| 2021-01-08 00:35:04 |
richard |
bug |
|
|
added bug |
| 2021-01-08 00:38:08 |
richard |
bug watch added |
|
https://github.com/SSSD/sssd/issues/5446 |
|
| 2021-01-08 01:01:11 |
Seth Arnold |
bug task added |
|
sssd (Ubuntu) |
|
| 2021-01-11 13:46:03 |
Christian Ehrhardt |
tags |
|
server-next |
|
| 2021-01-11 13:46:15 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
| 2021-01-11 18:15:59 |
Sergio Durigan Junior |
sssd (Ubuntu): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
| 2021-01-18 21:39:27 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Groovy |
|
| 2021-01-18 21:39:27 |
Sergio Durigan Junior |
bug task added |
|
sssd (Ubuntu Groovy) |
|
| 2021-01-18 21:39:27 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Focal |
|
| 2021-01-18 21:39:27 |
Sergio Durigan Junior |
bug task added |
|
sssd (Ubuntu Focal) |
|
| 2021-01-18 21:39:27 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-01-18 21:39:27 |
Sergio Durigan Junior |
bug task added |
|
sssd (Ubuntu Hirsute) |
|
| 2021-01-18 21:39:35 |
Sergio Durigan Junior |
sssd (Ubuntu Focal): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
| 2021-01-18 21:39:38 |
Sergio Durigan Junior |
sssd (Ubuntu Groovy): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
| 2021-01-18 22:14:28 |
Sergio Durigan Junior |
description |
sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.
apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.
The following notifications are sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?
Sample apparmor-notif output here:
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/audit/audit.log
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/audit/audit.log
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: mknod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: c
Logfile: /var/log/audit/audit.log
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: wrc
Logfile: /var/log/audit/audit.log
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: chmod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: w
Logfile: /var/log/audit/audit.log |
[ Impact ]
sssd users on Focal, Groovy and Hirsute can experience problems when setting sssd's apparmor profile to "Enforce" mode. In this scenario, apparmor will prevent sssd from being able to execute programs under the /usr/libexec/sssd/* path, which will cause the sssd service to fail to start.
Aside from the deny mentioned above, the sssd apparmor profile also needs to be updated to reflect the fact that sssd will also need to have read access to files under the /etc/sssd/conf.d/* and /etc/gss/mech.d/* directories.
[ Test Case ]
Using an LXD VM, one can:
$ lxc launch image:ubuntu/focal sssd-bug1910611-focal --vm
$ lxc shell sssd-bug1910611-focal
# apt update && apt install apparmor-utils sssd -y
...
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
config_file_version = 2
domains = example.com
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap01.example.com
cache_credentials = True
ldap_search_base = dc=example,dc=com
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# aa-enforce sssd
Setting /usr/sbin/sssd to enforce mode.
# systemctl restart sssd.service
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.
# dmesg | grep DENIED
...
[ 2011.510479] audit: type=1400 audit(1611007899.726:370): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3255 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 2011.511822] audit: type=1400 audit(1611007899.726:371): apparmor="DENIED" operation="exec" profile="/usr/sbin/sssd" name="/usr/libexec/sssd/sssd_be" pid=3256 comm="sssd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
The instructions above can be replicated to test things on Groovy and Hirsute.
[ Regression Potential ]
Very little regression potential, since we are expanding the apparmor permissions of sssd, and not reducing them.
* If the user already has apparmor enabled for sssd, she will most likely have addressed these issues by herself, which means that this change will just be a duplicate of what is already on the system.
* If the user does not have apparmor enabled, then nothing will change.
[ Original Description ]
sssd fails to start when its apparmor profile is in enforcing mode. The OS is Ubuntu 20.04.
apparmor-notify shows various denied entries. Setting the profile to 'complain' mode allows sssd to start. We're seeing this in Azure only at this time. Would like to set the profile to 'enforcing' as we're trying to achieve CIS compliance.
The following notifications are sample of those observed. What looks odd (I am no apparmor wizard) is that the denies are coming from the SSSD libraries and not the main binary. Also, no service should be denied read on /etc/hosts (second entry below)?
Sample apparmor-notif output here:
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
Operation: open
Name: /proc/33363/cmdline
Denied: r
Logfile: /var/log/audit/audit.log
(1498 found, most recent from 'Wed Dec 30 20:35:19 2020')
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /etc/hosts
Denied: r
Logfile: /var/log/audit/audit.log
(294 found, most recent from 'Thu Dec 31 02:55:41 2020')
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: mknod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: c
Logfile: /var/log/audit/audit.log
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: open
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: wrc
Logfile: /var/log/audit/audit.log
Profile: /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
Operation: chmod
Name: /var/lib/sss/pubconf/.krb5info_dummy_r07Rxk
Denied: w
Logfile: /var/log/audit/audit.log |
|
| 2021-01-18 22:56:26 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396453 |
|
| 2021-01-18 23:01:56 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396454 |
|
| 2021-01-20 04:23:01 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/396542 |
|
| 2021-01-21 00:53:28 |
Launchpad Janitor |
sssd (Ubuntu Hirsute): status |
New |
Fix Released |
|
| 2021-01-22 10:04:57 |
Robie Basak |
sssd (Ubuntu Groovy): status |
New |
Fix Committed |
|
| 2021-01-22 10:04:58 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-01-22 10:05:01 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
| 2021-01-22 10:05:04 |
Robie Basak |
tags |
server-next |
server-next verification-needed verification-needed-groovy |
|
| 2021-01-22 10:05:30 |
Robie Basak |
sssd (Ubuntu Focal): status |
New |
Fix Committed |
|
| 2021-01-22 10:05:36 |
Robie Basak |
tags |
server-next verification-needed verification-needed-groovy |
server-next verification-needed verification-needed-focal verification-needed-groovy |
|
| 2021-01-25 14:05:41 |
Sergio Durigan Junior |
tags |
server-next verification-needed verification-needed-focal verification-needed-groovy |
server-next verification-done-focal verification-needed verification-needed-groovy |
|
| 2021-01-25 14:10:21 |
Sergio Durigan Junior |
tags |
server-next verification-done-focal verification-needed verification-needed-groovy |
server-next verification-done-focal verification-done-groovy |
|
| 2021-02-02 21:53:23 |
Launchpad Janitor |
sssd (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
| 2021-02-02 21:53:32 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-02-08 09:56:42 |
Launchpad Janitor |
sssd (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-06-21 18:04:06 |
Mathew Hodson |
apparmor: status |
New |
Fix Released |
|
| 2021-10-28 00:42:04 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/410912 |
|
