Newline characters (\n) must be sanitized before LDAP requests take place.

Bug #1669712 reported by Victor Tapia on 2017-03-03
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Medium
Victor Tapia
Nominated for Trusty by Victor Tapia
Nominated for Xenial by Victor Tapia
Nominated for Yakkety by Victor Tapia
Nominated for Zesty by Victor Tapia
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned

Bug Description

[Impact]

 * When a username with a trailing newline or carriage return character is used for authentication, the malformed LDAP query will return that the username does not exist and then the username will be erased from the LDB cache.

[Test Case]

 1. While the provider is online, request a valid user and confirm it's cached:

ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash

ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

 2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'

 3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries

[Regression Potential]

 * None, the sanitizer code is just extended for these two characters

[Other Info]

 * Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
 * Fix has been merged upstream

[Original Description]

Introducing valid usernames with trailing newline characters triggers the removal of valid LDB cache entries

Reproducer:

1. Request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash

ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'

3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries

This is an excerpt from the logs of the request with the newline char:

(Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1
]

(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1
)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call

At this point, the ldb entry removal request for ad1 (without \n) takes place via sysdb_delete_user.

Adding '\n' to the character list in sss_filter_sanitize_ex() seems to fix this issue.

Upstream bug: https://pagure.io/SSSD/sssd/issue/3317

Nish Aravamudan (nacc) wrote :
Changed in sssd (Ubuntu):
status: New → Triaged
Victor Tapia (vtapia) wrote :
description: updated
Victor Tapia (vtapia) wrote :
Victor Tapia (vtapia) wrote :
Victor Tapia (vtapia) wrote :

The attachment "xenial-sssd_1.13.4-1ubuntu1.4.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch

Hello Victor, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Timo Aaltonen (tjaalton) wrote :

Hello Victor, or anyone else affected,

Accepted sssd into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-3ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Yakkety):
status: New → Fix Committed
Victor Tapia (vtapia) wrote :

# VERIFICATION FOR XENIAL

Following the instructions in the description, 'user1' is present in the db:

root@vtapia-xenial:/var/log/sssd# sudo sss_cache -E; getent passwd 'user1'
root@vtapia-xenial:/var/log/sssd# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

And after a manipulated user request, the entry in the db persists:
root@vtapia-xenial:/var/log/sssd# sudo sss_cache -E; getent passwd 'user1
> '
root@vtapia-xenial:/var/log/sssd# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

The log shows how the username has been sanitized:

(Thu Mar 30 13:55:19 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].

tags: added: verification-done-xenial
Victor Tapia (vtapia) wrote :

# VERIFICATION FOR YAKKETY

Using the same verification used for Xenial:

root@vtapia-yakkety:/home/ubuntu# sss_cache -E; getent passwd 'user1'
user1:*:10000:5000:user1:/home/user1:/bin/bash
root@vtapia-yakkety:/home/ubuntu# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
root@vtapia-yakkety:/home/ubuntu# sudo sss_cache -E; getent passwd 'user1
> '
root@vtapia-yakkety:/home/ubuntu# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

The log shows the sanitization:

(Fri Mar 31 09:00:30 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].

So far, both xenial and yakkety are working as expected

tags: added: verification-done-yakkety

An upload of sssd to trusty-proposed has been rejected from the upload queue for the following reason: "This upload adds a new patch and renames existing patches.".

Victor Tapia (vtapia) on 2017-04-12
tags: added: verification-failed
removed: verification-done-xenial verification-done-yakkety verification-needed
Victor Tapia (vtapia) on 2017-04-12
tags: added: verification-failed-xenial verification-failed-yakkety
removed: verification-failed

Hello Victor, or anyone else affected,

Accepted sssd into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-3ubuntu0.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Łukasz Zemczak (sil2100) wrote :

Hello Victor, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers