Bug 1285339
Summary: | nss_mymachines can poison the nscd cache | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
Component: | glibc | Assignee: | glibc team <glibc-bugzilla> |
Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | arjun.is, codonell, dj, fweimer, jakub, johannbg, law, lnykryn, lpoetter, mfabian, msekleta, pfrankli, siddhesh, s, ssorce, systemd-maint, zbyszek |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-10-30 13:23:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1285267 |
Description
Florian Weimer
2015-11-25 12:26:16 UTC
Hmm, which container manager is this? nspawn? docker? Did you use user namespacing in the container? Apparently there's no NSS entry point that would allow us to pass a TTL for each user or group, like there is for host lookups. This is nasty, and means outdated user/group data might linger uncontrolled. But that's really breakage in nscd that needs to be fixed there. Other than that, I will now change nss-mymachines so that it will it exclude itself from all lookups if no user translation actually took place, or if the translated users is < 0x10000 (which we consider strictly private the host UIDs). This should guarantee that nss-mymachines can never be used to create nscd cache records for UIDs outside of ranges that are explicitly assigned for user namespace mappings. (In reply to Lennart Poettering from comment #1) > Hmm, which container manager is this? nspawn? docker? systemd-nspwan, without --private-users. THe mentioned fix is here: https://github.com/systemd/systemd/pull/2576 The fix went in now. I'll consider this fixed from the systemd perspective. Will now reassign to glibc, since we cannot solve this fully unless nscd provides a way to set a ttl for grp/pwd entries passed to it, the same way it supports it for hosts entries... (In reply to Lennart Poettering from comment #5) > The fix went in now. I'll consider this fixed from the systemd perspective. > > Will now reassign to glibc, since we cannot solve this fully unless nscd > provides a way to set a ttl for grp/pwd entries passed to it, the same way > it supports it for hosts entries... For the host cache, NetworkManager needs to signal nscd when the DNS view changes. TTL support is insufficient. Will something similar be needed for the user and group database? You can't predict container lifetime, so I don't see how you want to set a correct TTL. This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase (In reply to Florian Weimer from comment #6) > (In reply to Lennart Poettering from comment #5) > > The fix went in now. I'll consider this fixed from the systemd perspective. > > > > Will now reassign to glibc, since we cannot solve this fully unless nscd > > provides a way to set a ttl for grp/pwd entries passed to it, the same way > > it supports it for hosts entries... > > For the host cache, NetworkManager needs to signal nscd when the DNS view > changes. TTL support is insufficient. > > Will something similar be needed for the user and group database? You can't > predict container lifetime, so I don't see how you want to set a correct TTL. Lennart? (In reply to Florian Weimer from comment #6) > Will something similar be needed for the user and group database? You can't > predict container lifetime, so I don't see how you want to set a correct TTL. I'd simply set the TTL to 0, so that nscd doesn't cache at all. There's really no point in caching stuff that is a quick local check anyway. This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The systemd fix was this: commit cf3bdcfeba48ffef71f1f59e092c4fb9275dcb3a Author: Lennart Poettering <lennart> Date: Wed Feb 10 22:58:41 2016 +0100 nss-mymachines: never resolve unmapped UIDs/GIDs Don't ever permit successful user or group lookups if no UID/GID mapping is actually applied. THis way, we can be sure that nss-mymachines cannot be used to insert invalid cache entries into nscd's cache. https://bugzilla.redhat.com/show_bug.cgi?id=1285339 I think the expiration problem needs a larger discussion about guaranteed propagation times for IdM updates and account revocation. So far, we have received no guidance on this matter and whether this is even a requirement. |