[MIR] ADSys

[Summary]
Overall this is looking fine, but we need to make sure to fix a few things around it. As this is a go binary with many vendorized dependencies, you also need to explicitly state your commitment to support the security team with security and dependency updates. Please do so in this bug report. Furthermore, you might add a team subscription to this package's bugs (though that can be done by an AA later on).

I'd also like you to take a look at some recommendations like fixing autopkgtests, fixing some lintian warnings and trying to avoid the "sudo" call in debian/control/tests. Those can be fixed after promotion to main as well.

This does need a security review, so I'll assign ubuntu-security (root daemon, vendorized code)
List of specific binary packages to be promoted to main: adsys

So this will be a MIR team ACK, once the required TODOs are fulfilled.

Notes:
This is a go package with many (>50) vendorized dependencies, but the owning team is using "dependabot" (from GitHub) to keep track of dependency/security updates.

Required TODOs:
- This is a static go binary, therefore the owning team must state the following commitment explicitly:
  * the owning team must state their commitment to test no-change-rebuilds triggered by a dependent library/compiler and to fix any issues found for the lifetime of the release (including ESM when included)
  * the owning team must provide timely testing of no-change-rebuilds from the security team, fixing the rebuilt package as necessary
  * the owning team must state their commitment to provide updates to the security team for any affected vendored code for the lifetime of the release (including ESM when included)
  * the owning team will provide timely, high quality updates for the security team to sponsor to fix issues in the affected vendored code

Recomended TODOs:
- Please add a team subscription (~desktop-packages?)
- Make autopkgtests pass (it's not a regression as the autopkgtests passed never before)
- Fix relevant lintian warnings (missing-notice-file-for-apache-license, hardening-no-pie)
- check if you could be using the "needs-root" restriction instead of "sudo" in debian/control/tests

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- Build-dependency: debhelper-compat is pure virtual, dh-apport is only a build-dependency and therefore OK to be in universe
- no -dev/-debug/-doc packages that need exclusion

Problems:
- NONE

[Embedded sources and static linking]
OK:
- Special case: this is a Go package, using dh-golang

Problems:
- embedded source present (53 vendorized go depdendencies)
- static linking (Built-Using)

[Security]
OK:
- history of CVEs does not look concerning, 0 CVEs so far, according to https://ubuntu.com/security/cve?q=&package=adsys&priority=&version=&status=
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port (but can be socket activated)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does run a daemon as root (can be socket activated)
- does deal with system authenticatio...

Thanks for the review! All comments should now be addressed.

Required TODOs:
* Statement is now clearly made in description

Recommended TODOs:
* subscription is now done
* autopkgtests: no sudo anymore and they pass with 0.7.1: https://autopkgtest.ubuntu.com/packages/adsys
* 0.7.1 ships the NOTICE file from yaml dependency
* 0.7.1 now specify -buildmode=pie

adsys 0.7.1 is now in the release pocket.

Thanks for working out the kinks, Didier!

MIR team ACK

It seems this is important for the 20.04.4 point release, so while we try to prioritize all the cases in the queue for security review let us set this to Critical + 20.04.4 Milestone.

I reviewed adsys 0.8 as checked into jammy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. As
usual with golang code, there's vastly more code in the package than we've
authored, and it's not feasible to review the entirety.

adsys allows network administrators to include Ubuntu systems in Windows
Group Policy ecosystem. There's easy support for a lot of individual
tunable elements, as well as generic support for running both machine and
user scripts on login, logout, etc.

