
++++ /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin	2024-10-24 09:52:51.062702354 -0600
+@@ -76,7 +76,7 @@
+
+ #include <tunables/global>
+
+-profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
++profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain,attach_disconnected) {
+   #include <abstractions/private-files>
+
+   #include <abstractions/audio>
+EOF
+)
 
 # Check if the file /etc/apparmor.d/unix-chkpwd exists
 if [[ -f /etc/apparmor.d/unix-chkpwd ]]; then
@@ -26,3 +40,12 @@ if [[ -f /etc/apparmor.d/unix-chkpwd ]]; then
 	# Reload the AppArmor profile to apply the changes
 	apparmor_parser -r /etc/apparmor.d/unix-chkpwd || echo "apparmor reload failed"
 fi
+
+# Check if the file /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin exists
+if [[ -f /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin ]]; then
+	# Apply the patch using the patch command
+	echo "$LIBREOFFICE_PATCH" | patch --fuzz 2 --silent --forward -p0 /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin || echo "apparmor libreoffice patch failed"
+
+	# Reload the AppArmor profile to apply the changes
+	apparmor_parser -r /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin || echo "apparmor reload failed"
+fi

platform/debian/scripts/postrm

@@ -17,6 +17,20 @@ UNIX_CHKPWD_PATCH=$(cat << 'EOF'
  
 EOF
 )
+LIBREOFFICE_PATCH=$(cat << 'EOF'
+--- /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin	2024-09-02 07:51:12.000000000 -0600
++++ /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin	2024-10-24 09:52:51.062702354 -0600
+@@ -76,7 +76,7 @@
+
+ #include <tunables/global>
+
+-profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
++profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain,attach_disconnected) {
+   #include <abstractions/private-files>
+
+   #include <abstractions/audio>
+EOF
+)
 
 # Check if the file /etc/apparmor.d/unix-chkpwd exists
 if [[ -f /etc/apparmor.d/unix-chkpwd ]]; then
@@ -26,3 +40,12 @@ if [[ -f /etc/apparmor.d/unix-chkpwd ]]; then
 	# Reload the AppArmor profile to apply the changes
 	apparmor_parser -r /etc/apparmor.d/unix-chkpwd
 fi
+
+# Check if the file /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin exists
+if [[ -f /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin ]]; then
+	# Reverse the patch using the patch command
+	echo "$LIBREOFFICE_PATCH" | patch --fuzz 2 --silent --reverse -p0 /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin || echo "apparmor libreoffice patch failed"
+
+	# Reload the AppArmor profile to apply the changes
+	apparmor_parser -r /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin || echo "apparmor reload failed"
+fi

src/daemon/Cargo.toml

@@ -46,7 +46,7 @@ maintainer = "David Mulder <[email protected]>"
 depends = ["libssl3", "libsqlite3-0"]
 recommends = ["nss-himmelblau", "pam-himmelblau"]
 assets = [
-  ["../../src/config/himmelblau.conf.example", "etc/himmelblau/himmelblau.conf", "644"],
+  ["../../platform/debian/himmelblau.conf.example", "etc/himmelblau/himmelblau.conf", "644"],
   ["target/release/aad-tool", "usr/bin/", "755"],
   ["../../platform/debian/himmelblaud-tasks.service", "etc/systemd/system/", "644"],
   ["../../platform/debian/himmelblaud.service", "etc/systemd/system/", "644"],