Description of problem:
Using the LDAP attribute sudoHost, users are always refused when executing a sudo command if the sudoHost is an IPv4 address or subnet.

Version-Release number of selected component (if applicable):
sssd 1.11.0
sudo 1.8.6p7
sssd-ldap 1.11.0
sssd-common 1.11.0

How reproducible:
Always (but only when using the NetworkManager service... When switching to the "network" service, this bug disappears!)

Steps to Reproduce:
1. In OpenLDAP, fill a user entry with a "sudoHost" attribute with a subnet: "192.168.101.0/24"
2. On a fresh Fedora 19 machine which is in the subnet "192.168.101.0/24", and which has the NetworkManager service installed, the user tries to execute the command "sudo -l"
3.

Actual results:
"User xxxx is not allowed to run sudo on machine"

Expected results:
The user is allowed to run sudo on the machine

Additional info:
This is an old anomaly we have faced for a long time. After a little bit of debugging and digging in the code, it seems a filter on multicast addresses is wrong in

./src/providers/ldap/sdap_async_sudo_hostinfo.c:242: if (IN_MULTICAST(ip4_addr->sin_addr.s_addr)) {

In fact, a conversion with "ntohl" is needed here:

./src/providers/ldap/sdap_async_sudo_hostinfo.c:242: if (IN_MULTICAST(ntohl(ip4_addr->sin_addr.s_addr))) {

Without ntohl, the IPv4 addresses or subnets are seen as multicast and are therefore filtered...

I see that a similar bug was fixed in February for IPA:
https://bugzilla.redhat.com/show_bug.cgi?id=790105
https://fedorahosted.org/sssd/ticket/1804

There may also be another similar bug in

./src/monitor/monitor_netlink.c:613: return IN_MULTICAST(addr4->s_addr);

You cannot imagine how much I'm looking forward to this bug being corrected :-)
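The byte-order issue described in the report above, as an added stand-alone example (not SSSD code and not part of the original report): it compares `IN_MULTICAST()` applied to `s_addr` directly with the `ntohl()` form. The function names and sample addresses are constructed for illustration; on a little-endian host the unconverted check ends up testing the last octet of the address instead of the first.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/* Unconverted check, as quoted in the report: s_addr holds the address in
 * network byte order, but IN_MULTICAST() tests the top four bits of a
 * host-byte-order value. Returns 1/0, or -1 if the string is not IPv4. */
static int is_multicast_raw(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    return IN_MULTICAST(a.s_addr) ? 1 : 0;
}

/* Check with the ntohl() conversion the report proposes. */
static int is_multicast_fixed(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    return IN_MULTICAST(ntohl(a.s_addr)) ? 1 : 0;
}

/* Number of sample addresses on which the two checks disagree. */
static int count_disagreements(const char *const *addrs, int n)
{
    int i, diff = 0;
    for (i = 0; i < n; i++)
        if (is_multicast_raw(addrs[i]) != is_multicast_fixed(addrs[i]))
            diff++;
    return diff;
}

/* Constructed sample addresses, not taken from the report. */
static const char *const SAMPLES[] = {
    "192.168.101.5", "192.168.101.230", "10.0.0.224", "224.0.0.251",
};
#define N_SAMPLES ((int)(sizeof(SAMPLES) / sizeof(SAMPLES[0])))

int main(void)
{
    int i;
    for (i = 0; i < N_SAMPLES; i++)
        printf("%-16s raw=%d fixed=%d\n", SAMPLES[i],
               is_multicast_raw(SAMPLES[i]), is_multicast_fixed(SAMPLES[i]));
    printf("disagreements: %d\n", count_disagreements(SAMPLES, N_SAMPLES));
    return 0;
}
```

On a big-endian host `ntohl()` is a no-op, so the two checks agree there and the difference only shows on little-endian machines.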
Ooof, thank you very much for reporting this bug. I'll prepare a fix right away.
Upstream ticket: https://fedorahosted.org/sssd/ticket/2087
Patch sent upstream.
Fixed upstream:
master: 6982b488e03b8e29e186f0c54cf5f80438cceadd
sssd-1-11: a9b2c8fb47fc334c7ba9b229cde18d168059c096
sssd-1.11.0-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.0-3.fc19
Package sssd-1.11.0-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17764/sssd-1.11.0-3.fc19
then log in and leave karma (feedback).
sssd-1.11.1-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.1-1.fc19
sssd-1.11.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.