- CVE History:
  none :)
- Build-Depends?
  Build-Depends: debhelper-compat (= 13),
               dh-apport,
               dh-golang,
               golang-go (>= 2:1.16~),
               libsmbclient-dev,
               libdbus-1-dev,
               python3,
               python3-samba,
               samba-dsdb-modules,
               libpam0g-dev,
               samba,
               dbus,
- pre/post inst/rm scripts?
  mostly added automatically by dh_ helpers; registers and unregisters pam
  module, enables systemd units, purges and unmasks systemd units, etc.
- init scripts?
  none
- systemd units?
  sets up socket activation, sets up timers, refreshes policies, runs
  machine scripts in machine units, runs user scripts in user units
- dbus services?
  none
- setuid binaries?
  none
- binaries in PATH?
  adsysd, adsysctl
- sudo fragments?
  /etc/sudoers.d/99-adsys-privilege-enforcement is under control of the
  application:

"%admin ALL=(ALL) !ALL\n"
"%sudo ALL=(ALL:ALL) !ALL\n"

contentSudo += fmt.Sprintf("\"%s\" ALL=(ALL:ALL) ALL\n", e)

  these are very powerful; I'd appreciate a second set of eyes here :)

- polkit files?
  yes, seems reasonable
- udev rules?
  none
- unit tests / autopkgtests?
  yes, many tests, run during the build
- cron jobs?
  none, systemd timer units used instead
- Build logs:
  the shell completion files are dumped during build, it's a bit noisy,
  but otherwise looks clean

- Processes spawned?
  Yes -- pam module, copied from pam_exec.c
  Yes -- adsys spawned from the user manager will run scripts, seems okay
- Memory management?
  Most is golang, safe enough
  pam module has some memory leaks; when reported to upstream pam_exec.c
  folks, they appear to be leaning towards leaking even more memory :) so
  probably fine.
- File IO?
  Some issues, raised elsewhere.
- Logging?
  pam module looked fine
- Environment variable usage?
  NO_COLOR and KRB5CCNAME, seemed safe
- Use of privileged functions?
  chown
- Use of cryptography / random number sources etc?
  none
- Use of temp files?
  none
- Use of networking?
  grpc; to the extent I looked at it, it felt safe enough
- Use of WebKit?
  none
- Use of PolicyKit?
  yes, internal/authorizer/authorizer.go
  looks up process start time by searching *backwards* through
  /proc/pid/stat file for a ), then looking forward 19 fields. I didn't
  double-check the math but it sure sounds promising.

- Any significant cppcheck results?
  memory leaks in pam_adsys.c, upstream for inspiration pam_exec didn't seem bothered
- Any significant Coverity results?
  none
- Any significant shellcheck results?
  none
- Any significant bandit results?
  none

ads...

Thanks Seth for the review and the overall positive comments! :)

Some answers:
1. the potential race is fixed after our discussion and pending some reviews

2. the pam modulefixes are done and merged already (even if upstream don’t deallocate, let’s do it on our side)

3. on the conditions that can be added to adsys-boot.service to make it less likely to spam the journal every five seconds for ten hours when on an airplane?
-> We can’t rely on network being up (maybe we never had the network, or the interface is on but not connected yet, or the interface is on, has no Internet, but local network is enough to reach AD).
Depending on all those conditions, we can’t link it to the network, it may be too early or too late. Also, we support offline mode once we have a valid cache.

Considering that this case only happen the first time you boot your machine (no local cache for offline usage) and don’t have access to AD, this doesn’t seem a big issue and rather something you want to be alerted on, what do you think?

4. on the doc and examples containing a socket in /tmp
-> This is more a debug example to run adsysd as non root. The issue with putting real values is then, if you do that on a system where adsysd is running, you end up erroring out on the systemd existing socket and then, it’s a nightmare to recover on the systemd side (you need to reset the state of the .socket unit). This is why the example carefully avoid using the real system socket (in addition to require root to read it).

$ ./change-override -c main -B adsys
Override component to main
adsys 0.8.2 in jammy: universe/admin -> main
adsys 0.8.2 in jammy amd64: universe/admin/optional/100% -> main
adsys 0.8.2 in jammy arm64: universe/admin/optional/100% -> main
adsys 0.8.2 in jammy armhf: universe/admin/optional/100% -> main
adsys 0.8.2 in jammy ppc64el: universe/admin/optional/100% -> main
adsys 0.8.2 in jammy riscv64: universe/admin/optional/100% -> main
adsys 0.8.2 in jammy s390x: universe/admin/optional/100% -> main
Override [y|N]? y
7 publications overridden.