pam_sss messes up existing /var/log/sssd/p11_child.log permissions

Bug #1989356 reported by Marius Vollmer
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
sssd | Fix Released | Unknown | |
sssd (Debian) | Fix Released | Unknown | |
sssd (Ubuntu) | Fix Released | Medium | Sergio Durigan Junior |
Jammy | Fix Released | Medium | Sergio Durigan Junior |
Kinetic | Fix Released | Medium | Sergio Durigan Junior |

Bug Description

[ Impact ]

sssd will inadvertently change the UID/GID of the p11_child.log file when certain services are used for login, such as pam_sss. This can lead to subsequent "Permission denied" errors when using sssd-ifp's FindByValidCertificate method, which ultimately affects certificate validation for sssd-ifp users.

The problem actually happens because of uninitialized variables being used in the code. It is described in detail here:

https://github.com/SSSD/sssd/issues/6347#issuecomment-1255711607

[ Test Plan ]

$ lxc launch ubuntu-daily:kinetic sssd-bug1989356 --vm
$ lxc shell sssd-bug1989356
# apt update
# apt install -y sssd
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
domains = local

[domain/local]
id_provider = files
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# touch /var/log/sssd/p11_child.log
# ls -la /var/log/sssd/p11_child.log
# passwd ubuntu
<choose an easy password here>
# systemctl restart sssd.service
# login ubuntu
<type the easy password>
$ exit
# ls -la /var/log/sssd/p11_child.log

You will notice that the UID and/or GID of the p11_child.log file have changed.

[ Where problems could occur ]

The fix being SRU'd explicitly sets the UID/GID variables to "0" when no "--uid"/"--gid" parameters were passed while invoking the sssd services. This means that the services will run as root:root, and any files created by them will also be owned by this user/group. This should be OK, since:

* In order to run the services manually, the user needs to be root.

* If the user wants the services to run under a different UID/GID, they need to use the "--uid"/"--gid" parameters when invoking the binaries. In this case, the variables will assume the respective UID/GID values provided via the CLI.

I don't really believe it is possible, but if users have scripts that expect to be able to modify log files under the assumption that they will be writeable to their $USER, this will no longer hold true unless they explicitly invoke the sssd services with the proper "--uid"/"--gid" parameters. But then again, this should always have been the modus operandi.

[ Original Description ]

This is the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001377

We found it now also with sssd 2.7.2-3ubuntu1
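
The bug class described in the report above, as an added example that is not sssd's code: a "main"-style option parser that assigns the UID/GID only when "--uid"/"--gid" are present, next to the form that defaults both to 0. All names are hypothetical, and the `stale` argument (a constructed value) stands in for the indeterminate contents of an uninitialized stack variable so the result is reproducible.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical holder for the identity a helper later chowns its log file to. */
struct log_owner { uid_t uid; gid_t gid; };

/* Writes a field only when its option is present; anything already in *o
 * survives otherwise. */
static void parse_owner_args(int argc, char **argv, struct log_owner *o)
{
    for (int i = 1; i + 1 < argc; i += 2) {
        if (strcmp(argv[i], "--uid") == 0)
            o->uid = (uid_t)strtoul(argv[i + 1], NULL, 10);
        else if (strcmp(argv[i], "--gid") == 0)
            o->gid = (gid_t)strtoul(argv[i + 1], NULL, 10);
    }
}

/* "Before": no defaults. `stale` models what an uninitialized local would
 * happen to contain; without options it becomes the log file's owner. */
struct log_owner owner_unfixed(int argc, char **argv, struct log_owner stale)
{
    struct log_owner o = stale;
    parse_owner_args(argc, argv, &o);
    return o;
}

/* "After": default to 0:0 (root:root); only explicit options override it. */
struct log_owner owner_fixed(int argc, char **argv)
{
    struct log_owner o = { .uid = 0, .gid = 0 };
    parse_owner_args(argc, argv, &o);
    return o;
}

int main(void)
{
    char *no_opts[] = { "helper" };          /* constructed argv, no --uid/--gid */
    struct log_owner o = owner_fixed(1, no_opts);
    return (o.uid == 0 && o.gid == 0) ? 0 : 1;
}
```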

Changed in sssd (Debian):
status: Unknown → New
Changed in sssd (Ubuntu):
status: New → Triaged
assignee: nobody → Sergio Durigan Junior (sergiodj)
Sergio Durigan Junior (sergiodj) wrote :

I was able to reproduce the issue, but not in a deterministic manner. In fact, most of the time I can't trigger the bug at all. I'm still not sure if it's something I'm messing up, or if this bug is indeed racy.

Here are the steps I'm taking to (try to) reproduce:

$ lxc launch ubuntu-daily:kinetic sssd-bug1989356
$ lxc shell sssd-bug1989356
# apt update
# apt install -y sssd
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
domains = local

[domain/local]
id_provider = files
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# touch /var/log/sssd/p11_child.log
# ls -la /var/log/sssd/p11_child.log
# passwd ubuntu
<choose an easy password here>
# systemctl restart sssd.service
# login ubuntu
<type the easy password>
$ exit
# ls -la /var/log/sssd/p11_child.log

tags: added: server-todo
Sergio Durigan Junior (sergiodj) wrote :

It seems like if I use a VM instead of a container (i.e., pass "--vm" to "lxc launch") I can reproduce the bug consistently.

Sergio Durigan Junior (sergiodj) wrote :

I filed an upstream bug, but I'm still investigating and trying to determine what's going on.

Changed in sssd (Ubuntu Jammy):
status: New → Triaged
assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd:
status: Unknown → New
Changed in sssd (Debian):
status: New → Confirmed
Changed in sssd:
status: New → Fix Released
Marius Vollmer (marius-vollmer-gmail) wrote :

Super excellent work, thanks a lot!

Sergio Durigan Junior (sergiodj) wrote : Re: [Bug 1989356] Re: pam_sss messes up existing /var/log/sssd/p11_child.log permissions

On Tuesday, October 04 2022, Marius Vollmer wrote:

> Super excellent work, thanks a lot!

Thanks. I'll work on SRUing the fix into Jammy/Kinetic later today.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

description: updated
description: updated
Changed in sssd (Ubuntu Jammy):
importance: Undecided → Medium
Changed in sssd (Ubuntu Kinetic):
importance: Undecided → Medium
Changed in sssd (Ubuntu Jammy):
status: Triaged → In Progress
Changed in sssd (Ubuntu Kinetic):
status: Triaged → Fix Committed
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Marius, or anyone else affected,

Accepted sssd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/2.6.3-1ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.7.3-2ubuntu2

---------------
sssd (2.7.3-2ubuntu2) kinetic; urgency=medium

  * d/p/initialize-uid-gid-main-functions.patch: Initialize UID/GID
    variables in "main" functions, preventing inadvertent changes in
    p11_child.log file permissions. (LP: #1989356)

 -- Sergio Durigan Junior <email address hidden> Tue, 04 Oct 2022 19:00:49 -0400

Changed in sssd (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Sergio Durigan Junior (sergiodj) wrote :

Performing the verification for Jammy.

First, reproducing the issue:

# systemctl restart sssd.service
# login ubuntu
...
# ls -la /var/log/sssd/p11_child.log
-rw-r--r-- 1 root 65 0 Oct 20 03:12 /var/log/sssd/p11_child.log

# apt policy sssd
sssd:
  Installed: 2.6.3-1ubuntu3.1
  Candidate: 2.6.3-1ubuntu3.1
  Version table:
 *** 2.6.3-1ubuntu3.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.3-1ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Now, confirming that the new package fixes the bug:

# rm /var/log/sssd/p11_child.log
# touch /var/log/sssd/p11_child.log
# systemctl restart sssd.service
# login ubuntu
...
# ls -la /var/log/sssd/p11_child.log
-rw-r--r-- 1 root root 0 Oct 20 03:15 /var/log/sssd/p11_child.log

# apt policy sssd
sssd:
  Installed: 2.6.3-1ubuntu3.2
  Candidate: 2.6.3-1ubuntu3.2
  Version table:
 *** 2.6.3-1ubuntu3.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.3-1ubuntu3.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     2.6.3-1ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

This concludes the verification.

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.6.3-1ubuntu3.2

---------------
sssd (2.6.3-1ubuntu3.2) jammy; urgency=medium

  * d/p/initialize-uid-gid-main-functions.patch: Initialize UID/GID
    variables in "main" functions, preventing inadvertent changes in
    p11_child.log file permissions. (LP: #1989356)

 -- Sergio Durigan Junior <email address hidden> Tue, 04 Oct 2022 19:04:33 -0400

Changed in sssd (Ubuntu Jammy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in sssd (Debian):
status: Confirmed → Fix Released