Bug 1767514

Summary: sssd requires timed sudoers ldap entries to be specified up to the seconds
Product: Red Hat Enterprise Linux 8
Reporter: Dalibor Pospíšil <dapospis>
Component: sssd
Assignee: Paweł Poławski <ppolawsk>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.0
CC: grajaiya, jhrozek, lslebodn, mzidek, pbrezina, rsroka, sgadekar, sgoveas, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.2.3-14.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 16:56:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dalibor Pospíšil 2019-10-31 15:54:38 UTC
Description of problem:
LDAP specification says that minutes and seconds might be omitted and in that case these are meant to be treated as zeros [1].

When a sudo rule defines sudoNotAfter and/or sudoNotBefore options which are specified up to hours, e.g. 2019103116Z, sssd does not match the rule and refuses to let a user run a command. If the options are padded with zeros, e.g. 20191031160000Z, it works.

SSSD should behave according to the LDAP specification in these terms.

Version-Release number of selected component (if applicable):
sssd-2.2.0-19.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. have a rule with sudoNotBefore set to the past but specified up to hours, e.g. 2019103116Z
2. try to run command allowed by the rule

Actual results:
sudoNotBefore=2019103015Z
$ sudo -l
Sorry, user userallowed may not run sudo on ci-vm-10-0-137-224.

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

Expected results:
sudoNotBefore=2019103015Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL


Additional info:
1. https://ldapwiki.com/wiki/GeneralizedTime
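
As an added illustration of the GeneralizedTime rule the report relies on (example code written for this page, not code from the report or from sssd): a parser that accepts the abbreviated forms RFC 4517 permits, normalizes them to the YYYYMMDDHHMMSSZ form that sudo -l prints, and applies sudoNotBefore/sudoNotAfter against a reference time. The inclusive treatment of both bounds and the constructed reference time are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime (RFC 4517 3.3.13): YYYYMMDDHH[MM[SS]][.fraction](Z|+hh[mm]|-hh[mm]).
# Minutes and seconds are optional and count as zero when omitted; that is the
# case sssd-2.2.0 rejected for sudoNotBefore/sudoNotAfter (e.g. 2019103116Z).
_GT_RE = re.compile(r"""
    ^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})
    (?:(?P<minute>\d{2})(?P<second>\d{2})?)?
    (?:[.,](?P<frac>\d+))?
    (?P<tz>Z|[+-]\d{2}(?:\d{2})?)$""", re.VERBOSE)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime string into an aware UTC datetime."""
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a valid GeneralizedTime: {value!r}")
    tz = m["tz"]
    if tz == "Z":
        offset = timedelta(0)
    else:  # +hhmm / -hhmm / +hh / -hh
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]),
                                  minutes=int(tz[3:5]) if len(tz) == 5 else 0)
    dt = datetime(int(m["year"]), int(m["month"]), int(m["day"]), int(m["hour"]),
                  int(m["minute"] or 0), int(m["second"] or 0),  # omitted -> 00
                  tzinfo=timezone(offset))
    if m["frac"]:  # a fraction refines the last component that was given
        unit = "seconds" if m["second"] else "minutes" if m["minute"] else "hours"
        dt += timedelta(**{unit: int(m["frac"]) / 10 ** len(m["frac"])})
    return dt.astimezone(timezone.utc)


def normalize(value: str) -> str:
    """Canonical YYYYMMDDHHMMSSZ form, as sudo -l prints NOTBEFORE/NOTAFTER."""
    return parse_generalized_time(value).strftime("%Y%m%d%H%M%SZ")


def rule_active(now: datetime, not_before=None, not_after=None) -> bool:
    """True if a timed sudo rule applies at `now` (bounds inclusive: an assumption)."""
    if not_before and now < parse_generalized_time(not_before):
        return False
    return not (not_after and now > parse_generalized_time(not_after))


if __name__ == "__main__":
    now = parse_generalized_time("20200305095639Z")  # constructed reference time
    for raw in ("2020030509Z", "2019103116Z", "2019103116+0100", "20200305100000Z"):
        print(f"{raw:>16} -> {normalize(raw)}  active={rule_active(now, raw)}")
```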

Comment 1 Pavel Březina 2019-11-19 12:47:41 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4118

Comment 6 Pavel Březina 2019-12-04 11:03:13 UTC
* `master`
    * 58a67cd38b8be9bef45ce70588763d851840dd65 - sysdb_sudo: Enable LDAP time format compatibility

Comment 7 Michal Zidek 2019-12-12 11:21:39 UTC
Sorry, moving back to POST, did not notice that this bug still needs ACKs. Adding devel ack.

Comment 9 shridhar 2020-03-05 14:57:56 UTC
Tested with the following data:
~]# rpm -q sssd
sssd-2.2.3-17.el8.x86_64

 ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains             = LDAP
services            = nss, pam, sudo
debug_level         = 0xFFFF

[nss]
filter_groups       = root
filter_users        = root

[pam]

[sudo]
debug_level         = 0xFFFF
sudo_timed          = true

[domain/LDAP]
id_provider         = ldap
auth_provider       = ldap
sudo_provider       = ldap
debug_level         = 0xFFFF
ldap_uri            = ldaps://ipaqavma.idmqe.lab.eng.bos.redhat.com
ldap_tls_cacert     = /etc/openldap/certs/cacert.asc
ldap_search_base    = dc=example,dc=com

entry_cache_nowait_percentage       = 0
entry_cache_timeout                 = 0
ldap_sudo_smart_refresh_interval    = 1



[root@kvm-02-guest13 ~]# ldapsearch -x -h ipaqavma.idmqe.lab.eng.bos.redhat.com -b 'ou=sudoers,dc=example,dc=com' -D 'cn=Manager,dc=example,dc=com' -w 'Secret123'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Sudoers, example.com
dn: ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, example.com
dn: cn=defaults,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: defaults

# test, Sudoers, example.com
dn: cn=test,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
cn: test
sudoRunAsUser: ALL
sudoNotBefore: 2020030509Z

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

~]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd

[root@kvm-02-guest13 ~]# sudo -l -U user1
User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[root@kvm-02-guest13 ~]# ssh user1@localhost
user1@localhost's password: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=kvm-02-guest13.hv2.lab.eng.bos.redhat.com                           
                            JOBID=4112847                              
                         RECIPEID=7982488                           
                       LAB_SERVER=                         
                    RESULT_SERVER=LEGACY                      
                           DISTRO=RHEL-8.2.0-20200227.0                             
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Last login: Thu Mar  5 09:15:19 2020 from ::1
Could not chdir to home directory /home/user1: No such file or directory
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo less /var/log/secure 
[user1@kvm-02-guest13 /]$ touch /etc/sssd/sssd.conf
touch: cannot touch '/etc/sssd/sssd.conf': Permission denied
[user1@kvm-02-guest13 /]$ sudo touch /etc/sssd/sssd.conf
[user1@kvm-02-guest13 /]$ sudo True
sudo: True: command not found
[user1@kvm-02-guest13 /]$ sudo true
[user1@kvm-02-guest13 /]$ logout
Connection to localhost closed.
[root@kvm-02-guest13 ~]# date +%Y%m%d%H%M%S
20200305095639


Marking verified.

Comment 11 errata-xmlrpc 2020-04-28 16:56:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863