Bug 1827432
| Summary: | When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Frank Sorenson <fsorenso> |
| Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.1 | CC: | aborah, abroy, atikhono, dlavu, grajaiya, jhrozek, jorge.fabregas, lslebodn, mzidek, pbrezina, sgoveas, tscherf |
| Target Milestone: | rc | Keywords: | Reproducer, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira review | ||
| Fixed In Version: | sssd-2.3.0-3.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 02:05:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Frank Sorenson
2020-04-23 22:10:56 UTC
Customer's specific issue: add a user to a group by replacing the /etc/group file: # u=foo ; sed -e "s@^\(wheel:.\+[^:]\)\$@\1,$u@g" -e "s/^\(wheel:.\+:\)\$/\1$u/g" /etc/group >/var/tmp/group.new # mv -f /var/tmp/group.new /etc/group # getent group wheel wheel:x:10:foo # grep wheel /etc/group wheel:x:10:foo now add a user by replacing just the file contents: # u=bar ; sed -e "s@^\(wheel:.\+[^:]\)\$@\1,$u@g" -e "s/^\(wheel:.\+:\)\$/\1$u/g" /etc/group >/var/tmp/group.new # cat /var/tmp/group.new >/etc/group # rm -f /var/tmp/group.new # getent group wheel wheel:x:10:foo # grep wheel /etc/group wheel:x:10:foo,bar because there was no reload, the group does not include the new user. after restarting sssd: # systemctl restart sssd.service # getent group wheel wheel:x:10:foo,bar to see the currently-watched events generated on /etc/group: # pyinotify -e IN_CLOSE_WRITE,IN_MOVED_TO,IN_CREATE,IN_DELETE_SELF,IN_MOVE_SELF /etc/group to see the currently-watched events generated on /etc # pyinotify -e IN_MOVED_TO,IN_CREATE /etc after the /etc/passwd or /etc/group file is replaced, no further notifications are received for the file to see all events: # pyinotify /etc just a quick note that 'pyinotify' is the RHEL 8 replacement for inotifywatch/inotifywait, and is delivered in the python3-inotify rpm:
python3-inotify-0.9.6-13.el8.noarch
# pyinotify -h
Usage: pyinotify [options] [path1] [path2] [pathn]
Options:
-h, --help show this help message and exit
-v, --verbose Verbose mode
-r, --recursive Add watches recursively on paths
-a, --auto_add Automatically add watches on new directories
-g, --glob Treat paths as globs
-e EVENT[,...], --events-list=EVENT[,...]
A comma-separated list of events to watch for - see
the documentation for valid options (defaults to
everything)
-s, --stats Display dummy statistics
-V, --version Pyinotify version
-f, --raw-format Disable enhanced output format.
-c COMMAND, --command=COMMAND
Shell command to run upon event
I'm the "customer" who reported this. In a nutshell, this is the way to easily recreate the issue on a fresh RHEL8 installation: 1) umask 027 2) create new user 3) modify /etc/groiup via "vi" to include that new user to a whatever group 4) check with "getent group whateverGroup" You'll see it won't show up. I specified a mask of 027 because that's what our system had (a deviation from the standard 002). It turns out that "vim" behaves differently based on the current mask. If you have a mask of 027 you'll experience what's described by Frank. We know the best practice for changing group ownerships is via "usermod" or "vigr" but, this a Linux system and a plain text file (/etc/group) so, in that spirit, many admins do modify the file by hand for simple edits and so. Hope this was helpful. -- Jorge Part of upstream PR https://github.com/SSSD/sssd/pull/5204 Pushed PR: https://github.com/SSSD/sssd/pull/5204 * `master` * 5611d242f7d958ec06e07f601eb9f2e9a1a6b696 - PROVIDERS/IPA: fixed few CLANG_WARNINGs * ce06995432158ded2f95017c6b512c5a4a85f4a9 - PROVIDERS/LDAP: fixed CLANG_WARNING * 64adcd410b889f5cbdb39e6e18a9a24f3a61f9ee - PROVIDERS/LDAP: fixed CLANG_WARNING * 316c850ec3daf914b6c76f1e0f4a2f0dcae6c4c9 - CACHE_REQ: fixed CLANG_WARNING * 83389697f62e6cc2ce361999c194c555dc1464ab - RESPONDER/NSS: fixed few CLANG_WARNINGs * 464f809e00d663cda980a2329c93286c1f599090 - RESPONDER/SUDO: fixed CLANG_WARNING * 14e5c31e582943330289c6dac3753033dc41d4c7 - CLIENT: fixed "Dereference of null pointer" warning * e525ed6a6acd2bcb6bae6967e6e6aaaa1c8b19f9 - TOOLS: fixed a couple of CLANG_WARNINGs * 9c4d662de64d483bab3e2cdca5cab8e9b3a88457 - TOOLS: fixed CLANG_WARNING * 0c5711f9bae1cb46d4cd3fbe5d86d8688087be13 - util/inotify: fixed bug in inotify event processing * 144e78dfebc0fd01feb6c11a37f81d01146cf33a - util/inotify: fixed CLANG_WARNING * 6701ad96ac1ddd49998fe14e6b3c6c26a1e88944 - CLIENT: fixed CPPCHECK_WARNING (CWE-476) * b132fab8c0fb03700a52d7e1b6577ea1cc043179 - MC: fixed CPPCHECK_WARNING * 8088b3e3adefc0dc96af501bae5bba6e2e1f8a91 - PROXY: suppress CPPCHECK_WARNING (CWE-456) * ee16f3928d948e9a9a619d62136a25c5b73cd009 - KCM: fixed NO_EFFECT (CWE-398) * 014cbde8fce1571dc4bd161b8d50eaaad5b865b6 - NSS: fixed FORWARD_NULL (CWE-476) * 39480618ae89138b1dc078229a5f1e58bc88c0eb - CLIENT: fixed few CHECKED_RETURN (CWE-252) warnings This bug is probably fixed only by "0c5711f9bae1cb46d4cd3fbe5d86d8688087be13 - util/inotify: fixed bug in inotify event processing" but I'm not sure if it depends on the other patches or not. Only relevant patches are: * 0c5711f9bae1cb46d4cd3fbe5d86d8688087be13 - util/inotify: fixed bug in inotify event processing * 144e78dfebc0fd01feb6c11a37f81d01146cf33a - util/inotify: fixed CLANG_WARNING First comment: This bug only occures when umask is set to 027 =========================================== [root@ci-vm-10-0-139-169 etc]# rpm -qa | grep sssd sssd-nfs-idmap-2.0.0-43.el8.x86_64 sssd-client-2.0.0-43.el8.x86_64 sssd-common-2.0.0-43.el8.x86_64 sssd-kcm-2.0.0-43.el8.x86_64 [root@ci-vm-10-0-139-169 etc]# umask 027 [root@ci-vm-10-0-139-169 etc]# useradd anuj3 [root@ci-vm-10-0-139-169 etc]# vi group(manually add user anuj3 to group wheel) [root@ci-vm-10-0-139-169 etc]# getent group wheel wheel:x:10:anuj,anuj1 [root@ci-vm-10-0-139-169 etc]# grep wheel group wheel:x:10:anuj,anuj1,anuj3 [root@ci-vm-10-0-139-169 etc]# pwd /etc ============================================== [root@ci-vm-10-0-138-127 etc]# rpm -qa | grep sssd sssd-client-2.3.0-6.el8.x86_64 sssd-nfs-idmap-2.3.0-6.el8.x86_64 python3-sssdconfig-2.3.0-6.el8.noarch sssd-common-2.3.0-6.el8.x86_64 sssd-kcm-2.3.0-6.el8.x86_64 sssd-krb5-2.3.0-6.el8.x86_64 sssd-proxy-2.3.0-6.el8.x86_64 sssd-ipa-2.3.0-6.el8.x86_64 sssd-2.3.0-6.el8.x86_64 sssd-krb5-common-2.3.0-6.el8.x86_64 sssd-ldap-2.3.0-6.el8.x86_64 sssd-common-pac-2.3.0-6.el8.x86_64 sssd-ad-2.3.0-6.el8.x86_64 [root@ci-vm-10-0-138-127 etc]# umask 027 [root@ci-vm-10-0-138-127 etc]# useradd anuj3 [root@ci-vm-10-0-138-127 etc]# vi group(manually add user anuj3 to group wheel) [root@ci-vm-10-0-138-127 etc]# getent group wheel wheel:x:10:anuj3 [root@ci-vm-10-0-138-127 etc]# grep wheel group wheel:x:10:anuj3 [root@ci-vm-10-0-138-127 etc]# pwd /etc [root@ci-vm-10-0-138-127 etc]# ================================= Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4569 |