Newline characters (\n) must be sanitized before LDAP requests take place.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sssd (Ubuntu) | Fix Released | Medium | Victor Tapia | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Yakkety | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* When a username with a trailing newline or carriage return character is used for authentication, the malformed LDAP query reports that the username does not exist, and the valid username's entry is then erased from the LDB cache.
[Test Case]
1. While the provider is online, request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/
asq: Unable to register control with rootdse!
# 0 entries
[Regression Potential]
* None, the sanitizer code is just extended for these two characters
[Other Info]
* Upstream bug: https:/
* Fix has been merged upstream
[Original Description]
Introducing valid usernames with trailing newline characters triggers the removal of valid LDB cache entries
Reproducer:
1. Request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/
asq: Unable to register control with rootdse!
# 0 entries
This is an excerpt from the logs of the request with the newline char:
(Tue Feb 28 16:07:40 2017) [sssd[be[
]
(Tue Feb 28 16:08:33 2017) [sssd[be[
)(objectclass=
(Tue Feb 28 16:08:33 2017) [sssd[be[
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_
At this point, the ldb entry removal request for ad1 (without \n) takes place via sysdb_delete_user.
Adding '\n' to the character list in sss_filter_
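As an added illustration (not code from the sssd project or from this report), the following Python sketch shows a filter-value sanitizer in the RFC 4515 style, first with a character list that covers only the filter metacharacters and NUL, and then extended with newline and carriage return in the way the fix described above does. The hex escape sequences chosen for the two new characters, the attribute names used in the lookup filter and all function names are assumptions for the example; sssd's own sss_filter_ helpers are not reproduced here.

```python
# Characters a minimal RFC 4515 sanitizer escapes: the LDAP filter
# metacharacters and NUL. This is the "before" state in the example.
_BASE_ESCAPES = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\\": r"\5c",
    "\0": r"\00",
}

# The fix discussed in the report extends the list with newline and
# carriage return. The hex escapes are an assumption, chosen in the same
# style as the existing ones so the value stays a single printable line.
_EXTENDED_ESCAPES = {**_BASE_ESCAPES, "\n": r"\0a", "\r": r"\0d"}


def sanitize_filter_value(value, escapes=_EXTENDED_ESCAPES):
    """Escape every character listed in `escapes`.

    Any character not in the table is passed through unchanged, so the
    base table lets a raw newline reach the LDAP filter untouched.
    """
    return "".join(escapes.get(ch, ch) for ch in value)


def build_user_filter(username, escapes=_EXTENDED_ESCAPES):
    """Embed a sanitized username in a user lookup filter.

    The attribute name `sAMAccountName` is an assumption for the example;
    `objectclass` appears in the log excerpt of the original report.
    """
    return "(&(sAMAccountName=%s)(objectclass=user))" % sanitize_filter_value(
        username, escapes
    )


def filter_is_single_line(ldap_filter):
    """Defensive check a caller can apply before sending a request:
    a filter that spans lines was built from unsanitized input."""
    return "\n" not in ldap_filter and "\r" not in ldap_filter


if __name__ == "__main__":
    # Constructed input: the reproducer's valid name with a trailing newline.
    raw_name = "ad1\n"

    before = build_user_filter(raw_name, _BASE_ESCAPES)
    after = build_user_filter(raw_name)

    # With the base table the filter still contains a literal newline;
    # with the extended table the newline becomes a visible escape.
    print(repr(before), filter_is_single_line(before))
    print(repr(after), filter_is_single_line(after))
```

The defensive `filter_is_single_line` check is a belt-and-braces step for callers that cannot be certain every input path went through the sanitizer; the real remedy, as the report says, is extending the sanitizer's character list so the value can never change the shape of the query.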
Upstream bug: https:/
tags: added: verification-failed; removed: verification-done-xenial verification-done-yakkety verification-needed
tags: added: verification-failed-xenial verification-failed-yakkety; removed: verification-failed
Upstream PR is at: https://github.com/SSSD/sssd/pull/178