Bug 1007475 - The multicast check is wrong in the sudo source code getting the host info
Summary: The multicast check is wrong in the sudo source code getting the host info
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 19
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2013-09-12 14:43 UTC by Fabrice Robin
Modified: 2020-05-02 17:28 UTC (History)
8 users (show)

Fixed In Version: sssd-1.11.1-1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-10-01 02:16:33 UTC
Type: Bug

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3129 None None None 2020-05-02 17:28:46 UTC

Description Fabrice Robin 2013-09-12 14:43:04 UTC
Description of problem:
Using the ldap attribute sudoHost, users always been refused to execute
a sudo command when the sudoHost is a IPV4 address or subnet.

Version-Release number of selected component (if applicable):
sssd 1.11.0
sudo 1.8.6p7
sssd-ldap 1.11.0
sssd-common 1.11.0

How reproducible:
Always (But only using NetworkManager service... When switching to "network" service,  this bug disappears ! )

Steps to Reproduce:
1. In OpenLdap, fill a user entry with a "sudoHost" attribute with a subnet: ""
2. On a fresh Fedora 19 machine which is in the subnet "", and which has NetworkManager service installed, the user tries to execute the command "sudo -l"

Actual results:
"User xxxx is not allowed to run sudo on machine"

Expected results:
The user is allowed to run sudo on the machine

Additional info:
This is an old anomaly we face for a long time.
After a little bit of debugging and digging in the code, it seems a filter on multicast address is wrong in
./src/providers/ldap/sdap_async_sudo_hostinfo.c:242:            if (IN_MULTICAST(ip4_addr->sin_addr.s_addr)) {
In fact, a conversion with "ntohl" is needed here:
./src/providers/ldap/sdap_async_sudo_hostinfo.c:242:            if (IN_MULTICAST(ntohl(ip4_addr->sin_addr.s_addr))) {

Without ntohl, the ipv4 addresses or subnets are seen has multicast and therefore are filtered... 

I see that a similar bug has been fixed in February for IPA:

It may also exist another similar bug in
./src/monitor/monitor_netlink.c:613:        return IN_MULTICAST(addr4->s_addr);

You cannot imagine how much i'm looking forward that this bug be corrected :-)

Comment 1 Jakub Hrozek 2013-09-12 15:45:45 UTC
Ooof, thank you very much for reporting this bug. I'll prepare a fix right away.

Comment 2 Jakub Hrozek 2013-09-12 16:15:03 UTC
Upstream ticket:

Comment 3 Jakub Hrozek 2013-09-12 16:47:40 UTC
Patch sent upstream.

Comment 4 Jakub Hrozek 2013-09-24 13:12:50 UTC
Fixed upstream:
    master: 6982b488e03b8e29e186f0c54cf5f80438cceadd
    sssd-1-11: a9b2c8fb47fc334c7ba9b229cde18d168059c096

Comment 5 Fedora Update System 2013-09-26 06:51:07 UTC
sssd-1.11.0-3.fc19 has been submitted as an update for Fedora 19.

Comment 6 Fedora Update System 2013-09-27 00:51:37 UTC
Package sssd-1.11.0-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-3.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-09-27 21:09:54 UTC
sssd-1.11.1-1.fc19 has been submitted as an update for Fedora 19.

Comment 8 Fedora Update System 2013-10-01 02:16:33 UTC
sssd-1.11.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.