Bug 1607313
Summary: | When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
Severity: | unspecified | Docs Contact: | Lucie Vařáková <lmanasko> |
Priority: | unspecified | ||
Version: | 7.3 | CC: | fhanzelk, grajaiya, jhrozek, lmanasko, lslebodn, mkosek, mzidek, pbrezina, sgadekar, sgoveas, tscherf |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.16.2-8.el7 | Doc Type: | Known Issue |
Doc Text: |
Cause: To address a secutiry issue, the UNIX pipe that sudo uses to communicate with the SSSD had much tighter permissions than before. In the case of SSSD running as a non-root user (by using user=sssd in the [sssd] section of sssd.conf), there was an additional permissions check in sssd that never succeeded for the sudo pipe.
Consequence: sudo was not usable with sssd running in the non-root mode.
Workaround (if any): either remove the sss module from the sudoers line in nsswitch.conf or disable the sudo responder. Both workarounds would disable fetching sudo rules through sssd. Alternarnatively, run sssd as root.
Result: What am I supposed to write here? We temporarily broke sssd sudo support when running as a non-root user. It's fixed now.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-10-30 10:42:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jakub Hrozek
2018-07-23 09:25:34 UTC
* master: * 21ea8204a0bd8ea4451f420713e909d3cfee34ef * 4900b8e59bdbb89fbc1c9718969aabe26f3db34a Issue was reproduced using rpm = sssd-common-1.16.2-7.el7.x86_64 Initial configuration (with root user) ~]# cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 domains = LDAP services = nss, pam, sudo debug_level = 0xFFFF [nss] filter_groups = root filter_users = root [pam] [sudo] debug_level = 0xFFFF sudo_timed = true [domain/LDAP] id_provider = ldap auth_provider = ldap sudo_provider = ldap debug_level = 0xFFFF ldap_uri = ldaps://vm-idm-023.lab.eng.pnq.redhat.com ldap_tls_cacert = /etc/openldap/certs/cacert.asc ldap_search_base = dc=example,dc=com ldap_sudo_smart_refresh_interval = 10 [root@vm-idm-018 ~]# id testuser uid=1000014(testuser) gid=1000014 groups=1000014 [root@vm-idm-018 ~]# sudo -l testuser -U sudo: testuser: command not found [root@vm-idm-018 ~]# sudo -l -U testuser Matching Defaults entries for testuser on vm-idm-018: !authenticate User testuser may run the following commands on vm-idm-018: (root) NOPASSWD: /usr/bin/id ##### editing sssd.conf to run the sssd as non root user [root@vm-idm-018 ~]# vi /etc/sssd/sssd.conf [root@vm-idm-018 ~]# cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 domains = LDAP services = nss, pam, sudo debug_level = 0xFFFF user = sssd [nss] filter_groups = root filter_users = root [pam] [sudo] debug_level = 0xFFFF sudo_timed = true [domain/LDAP] id_provider = ldap auth_provider = ldap sudo_provider = ldap debug_level = 0xFFFF ldap_uri = ldaps://vm-idm-023.lab.eng.pnq.redhat.com ldap_tls_cacert = /etc/openldap/certs/cacert.asc ldap_search_base = dc=example,dc=com ldap_sudo_smart_refresh_interval = 10 ### #$ service sssd stop; rm -rf /var/lib/sss/db/* ; service sssd start ~]# ps auxf |head -n1; ps auxf|tail -n4 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND sssd 3852 0.3 0.2 298292 8540 ? S 19:21 0:00 \_ /usr/libexec/sssd/sssd_be --domain LDAP --uid 997 --gid 993 --logger=files sssd 3853 0.1 0.7 264648 28752 ? S 19:21 0:00 \_ /usr/libexec/sssd/sssd_nss --uid 997 --gid 993 --logger=files sssd 3854 0.0 0.1 244316 4108 ? S 19:21 0:00 \_ /usr/libexec/sssd/sssd_pam --uid 997 --gid 993 --logger=files sssd 3855 0.0 0.1 237756 4020 ? S 19:21 0:00 \_ /usr/libexec/sssd/sssd_sudo --uid 997 --gid 993 --logger=files [root@vm-idm-018 ~]# sudo -l -U testuser ^C ^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C ^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^CYou have mail in /var/spool/mail/root ####### Above shows that terminal is in hung state. From other terminal updated the sssd to updated version. ~]# yum update sssd Resolving Dependencies --> Running transaction check ---> Package sssd.x86_64 0:1.16.2-7.el7 will be updated ---> Package sssd.x86_64 0:1.16.2-12.el7 will be an update --> Processing Dependency: python-sssdconfig = 1.16.2-12.el7 for package: sssd-1.16.2-12.el7.x86_64 --> Processing Dependency: sssd-ad = 1.16.2-12.el7 for package: sssd-1.16.2-12.el7.x86_64 --> Processing Dependency: sssd-common = 1.16.2-12.el7 for package: sssd-1.16.2-12.el7.x86_64 . [...] Updated: sssd.x86_64 0:1.16.2-12.el7 Dependency Updated: libipa_hbac.x86_64 0:1.16.2-12.el7 libsss_autofs.x86_64 0:1.16.2-12.el7 libsss_idmap.x86_64 0:1.16.2-12.el7 libsss_simpleifp.x86_64 0:1.16.2-12.el7 libsss_sudo.x86_64 0:1.16.2-12.el7 python-sss.x86_64 0:1.16.2-12.el7 python-sssdconfig.noarch 0:1.16.2-12.el7 sssd-ad.x86_64 0:1.16.2-12.el7 sssd-client.x86_64 0:1.16.2-12.el7 sssd-common.x86_64 0:1.16.2-12.el7 sssd-common-pac.x86_64 0:1.16.2-12.el7 sssd-dbus.x86_64 0:1.16.2-12.el7 sssd-ipa.x86_64 0:1.16.2-12.el7 sssd-krb5.x86_64 0:1.16.2-12.el7 sssd-krb5-common.x86_64 0:1.16.2-12.el7 sssd-ldap.x86_64 0:1.16.2-12.el7 sssd-proxy.x86_64 0:1.16.2-12.el7 sssd-tools.x86_64 0:1.16.2-12.el7 [root@vm-idm-018 ~]# cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 domains = LDAP services = nss, pam, sudo debug_level = 0xFFFF user = sssd [nss] filter_groups = root filter_users = root [pam] [sudo] debug_level = 0xFFFF sudo_timed = true [domain/LDAP] id_provider = ldap auth_provider = ldap sudo_provider = ldap debug_level = 0xFFFF ldap_uri = ldaps://vm-idm-023.lab.eng.pnq.redhat.com ldap_tls_cacert = /etc/openldap/certs/cacert.asc ldap_search_base = dc=example,dc=com idm-018 ~]# rpm -q sssd sssd-1.16.2-12.el7.x86_64] ~]# service sssd stop; rm -rf /var/lib/sss/db/* ; service sssd start Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service [root@vm-idm-018 ~]# sudo -l -U testuser Matching Defaults entries for testuser on vm-idm-018: !authenticate User testuser may run the following commands on vm-idm-018: (root) NOPASSWD: /usr/bin/id In addition to comment #7. now the sudo pipe permissions are [root@vm-idm-018 ~]# ll /var/lib/sss/pipes/sudo srw-------. 1 sssd root 0 Aug 16 19:34 /var/lib/sss/pipes/sudo Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3158 |