2022-09-12 14:33:56 |
Marius Vollmer |
bug |
|
|
added bug |
2022-09-12 17:17:22 |
Martin Pitt |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001377 |
|
2022-09-12 17:17:22 |
Martin Pitt |
bug task added |
|
sssd (Debian) |
|
2022-09-13 15:48:56 |
Bug Watch Updater |
sssd (Debian): status |
Unknown |
New |
|
2022-09-13 20:42:21 |
Lucas Kanashiro |
bug |
|
|
added subscriber Ubuntu Server |
2022-09-14 01:22:21 |
Sergio Durigan Junior |
sssd (Ubuntu): status |
New |
Triaged |
|
2022-09-14 01:22:23 |
Sergio Durigan Junior |
sssd (Ubuntu): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2022-09-14 03:43:13 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Sergio Durigan Junior |
2022-09-14 03:43:21 |
Sergio Durigan Junior |
tags |
|
server-todo |
|
2022-09-14 23:17:45 |
Sergio Durigan Junior |
bug watch added |
|
https://github.com/SSSD/sssd/issues/6347 |
|
2022-09-14 23:17:45 |
Sergio Durigan Junior |
bug task added |
|
sssd |
|
2022-09-14 23:19:29 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Jammy |
|
2022-09-14 23:19:29 |
Sergio Durigan Junior |
bug task added |
|
sssd (Ubuntu Jammy) |
|
2022-09-14 23:19:29 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Kinetic |
|
2022-09-14 23:19:29 |
Sergio Durigan Junior |
bug task added |
|
sssd (Ubuntu Kinetic) |
|
2022-09-14 23:19:36 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): status |
New |
Triaged |
|
2022-09-14 23:19:39 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2022-09-14 23:21:06 |
Bug Watch Updater |
sssd: status |
Unknown |
New |
|
2022-09-15 19:17:12 |
Bug Watch Updater |
sssd (Debian): status |
New |
Confirmed |
|
2022-10-03 20:37:00 |
Bug Watch Updater |
sssd: status |
New |
Fix Released |
|
2022-10-04 22:54:16 |
Sergio Durigan Junior |
description |
This is the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001377
We found it now also with sssd 2.7.2-3ubuntu1 |
[ Impact ]
sssd will inadvertently change the UID/GID of the p11_child.log file when certain services are used for login, such as pam_sss. This can lead to subsequent "Permission denied" errors when using sssd-ifp's FindByValidCertificate method, which ultimately affects certificate validation for sssd-ifp users.
The problem actually happens because of uninitialized variables being used in the code. It is described in detail here:
https://github.com/SSSD/sssd/issues/6347#issuecomment-1255711607
[ Test Plan ]
$ lxc launch ubuntu-daily:kinetic sssd-bug1989356 --vm
$ lxc shell sssd-bug1989356
# apt update
# apt install -y sssd
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
domains = local
[domain/local]
id_provider = files
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# touch /var/log/sssd/p11_child.log
# ls -la /var/log/sssd/p11_child.log
# passwd ubuntu
<choose an easy password here>
# systemctl restart sssd.service
# login ubuntu
<type the easy password>
$ exit
# ls -la /var/log/sssd/p11_child.log
You will notice that the UID and/or GID of the p11_child.log file have changed.
[ Where problems could occur ]
TBD.
[ Original Description ]
This is the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001377
We found it now also with sssd 2.7.2-3ubuntu1 |
|
2022-10-04 23:11:08 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/431006 |
|
2022-10-04 23:12:45 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/431007 |
|
2022-10-04 23:22:37 |
Sergio Durigan Junior |
description |
[ Impact ]
sssd will inadvertently change the UID/GID of the p11_child.log file when certain services are used for login, such as pam_sss. This can lead to subsequent "Permission denied" errors when using sssd-ifp's FindByValidCertificate method, which ultimately affects certificate validation for sssd-ifp users.
