pam_sss messes up existing /var/log/sssd/p11_child.log permissions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd | Fix Released | Unknown | |
sssd (Debian) | Fix Released | Unknown | |
sssd (Ubuntu) | Fix Released | Medium | Sergio Durigan Junior |
Jammy | Fix Released | Medium | Sergio Durigan Junior |
Kinetic | Fix Released | Medium | Sergio Durigan Junior |
Bug Description
[ Impact ]
sssd will inadvertently change the UID/GID of the p11_child.log file when certain services are used for login, such as pam_sss. This can lead to subsequent "Permission denied" errors when using sssd-ifp's FindByValidCert.
The problem actually happens because of uninitialized variables being used in the code. It is described in detail here:
https:/
[ Test Plan ]
$ lxc launch ubuntu-
$ lxc shell sssd-bug1989356
# apt update
# apt install -y sssd
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
domains = local
[domain/local]
id_provider = files
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# touch /var/log/
# ls -la /var/log/
# passwd ubuntu
<choose an easy password here>
# systemctl restart sssd.service
# login ubuntu
<type the easy password>
$ exit
# ls -la /var/log/
You will notice that the UID and/or GID of the p11_child.log file have changed.
[ Where problems could occur ]
The fix being SRU'd explicitly sets the UID/GID variables to "0" when no "--uid"/"--gid" parameters were passed while invoking the sssd services. This means that the services will run as root:root, and any files created by them will also be owned by this user/group. This should be OK, since:
* In order to run the services manually, the user needs to be root.
* If the user wants the services to run under a different UID/GID, they need to use the "--uid"/"--gid" parameters when invoking the binaries. In this case, the variables will assume the respective UID/GID values provided via the CLI.
I don't really believe it is possible, but if users have scripts that expect to be able to modify log files under the assumption that they will be writeable to their $USER, this will no longer hold true unless they explicitly invoke the sssd services with the proper "--uid"/"--gid" parameters. But then again, this should always have been the modus operandi.
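The initialisation the fix describes, as an added example that is not sssd's code: uid/gid are assigned 0 before option parsing and only "--uid"/"--gid" override them, so the values are defined whichever way the service is invoked. The names sss_parse_owner and sss_should_chown are hypothetical, and the parsing uses getopt_long rather than sssd's own option handling.

```c
/* Added example, not sssd's code; sss_parse_owner/sss_should_chown are hypothetical. */
#include <errno.h>
#include <getopt.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse --uid/--gid. Returns 0 on success, -1 on a malformed value.
 * Both outputs are assigned 0 (root) before parsing, so they are defined
 * even when neither option is given: that is the fix. Without it a missing
 * --uid left stack garbage that the service then used to chown its log. */
static int sss_parse_owner(int argc, char **argv, uid_t *uid, gid_t *gid)
{
    static const struct option opts[] = {
        { "uid", required_argument, NULL, 'u' },
        { "gid", required_argument, NULL, 'g' },
        { NULL, 0, NULL, 0 }
    };
    int c;
    *uid = 0;
    *gid = 0;
    optind = 0;   /* glibc/musl: 0 fully resets getopt so the parser can be re-run */
    while ((c = getopt_long(argc, argv, "", opts, NULL)) != -1) {
        char *end;
        unsigned long v;
        if (c != 'u' && c != 'g')
            return -1;                 /* unknown option or missing argument */
        errno = 0;
        v = strtoul(optarg, &end, 10);
        if (errno != 0 || end == optarg || *end != '\0' || v > UINT_MAX)
            return -1;
        if (c == 'u')
            *uid = (uid_t)v;
        else
            *gid = (gid_t)v;
    }
    return 0;
}

/* Re-own the log only when its current owner differs from the requested
 * one; with uid/gid correctly initialised to 0, a root-owned
 * p11_child.log is left untouched. */
static int sss_should_chown(const struct stat *st, uid_t uid, gid_t gid)
{
    return st->st_uid != uid || st->st_gid != gid;
}
```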
[ Original Description ]
This is the same as https:/
We found it now also with sssd 2.7.2-3ubuntu1.
Related branches
- git-ubuntu bot: Approve
- Athos Ribeiro (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 219 lines (+197/-0), 3 files modified: debian/changelog (+8/-0), debian/patches/initialize-uid-gid-main-functions.patch (+188/-0), debian/patches/series (+1/-0)
Changed in sssd (Debian): status: Unknown → New
Changed in sssd (Ubuntu): status: New → Triaged; assignee: nobody → Sergio Durigan Junior (sergiodj)
Changed in sssd: status: Unknown → New
Changed in sssd (Debian): status: New → Confirmed
Changed in sssd: status: New → Fix Released
description: updated
description: updated
Changed in sssd (Ubuntu Jammy): importance: Undecided → Medium
Changed in sssd (Ubuntu Kinetic): importance: Undecided → Medium
Changed in sssd (Ubuntu Jammy): status: Triaged → In Progress
Changed in sssd (Ubuntu Kinetic): status: Triaged → Fix Committed
Changed in sssd (Debian): status: Confirmed → Fix Released
I was able to reproduce the issue, but not in a deterministic manner. In fact, most of the time I can't trigger the bug at all. I'm still not sure if it's something I'm messing up, or if this bug is indeed racy.
Here are the steps I'm taking to (try to) reproduce:
$ lxc launch ubuntu-daily:kinetic sssd-bug1989356
$ lxc shell sssd-bug1989356
# apt update
# apt install -y sssd
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
domains = local
[domain/local]
id_provider = files
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# touch /var/log/sssd/p11_child.log
# ls -la /var/log/sssd/p11_child.log
# passwd ubuntu
<choose an easy password here>
# systemctl restart sssd.service
# login ubuntu
<type the easy password>
$ exit
# ls -la /var/log/sssd/p11_child.log