Date | Who | What changed | Details (old → new, link, or message)
2022-12-08 22:49:22 | Kartik Subbarao | bug | added bug
2022-12-09 15:40:43 | Lena Voytek | nominated for series | Ubuntu Jammy
2022-12-09 15:40:43 | Lena Voytek | bug task added | sssd (Ubuntu Jammy)
2022-12-09 15:40:48 | Lena Voytek | sssd (Ubuntu Jammy): status | New → Confirmed
2022-12-12 17:44:09 | Lena Voytek | sssd (Ubuntu Jammy): importance | Undecided → Wishlist
2022-12-12 17:44:26 | Lena Voytek | sssd (Ubuntu Jammy): importance | Wishlist → Low
2022-12-13 12:23:35 | Lucas Kanashiro | bug | added subscriber Ubuntu Server
2023-03-28 12:58:52 | Launchpad Janitor | sssd (Ubuntu): status | New → Confirmed
2023-09-19 09:30:04 | Michał Małoszewski | sssd (Ubuntu): assignee | (none) → Michał Małoszewski (michal-maloszewski99)
2023-09-19 09:30:06 | Michał Małoszewski | sssd (Ubuntu Jammy): assignee | (none) → Michał Małoszewski (michal-maloszewski99)
2023-10-04 15:13:40 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/sssd/+git/sssd/+merge/452827
2023-10-04 15:23:54 | Michał Małoszewski | tags | apparmor → apparmor server-todo
2023-10-05 23:35:23 | Launchpad Janitor | sssd (Ubuntu): status | Confirmed → Fix Released
2023-10-06 15:08:41 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~michal-maloszewski99/ubuntu/+source/sssd/+git/sssd/+merge/453061
2023-10-09 15:10:27 | Michał Małoszewski | description | old value → new value (both quoted below)
Old value:
I noticed these kinds of extraneous ALLOWED messages from apparmor in /var/log/syslog:
=====
Dec 8 15:24:33 ubuntu2204.example.com kernel: [171969.873642] audit: type=1400 audit(1670538273.822:1820): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=727740 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 8 15:24:51 ubuntu2204.example.com kernel: [171987.659148] audit: type=1400 audit(1670538291.605:1821): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=727739 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
=====
As a workaround to silence these, I added the following lines to /etc/apparmor.d/local/usr.sbin/sssd:
@{PROC}/[0-9]*/cmdline r,
/run/systemd/users/* r,
I'm guessing the proper fix is to add these lines to /etc/apparmor.d/usr.sbin.sssd in the package.
New value:
[Impact]
* Users of sssd reported extraneous ALLOWED messages from apparmor in /var/log/syslog while trying to log in to the server via ssh.
* This crash is caused by the lack of some entries in the apparmor-profile file.
The fix is to add:
- #include <abstractions/openssl>
- @{PROC}/[0-9]*/cmdline r,
- /var/lib/sss/mc/* rwk,
- /{,var/}run/systemd/users/* r,
in the right order to the apparmor-profile file.
[Test Plan]
lxc launch ubuntu:22.04 test1
lxc shell test1
Example of failed output:
Example of successful output:
TBD.
[Where problems could occur]
* @{PROC}/[0-9]*/cmdline r, - the line that has been added allows SSSD processes to read the /proc/[pid]/cmdline files of other processes. Reading them gives access to the command-line arguments of other processes; it might become an issue in the future if this access is not used appropriately and exposes sensitive information, however this is unlikely.
* There is an additional possible regression related to the line
- /{,var/}run/systemd/users/* r,
as there might be a regression related to user sessions managed by systemd.
-------------------------original bug report------------------------------------
I noticed these kinds of extraneous ALLOWED messages from apparmor in /var/log/syslog:
=====
Dec 8 15:24:33 ubuntu2204.example.com kernel: [171969.873642] audit: type=1400 audit(1670538273.822:1820): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=727740 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 8 15:24:51 ubuntu2204.example.com kernel: [171987.659148] audit: type=1400 audit(1670538291.605:1821): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=727739 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
=====
As a workaround to silence these, I added the following lines to /etc/apparmor.d/local/usr.sbin/sssd:
@{PROC}/[0-9]*/cmdline r,
/run/systemd/users/* r,
I'm guessing the proper fix is to add these lines to /etc/apparmor.d/usr.sbin.sssd in the package.
2023-10-17 00:20:40 | Michał Małoszewski | description | old value → new value (both quoted below)
Old value:
(identical to the new value of the 2023-10-09 description edit above; not repeated here)
New value:
[Impact]
* Users of sssd reported extraneous ALLOWED messages from apparmor in /var/log/syslog while trying to log in to the server via ssh.
* This crash is caused by the lack of some entries in the apparmor-profile file.
The fix is to add:
- #include <abstractions/openssl>
- @{PROC}/[0-9]*/cmdline r,
- /var/lib/sss/mc/* rwk,
- /{,var/}run/systemd/users/* r,
in the right order to the apparmor-profile file.
[Test Plan]
lxc launch ubuntu:22.04 test1
lxc shell test1
1. # apt install slapd ldap-utils -y
2. # dpkg-reconfigure slapd
3. # apt install sssd
4. # vim /etc/ssh/sssd.conf
5. Enter a configuration that fits your system.
6. # systemctl restart sssd
7. # systemctl enable sssd
8. Exit the container.
9. SSH into that container.
10. Check /var/log/syslog.
Example of failed output:
Oct 16 18:55:31 ubuntu2204.example.com kernel: [171965.873242] audit: type=1400 audit(1673538673.812:1220): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=712698 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 16 18:55:31 ubuntu2204.example.com kernel: [174187.653158] audit: type=1400 audit(1679438151.423:1221): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=712735 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Example of successful output:
No apparmor messages like these present.
[Where problems could occur]
* @{PROC}/[0-9]*/cmdline r, - the line that has been added allows SSSD processes to read the /proc/[pid]/cmdline files of other processes. Reading them gives access to the command-line arguments of other processes; it might become an issue in the future if this access is not used appropriately and exposes sensitive information, however this is unlikely.
* There is an additional possible regression related to the line
- /{,var/}run/systemd/users/* r,
as there might be a regression related to user sessions managed by systemd.
-------------------------original bug report------------------------------------
I noticed these kinds of extraneous ALLOWED messages from apparmor in /var/log/syslog:
=====
Dec 8 15:24:33 ubuntu2204.example.com kernel: [171969.873642] audit: type=1400 audit(1670538273.822:1820): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=727740 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 8 15:24:51 ubuntu2204.example.com kernel: [171987.659148] audit: type=1400 audit(1670538291.605:1821): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=727739 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
=====
As a workaround to silence these, I added the following lines to /etc/apparmor.d/local/usr.sbin/sssd:
@{PROC}/[0-9]*/cmdline r,
/run/systemd/users/* r,
I'm guessing the proper fix is to add these lines to /etc/apparmor.d/usr.sbin.sssd in the package.
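The apparmor="ALLOWED" lines quoted in the report carry a denied_mask even though the access went through: that is what AppArmor logs when a profile is in complain mode, so each such line marks an access the usr.sbin.sssd profile does not cover and which would turn into a DENIED (and a broken login path) if the profile were switched to enforce mode. The script below is an added example, not code from the bug, the sssd package or Ubuntu's apparmor-utils: it parses audit lines of this shape, counts ALLOWED and DENIED events per profile, and turns each ALLOWED file access into a candidate profile rule, generalising numeric path components the way the fix in this bug does (/proc/<pid>/ becomes @{PROC}/[0-9]*/, a numeric leaf such as a uid directory becomes *). The first two sample lines are the ones from the report; the third and fourth are constructed here, and the generalisation heuristic is this example's own (it does not produce the /{,var/}run/ alternation the final fix uses).

```python
import re
from collections import Counter

# Sample input: lines 1-2 are the audit messages quoted in the bug report; lines 3-4 are
# constructed for this example to show a DENIED event and a non-AppArmor line being skipped.
SAMPLE_LOG = """\
Dec 8 15:24:33 ubuntu2204.example.com kernel: [171969.873642] audit: type=1400 audit(1670538273.822:1820): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/12345" pid=727740 comm="sssd_pam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 8 15:24:51 ubuntu2204.example.com kernel: [171987.659148] audit: type=1400 audit(1670538291.605:1821): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/proc/770129/cmdline" pid=727739 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 8 15:25:02 ubuntu2204.example.com kernel: [171998.100000] audit: type=1400 audit(1670538302.100:1822): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/var/lib/sss/mc/passwd" pid=727741 comm="sssd_nss" requested_mask="wk" denied_mask="wk" fsuid=0 ouid=0
Dec 8 15:25:10 ubuntu2204.example.com sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# type=1400 is the audit record type AppArmor uses; everything after "audit(...): " is key=value pairs.
AUDIT_RE = re.compile(r'audit: type=1400 audit\([^)]*\): (?P<fields>apparmor=.*)$')
# Values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None for other lines."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group("fields"))}


def suggest_rule(event):
    """Turn one file-access event into a candidate profile rule.

    Heuristic (this example's own): numeric path components are replaced by [0-9]* under
    /proc (a pid) and by * elsewhere (e.g. a uid directory), and /proc is written as @{PROC}.
    """
    parts = event["name"].split("/")
    under_proc = parts[:2] == ["", "proc"]
    generalised = []
    for part in parts:
        if part.isdigit():
            generalised.append("[0-9]*" if under_proc else "*")
        else:
            generalised.append(part)
    path = "/".join(generalised)
    if under_proc:
        path = "@{PROC}/" + path[len("/proc/"):]
    return f"{path} {event['requested_mask']},"


def audit_report(log_text):
    """Summarise a log excerpt.

    Returns (counts, rules): counts maps (profile, ALLOWED|DENIED) to a number of events, and
    rules lists, in first-seen order, the candidate rules for accesses that only succeeded
    because the profile is in complain mode (these are what would break under enforce mode).
    """
    counts = Counter()
    rules = []
    for line in log_text.splitlines():
        event = parse_apparmor_line(line)
        if event is None:
            continue
        counts[(event["profile"], event["apparmor"])] += 1
        if event["apparmor"] == "ALLOWED" and "name" in event:
            rule = suggest_rule(event)
            if rule not in rules:
                rules.append(rule)
    return counts, rules


if __name__ == "__main__":
    counts, rules = audit_report(SAMPLE_LOG)
    for (profile, status), n in sorted(counts.items()):
        print(f"{profile}: {status} x{n}")
    print("Rules the profile needs before it can be switched to enforce mode:")
    for rule in rules:
        print("  " + rule)
```

On the sample above the report counts two ALLOWED and one DENIED event for /usr/sbin/sssd and proposes exactly the two rules the original reporter added to the local override; the DENIED event is counted but gets no rule, since a denial means the profile already decided, and whether to permit it is a review decision rather than a log-driven one.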
2023-10-18 15:16:08 | Robie Basak | sssd (Ubuntu Jammy): assignee | Michał Małoszewski (michal-maloszewski99) → (none)
2023-10-20 13:15:30 | Paride Legovini | sssd (Ubuntu Jammy): status | Confirmed → Triaged
2023-10-25 15:11:56 | Robie Basak | tags | apparmor server-todo → apparmor bitesize server-todo
2023-11-01 15:08:18 | Sergio Durigan Junior | tags | apparmor bitesize server-todo → apparmor bitesize
2023-11-12 12:02:06 | Andreas Roth | bug | added subscriber Andreas Roth
2024-01-03 17:02:15 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/457904
2024-01-03 17:13:17 | Sergio Durigan Junior | merge proposal unlinked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/457904
2024-01-17 21:02:03 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/457904
2024-02-26 19:16:46 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/461283
2024-02-26 19:17:02 | Sergio Durigan Junior | merge proposal unlinked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/461283
2024-03-04 19:33:27 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/461744
2024-03-04 19:41:52 | Sergio Durigan Junior | merge proposal unlinked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/461744
2024-03-08 16:25:11 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/461744
2024-06-24 21:01:41 | Launchpad Janitor | merge proposal linked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/468108
2024-06-24 21:13:30 | Sergio Durigan Junior | merge proposal unlinked | https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/468108