| 2017-03-03 08:48:48 |
Victor Tapia |
bug |
|
|
added bug |
| 2017-03-07 00:28:34 |
Nish Aravamudan |
sssd (Ubuntu): status |
New |
Triaged |
|
| 2017-03-07 00:28:44 |
Nish Aravamudan |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2017-03-07 08:32:15 |
Victor Tapia |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-03-07 08:32:15 |
Victor Tapia |
nominated for series |
|
Ubuntu Trusty |
|
| 2017-03-07 08:32:15 |
Victor Tapia |
nominated for series |
|
Ubuntu Zesty |
|
| 2017-03-07 08:32:15 |
Victor Tapia |
nominated for series |
|
Ubuntu Yakkety |
|
| 2017-03-10 13:44:20 |
Victor Tapia |
description |
Introducing valid usernames with trailing newline characters triggers the removal of valid LDB cache entries
Reproducer:
1. Request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
This is an excerpt from the logs of the request with the newline char:
(Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1
]
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1
)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
At this point, the ldb entry removal request for ad1 (without \n) takes place via sysdb_delete_user.
Adding '\n' to the character list in sss_filter_sanitize_ex() seems to fix this issue.
Upstream bug: https://pagure.io/SSSD/sssd/issue/3317 |
[Impact]
* When a username with a trailing newline or carriage return character is used for authentication, the malformed LDAP query will return that the username does not exist and then the username will be erased from the LDB cache.
[Test Case]
1. While the provider is online, request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
[Regression Potential]
* None, the sanitizer code is just extended for these two characters
[Other Info]
* Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
* Fix has been merged upstream
[Original Description]
Introducing valid usernames with trailing newline characters triggers the removal of valid LDB cache entries
Reproducer:
1. Request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
This is an excerpt from the logs of the request with the newline char:
(Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1
]
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1
)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
At this point, the ldb entry removal request for ad1 (without \n) takes place via sysdb_delete_user.
Adding '\n' to the character list in sss_filter_sanitize_ex() seems to fix this issue.
Upstream bug: https://pagure.io/SSSD/sssd/issue/3317 |
|
| 2017-03-10 13:44:54 |
Victor Tapia |
attachment added |
|
xenial-sssd_1.13.4-1ubuntu1.4.debdiff https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1669712/+attachment/4835274/+files/xenial-sssd_1.13.4-1ubuntu1.4.debdiff |
|
| 2017-03-10 13:45:14 |
Victor Tapia |
attachment added |
|
yakkety-sssd_1.13.4-3ubuntu0.3.debdiff https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1669712/+attachment/4835275/+files/yakkety-sssd_1.13.4-3ubuntu0.3.debdiff |
|
| 2017-03-10 13:45:28 |
Victor Tapia |
attachment added |
|
zesty-sssd_1.15.0-3ubuntu5.debdiff https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1669712/+attachment/4835276/+files/zesty-sssd_1.15.0-3ubuntu5.debdiff |
|
| 2017-03-10 13:45:49 |
Victor Tapia |
attachment added |
|
trusty-sssd_1.11.8-0ubuntu0.7.debdiff https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1669712/+attachment/4835277/+files/trusty-sssd_1.11.8-0ubuntu0.7.debdiff |
|
| 2017-03-10 16:27:35 |
Ubuntu Foundations Team Bug Bot |
tags |
sts |
patch sts |
|
| 2017-03-10 16:27:42 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2017-03-12 07:12:14 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
| 2017-03-28 12:20:43 |
Timo Aaltonen |
sssd (Ubuntu Xenial): status |
New |
Fix Committed |
|
| 2017-03-28 12:20:45 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-03-28 12:20:46 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
| 2017-03-28 12:20:49 |
Timo Aaltonen |
tags |
patch sts |
patch sts verification-needed |
|
| 2017-03-28 12:21:08 |
Timo Aaltonen |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2017-03-28 12:31:38 |
Timo Aaltonen |
sssd (Ubuntu Yakkety): status |
New |
Fix Committed |
|
| 2017-03-30 15:56:11 |
Victor Tapia |
tags |
patch sts verification-needed |
patch sts verification-done-xenial verification-needed |
|
| 2017-03-31 09:04:24 |
Victor Tapia |
tags |
patch sts verification-done-xenial verification-needed |
patch sts verification-done-xenial verification-done-yakkety verification-needed |
|
| 2017-04-12 15:39:29 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
| 2017-04-12 17:39:03 |
Victor Tapia |
tags |
patch sts verification-done-xenial verification-done-yakkety verification-needed |
patch sts verification-failed |
|
| 2017-04-12 18:11:11 |
Victor Tapia |
tags |
patch sts verification-failed |
patch sts verification-failed-xenial verification-failed-yakkety |
|
| 2017-04-25 14:18:32 |
Łukasz Zemczak |
tags |
patch sts verification-failed-xenial verification-failed-yakkety |
patch sts verification-failed-xenial verification-failed-yakkety verification-needed |
|
| 2017-05-04 10:55:22 |
Victor Tapia |
tags |
patch sts verification-failed-xenial verification-failed-yakkety verification-needed |
patch sts verification-done-xenial verification-done-yakkety verification-needed |
|
| 2017-05-04 17:07:59 |
Launchpad Janitor |
sssd (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2017-05-04 17:08:14 |
Launchpad Janitor |
sssd (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
| 2017-05-22 14:43:56 |
Andy Whitcroft |
bug task added |
|
sssd (Ubuntu Trusty) |
|
| 2017-05-22 14:44:31 |
Andy Whitcroft |
sssd (Ubuntu Trusty): status |
New |
Fix Committed |
|
| 2017-05-25 16:01:06 |
Victor Tapia |
tags |
patch sts verification-done-xenial verification-done-yakkety verification-needed |
patch sts verification-done |
|
| 2017-06-01 14:02:33 |
Launchpad Janitor |
sssd (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
| 2017-06-01 14:02:50 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2017-06-01 20:41:50 |
Nish Aravamudan |
sssd (Ubuntu): status |
Triaged |
Fix Released |
|
