| Summary: | The multicast check is wrong in the sudo source code getting the host info | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Fabrice Robin <fabrice.robin> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | abokovoy, jhrozek, lslebodn, okos, pbrezina, sbose, sgallagh, ssorce |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.11.1-1.fc19 | Doc Type: | Bug Fix |
| Last Closed: | 2013-10-01 02:16:33 UTC | Type: | Bug |

Ooof, thank you very much for reporting this bug. I'll prepare a fix right away.

Upstream ticket: https://fedorahosted.org/sssd/ticket/2087

Patch sent upstream.

Fixed upstream:
master: 6982b488e03b8e29e186f0c54cf5f80438cceadd
sssd-1-11: a9b2c8fb47fc334c7ba9b229cde18d168059c096

sssd-1.11.0-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.0-3.fc19

Package sssd-1.11.0-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-3.fc19'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17764/sssd-1.11.0-3.fc19
then log in and leave karma (feedback).

sssd-1.11.1-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.1-1.fc19

sssd-1.11.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
Using the LDAP attribute sudoHost, users are always refused when executing a sudo command if the sudoHost is an IPv4 address or subnet.

Version-Release number of selected component (if applicable):
sssd 1.11.0
sudo 1.8.6p7
sssd-ldap 1.11.0
sssd-common 1.11.0

How reproducible:
Always (but only when using the NetworkManager service... When switching to the "network" service, this bug disappears!)

Steps to Reproduce:
1. In OpenLDAP, fill a user entry with a "sudoHost" attribute with a subnet: "192.168.101.0/24"
2. On a fresh Fedora 19 machine which is in the subnet "192.168.101.0/24", and which has the NetworkManager service installed, the user tries to execute the command "sudo -l"
3.

Actual results:
"User xxxx is not allowed to run sudo on machine"

Expected results:
The user is allowed to run sudo on the machine

Additional info:
This is an old anomaly we have faced for a long time. After a little bit of debugging and digging in the code, it seems a filter on multicast addresses is wrong in

./src/providers/ldap/sdap_async_sudo_hostinfo.c:242: if (IN_MULTICAST(ip4_addr->sin_addr.s_addr)) {

In fact, a conversion with "ntohl" is needed here:

./src/providers/ldap/sdap_async_sudo_hostinfo.c:242: if (IN_MULTICAST(ntohl(ip4_addr->sin_addr.s_addr))) {

Without ntohl, the IPv4 addresses or subnets are seen as multicast and therefore are filtered...

I see that a similar bug has been fixed in February for IPA:
https://bugzilla.redhat.com/show_bug.cgi?id=790105
https://fedorahosted.org/sssd/ticket/1804

There may also be another similar bug in

./src/monitor/monitor_netlink.c:613: return IN_MULTICAST(addr4->s_addr);

You cannot imagine how much I'm looking forward to this bug being corrected :-)
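
The byte-order problem described in the report, as an added C example that is not sssd code and not part of the original report: it applies IN_MULTICAST() to s_addr with and without ntohl() over constructed sample addresses. The helper names and the sample addresses are assumptions; on a little-endian host such as x86_64 the unconverted check ends up testing the last octet of the address instead of the first.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/* Unconverted check, as quoted in the report: IN_MULTICAST() is applied
 * to s_addr, which is stored in network byte order. */
static int is_multicast_unconverted(struct in_addr a)
{
    return IN_MULTICAST(a.s_addr) ? 1 : 0;
}

/* Check with the ntohl() conversion proposed in the report. */
static int is_multicast_converted(struct in_addr a)
{
    return IN_MULTICAST(ntohl(a.s_addr)) ? 1 : 0;
}

/* Parse a dotted quad (hypothetical helper); 0.0.0.0 if the text is invalid. */
static struct in_addr parse_ip4(const char *text)
{
    struct in_addr a = { 0 };
    if (inet_pton(AF_INET, text, &a) != 1)
        a.s_addr = 0;
    return a;
}

/* 1 when the host stores integers least-significant byte first. */
static int host_is_little_endian(void)
{
    return htonl(1) != 1;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the report. */
    const char *samples[] = { "192.168.101.5", "192.168.101.230",
                              "224.0.0.1", "239.255.255.250" };
    size_t i;

    printf("little-endian host: %d\n", host_is_little_endian());
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct in_addr a = parse_ip4(samples[i]);
        printf("%-16s unconverted=%d converted=%d\n", samples[i],
               is_multicast_unconverted(a), is_multicast_converted(a));
    }
    return 0;
}
```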