Bug 1007475 - The multicast check is wrong in the sudo source code getting the host info
The multicast check is wrong in the sudo source code getting the host info
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
19
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-12 10:43 EDT by Fabrice Robin
Modified: 2013-09-30 22:16 EDT (History)
8 users (show)

See Also:
Fixed In Version: sssd-1.11.1-1.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-30 22:16:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Fabrice Robin 2013-09-12 10:43:04 EDT
Description of problem:
Using the ldap attribute sudoHost, users always been refused to execute
a sudo command when the sudoHost is a IPV4 address or subnet.

Version-Release number of selected component (if applicable):
sssd 1.11.0
sudo 1.8.6p7
sssd-ldap 1.11.0
sssd-common 1.11.0

How reproducible:
Always (But only using NetworkManager service... When switching to "network" service,  this bug disappears ! )

Steps to Reproduce:
1. In OpenLdap, fill a user entry with a "sudoHost" attribute with a subnet: "192.168.101.0/24"
2. On a fresh Fedora 19 machine which is in the subnet "192.168.101.0/24", and which has NetworkManager service installed, the user tries to execute the command "sudo -l"
3. 

Actual results:
"User xxxx is not allowed to run sudo on machine"

Expected results:
The user is allowed to run sudo on the machine

Additional info:
This is an old anomaly we face for a long time.
After a little bit of debugging and digging in the code, it seems a filter on multicast address is wrong in
./src/providers/ldap/sdap_async_sudo_hostinfo.c:242:            if (IN_MULTICAST(ip4_addr->sin_addr.s_addr)) {
In fact, a conversion with "ntohl" is needed here:
./src/providers/ldap/sdap_async_sudo_hostinfo.c:242:            if (IN_MULTICAST(ntohl(ip4_addr->sin_addr.s_addr))) {

Without ntohl, the ipv4 addresses or subnets are seen has multicast and therefore are filtered... 

I see that a similar bug has been fixed in February for IPA:
https://bugzilla.redhat.com/show_bug.cgi?id=790105
https://fedorahosted.org/sssd/ticket/1804

It may also exist another similar bug in
./src/monitor/monitor_netlink.c:613:        return IN_MULTICAST(addr4->s_addr);

You cannot imagine how much i'm looking forward that this bug be corrected :-)
Comment 1 Jakub Hrozek 2013-09-12 11:45:45 EDT
Ooof, thank you very much for reporting this bug. I'll prepare a fix right away.
Comment 2 Jakub Hrozek 2013-09-12 12:15:03 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2087
Comment 3 Jakub Hrozek 2013-09-12 12:47:40 EDT
Patch sent upstream.
Comment 4 Jakub Hrozek 2013-09-24 09:12:50 EDT
Fixed upstream:
    master: 6982b488e03b8e29e186f0c54cf5f80438cceadd
    sssd-1-11: a9b2c8fb47fc334c7ba9b229cde18d168059c096
Comment 5 Fedora Update System 2013-09-26 02:51:07 EDT
sssd-1.11.0-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.0-3.fc19
Comment 6 Fedora Update System 2013-09-26 20:51:37 EDT
Package sssd-1.11.0-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17764/sssd-1.11.0-3.fc19
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2013-09-27 17:09:54 EDT
sssd-1.11.1-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.1-1.fc19
Comment 8 Fedora Update System 2013-09-30 22:16:33 EDT
sssd-1.11.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.