The problem actually happens because of uninitialized variables being used in the code. It is described in detail here:
https://github.com/SSSD/sssd/issues/6347#issuecomment-1255711607
[ Test Plan ]
$ lxc launch ubuntu-daily:kinetic sssd-bug1989356 --vm
$ lxc shell sssd-bug1989356
# apt update
# apt install -y sssd
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
domains = local
[domain/local]
id_provider = files
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# touch /var/log/sssd/p11_child.log
# ls -la /var/log/sssd/p11_child.log
# passwd ubuntu
<choose an easy password here>
# systemctl restart sssd.service
# login ubuntu
<type the easy password>
$ exit
# ls -la /var/log/sssd/p11_child.log
You will notice that the UID and/or GID of the p11_child.log file have changed.
[ Where problems could occur ]
TBD.
[ Original Description ]
This is the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001377
We found it now also with sssd 2.7.2-3ubuntu1 |
[ Impact ]
sssd will inadvertently change the UID/GID of the p11_child.log file when certain services are used for login, such as pam_sss. This can lead to subsequent "Permission denied" errors when using sssd-ifp's FindByValidCertificate method, which ultimately affects certificate validation for sssd-ifp users.
The problem actually happens because of uninitialized variables being used in the code. It is described in detail here:
https://github.com/SSSD/sssd/issues/6347#issuecomment-1255711607
[ Test Plan ]
$ lxc launch ubuntu-daily:kinetic sssd-bug1989356 --vm
$ lxc shell sssd-bug1989356
# apt update
# apt install -y sssd
# cat > /etc/sssd/sssd.conf << __EOF__
[sssd]
domains = local
[domain/local]
id_provider = files
__EOF__
# chmod 0600 /etc/sssd/sssd.conf
# touch /var/log/sssd/p11_child.log
# ls -la /var/log/sssd/p11_child.log
# passwd ubuntu
<choose an easy password here>
# systemctl restart sssd.service
# login ubuntu
<type the easy password>
$ exit
# ls -la /var/log/sssd/p11_child.log
You will notice that the UID and/or GID of the p11_child.log file have changed.
[ Where problems could occur ]
The fix being SRU'd explicitly sets the UID/GID variables to "0" when no "--uid"/"--gid" parameters were passed while invoking the sssd services. This means that the services will run as root:root, and any files created by them will also be owned by this user/group. This should be OK, since:
* In order to run the services manually, the user needs to be root.
* If the user wants the services to run under a different UID/GID, they need to use the "--uid"/"--gid" parameters when invoking the binaries. In this case, the variables will assume the respective UID/GID values provided via the CLI.
I don't really believe it is possible, but if users have scripts that expect to be able to modify log files under the assumption that they will be writeable to their $USER, this will no longer hold true unless they explicitly invoke the sssd services with the proper "--uid"/"--gid" parameters. But then again, this should always have been the modus operandi.
[ Original Description ]
This is the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001377
We found it now also with sssd 2.7.2-3ubuntu1 |
|
2022-10-04 23:22:45 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): importance |
Undecided |
Medium |
|
2022-10-04 23:22:47 |
Sergio Durigan Junior |
sssd (Ubuntu Kinetic): importance |
Undecided |
Medium |
|
2022-10-05 20:38:57 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): status |
Triaged |
In Progress |
|
2022-10-05 20:39:02 |
Sergio Durigan Junior |
sssd (Ubuntu Kinetic): status |
Triaged |
Fix Committed |
|
2022-10-07 09:13:04 |
Timo Aaltonen |
sssd (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-10-07 09:13:06 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-10-07 09:13:08 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2022-10-07 09:13:11 |
Timo Aaltonen |
tags |
server-todo |
server-todo verification-needed verification-needed-jammy |
|
2022-10-08 09:39:19 |
Launchpad Janitor |
sssd (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
2022-10-20 03:16:36 |
Sergio Durigan Junior |
tags |
server-todo verification-needed verification-needed-jammy |
server-todo verification-done verification-done-jammy |
|
2022-10-25 08:32:07 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-10-25 08:32:01 |
Launchpad Janitor |
sssd (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-01-03 23:15:32 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/435089 |
|
2023-01-04 00:17:12 |
Sergio Durigan Junior |
merge proposal unlinked |
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/435089 |
|
|
2023-01-04 00:17:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/435089 |
|
2023-01-04 00:19:51 |
Sergio Durigan Junior |
merge proposal unlinked |
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/435089 |
|
|
2023-03-29 04:56:06 |
Bug Watch Updater |
sssd (Debian): status |
Confirmed |
Fix Released |
|