Bug 1610667
Summary: | sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Michal Reznik <mreznik> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.6 | CC: | abokovoy, extras-qa, fidencio, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mreznik, mzidek, orion, pbrezina, rharwood, sbose, sgoveas, ssorce, tscherf |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.16.2-12.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1609382 | Environment: | |
Last Closed: | 2018-10-30 10:42:59 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1609382 | ||
Bug Blocks: |
Description
Jakub Hrozek
2018-08-01 07:41:27 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3794

To test, add two or more certificates to an IPA user. Run "sss_ssh_authorizedkeys user". Before the patch, each invocation of the sss_ssh_authorizedkeys helper will leak 2 file descriptors, which you can observe with "lsof -p $(pidof sssd_ssh) | wc -l".

About automating the lsof -- the first request might load some shared libraries etc so it is expected the very first request might open files that were not opened before. But checking for file types as well, IOW making sure just the number of pipes is the same should be safe.

master: a76f96ac143128c11bdb975293d667aca861cd91

Reproducible on:

    [root@kvm-03-guest03 ~]# rpm -q sssd-common
    sssd-common-1.16.2-9.el7.x86_64
    [root@kvm-03-guest03 ~]# ipa user-show tuser
      User login: tuser
      First name: tuser
      Last name: tuser
      Home directory: /home/tuser
      Login shell: /bin/sh
      Principal name: tuser
      Principal alias: tuser
      Email address: tuser
      UID: 1274000001
      GID: 1274000001
      Certificate: [certificate data omitted]
      Account disabled: False
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False
    [root@kvm-03-guest03 ~]#
    [root@kvm-03-guest03 ~]#
    [root@kvm-03-guest03 ~]# lsof -p $(pidof sssd_ssh) | wc -l
    99
    [root@kvm-03-guest03 ~]#
    [root@kvm-03-guest03 ~]#
    [root@kvm-03-guest03 ~]# sss_ssh_authorizedkeys tuser
    [root@kvm-03-guest03 ~]# lsof -p $(pidof sssd_ssh) | wc -l
    103
    [root@kvm-03-guest03 ~]# sss_ssh_authorizedkeys tuser
    [root@kvm-03-guest03 ~]# lsof -p $(pidof sssd_ssh) | wc -l
    107
    [root@kvm-03-guest03 ~]#
    [root@kvm-03-guest03 ~]#

Verified on:

    [root@kvm-03-guest03 sssd]# rpm -q sssd-common
    sssd-common-1.16.2-12.el7.x86_64
    [root@kvm-03-guest03 sssd]#
    [root@kvm-03-guest03 sssd]# lsof -p $(pidof sssd_ssh) | wc -l
    87
    [root@kvm-03-guest03 sssd]# sss_ssh_authorizedkeys tuser
    [root@kvm-03-guest03 sssd]# lsof -p $(pidof sssd_ssh) | wc -l
    87
    [root@kvm-03-guest03 sssd]# sss_ssh_authorizedkeys tuser
    [root@kvm-03-guest03 sssd]# lsof -p $(pidof sssd_ssh) | wc -l
    87
    [root@kvm-03-guest03 sssd]#

Automation: https://github.com/freeipa/freeipa/blob/master/ipatests/test_integration/test_commands.py

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158
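
The automation note in the description (skip the first request, then compare only the number of pipes) can be sketched as follows. This is an added example, not code from the bug report or from the freeipa test suite; it assumes Linux /proc and root privileges to inspect sssd_ssh, and the function names are hypothetical.

```python
import os
import subprocess
from collections import Counter


def fd_types(pid):
    """Count the open descriptors of `pid` by kind, read from /proc/<pid>/fd."""
    kinds = Counter()
    fd_dir = f"/proc/{pid}/fd"
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
        # Pipes and sockets read as "pipe:[inode]" / "socket:[inode]";
        # every other target is lumped together as "file".
        if ":[" in target and not target.startswith("/"):
            kinds[target.split(":[", 1)[0]] += 1
        else:
            kinds["file"] += 1
    return kinds


def pipe_growth(pid, trigger, warmup=1, runs=3):
    """Return the pipe count after each measured request, minus the baseline.

    `trigger` issues one request. The first `warmup` calls are not measured,
    because the first request may load shared libraries and open new files.
    """
    for _ in range(warmup):
        trigger()
    baseline = fd_types(pid)["pipe"]
    growth = []
    for _ in range(runs):
        trigger()
        growth.append(fd_types(pid)["pipe"] - baseline)
    return growth


def sssd_ssh_leaks(user, runs=3):
    """True if sssd_ssh gains pipes across sss_ssh_authorizedkeys calls."""
    pid = int(subprocess.check_output(["pidof", "sssd_ssh"]).split()[0])

    def request():
        subprocess.run(["sss_ssh_authorizedkeys", user], check=True,
                       stdout=subprocess.DEVNULL)

    return any(pipe_growth(pid, request, runs=runs))
```

Counting only the `pipe` kind keeps the check stable when later requests open or close unrelated files or sockets.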