Activity log for bug #1910611

Date Who What changed Old value New value Message
2021-01-08 00:35:04 richard bug added bug
2021-01-08 00:38:08 richard bug watch added https://github.com/SSSD/sssd/issues/5446
2021-01-08 01:01:11 Seth Arnold bug task added sssd (Ubuntu)
2021-01-11 13:46:03 Christian Ehrhardt  tags server-next
2021-01-11 13:46:15 Christian Ehrhardt  bug added subscriber Ubuntu Server
2021-01-11 18:15:59 Sergio Durigan Junior sssd (Ubuntu): assignee Sergio Durigan Junior (sergiodj)
2021-01-18 21:39:27 Sergio Durigan Junior nominated for series Ubuntu Groovy
2021-01-18 21:39:27 Sergio Durigan Junior bug task added sssd (Ubuntu Groovy)
2021-01-18 21:39:27 Sergio Durigan Junior nominated for series Ubuntu Focal
2021-01-18 21:39:27 Sergio Durigan Junior bug task added sssd (Ubuntu Focal)
2021-01-18 21:39:27 Sergio Durigan Junior nominated for series Ubuntu Hirsute
2021-01-18 21:39:27 Sergio Durigan Junior bug task added sssd (Ubuntu Hirsute)
2021-01-18 21:39:35 Sergio Durigan Junior sssd (Ubuntu Focal): assignee Sergio Durigan Junior (sergiodj)
2021-01-18 21:39:38 Sergio Durigan Junior sssd (Ubuntu Groovy): assignee Sergio Durigan Junior (sergiodj)
2021-01-18 22:14:28 Sergio Durigan Junior description sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04. apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance. The following notifications are sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)? Sample apparmor-notif output here: Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss Operation: open Name: /proc/33363/cmdline Denied: r Logfile: /var/log/audit/audit.log (1498 found, most recent from 'Wed Dec 30 20:35:19 2020') Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: open Name: /etc/hosts Denied: r Logfile: /var/log/audit/audit.log (294 found, most recent from 'Thu Dec 31 02:55:41 2020') Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: mknod Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk Denied: c Logfile: /var/log/audit/audit.log Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: open Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk Denied: wrc Logfile: /var/log/audit/audit.log Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: chmod Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk Denied: w Logfile: /var/log/audit/audit.log [ Impact ] sssd users on Focal, Groovy and Hirsute can experience problems when setting sssd's apparmor profile to "Enforce" mode. In this scenario, apparmor will prevent sssd from being able to execute programs under the /usr/libexec/sssd/* path, which will cause the sssd service to fail to start. Aside from the deny mentioned above, the sssd apparmor profile also needs to be updated to reflect the fact that sssd will also need to have read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/* directories. [ Test Case ] Using an LXD VM, one can: $ lxc launch image:ubuntu/focal sssd-bug1910611-focal --vm $ lxc shell sssd-bug1910611-focal # apt update && apt install apparmor-utils sssd -y ... # cat > /etc/sssd/sssd.conf << __EOF__ [sssd] config_file_version = 2 domains = example.com [domain/example.com] id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com __EOF__ # chmod 0600 /etc/sssd/sssd.conf # aa-enforce sssd Setting /usr/sbin/sssd to enforce mode. # systemctl restart sssd.service Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details. # dmesg | grep DENIED ... [ 2011.510479] audit: type=1400 audit(1611007899.726:370): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3255 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 [ 2011.511822] audit: type=1400 audit(1611007899.726:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3256 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 The instructions above can be replicated to test things on Groovy and Hirsute. [ Regression Potential ] Very little regression potential, since we are expanding the apparmor permissions of sssd, and not reducing them. * If the user already has apparmor enabled for sssd, she will most likely have addressed these issues by herself, which means that this change will just be a duplicate of what is already on the system. * If the user does not have apparmor enabled, then nothing will change. [ Original Description ] sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04. apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance. The following notifications are sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)? Sample apparmor-notif output here: Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss Operation: open Name: /proc/33363/cmdline Denied: r Logfile: /var/log/audit/audit.log (1498 found, most recent from 'Wed Dec 30 20:35:19 2020') Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: open Name: /etc/hosts Denied: r Logfile: /var/log/audit/audit.log (294 found, most recent from 'Thu Dec 31 02:55:41 2020') Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: mknod Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk Denied: c Logfile: /var/log/audit/audit.log Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: open Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk Denied: wrc Logfile: /var/log/audit/audit.log Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be Operation: chmod Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk Denied: w Logfile: /var/log/audit/audit.log
2021-01-18 22:56:26 Launchpad Janitor merge proposal linked https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396453
2021-01-18 23:01:56 Launchpad Janitor merge proposal linked https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396454
2021-01-20 04:23:01 Launchpad Janitor merge proposal linked https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396542
2021-01-21 00:53:28 Launchpad Janitor sssd (Ubuntu Hirsute): status New Fix Released
2021-01-22 10:04:57 Robie Basak sssd (Ubuntu Groovy): status New Fix Committed
2021-01-22 10:04:58 Robie Basak bug added subscriber Ubuntu Stable Release Updates Team
2021-01-22 10:05:01 Robie Basak bug added subscriber SRU Verification
2021-01-22 10:05:04 Robie Basak tags server-next server-next verification-needed verification-needed-groovy
2021-01-22 10:05:30 Robie Basak sssd (Ubuntu Focal): status New Fix Committed
2021-01-22 10:05:36 Robie Basak tags server-next verification-needed verification-needed-groovy server-next verification-needed verification-needed-focal verification-needed-groovy
2021-01-25 14:05:41 Sergio Durigan Junior tags server-next verification-needed verification-needed-focal verification-needed-groovy server-next verification-done-focal verification-needed verification-needed-groovy
2021-01-25 14:10:21 Sergio Durigan Junior tags server-next verification-done-focal verification-needed verification-needed-groovy server-next verification-done-focal verification-done-groovy
2021-02-02 21:53:23 Launchpad Janitor sssd (Ubuntu Groovy): status Fix Committed Fix Released
2021-02-02 21:53:32 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2021-02-08 09:56:42 Launchpad Janitor sssd (Ubuntu Focal): status Fix Committed Fix Released