Bug 1101751 - (CVE-2014-0249) CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20140513,reported=2...
Keywords: Security
Depends On: 1103488 995389 1101756 1103487
Blocks: 1101758
Reported: 2014-05-27 16:21 EDT by Vincent Danen
Modified: 2017-01-10 10:01 EST (History)
CC: 13 users

Fixed In Version: sssd 1.11.7
Doc Type: Bug Fix
Last Closed: 2017-01-10 10:01:34 EST


Description Vincent Danen 2014-05-27 16:21:59 EDT
It was reported [1] that SSSD improperly expanded group membership when it encountered a non-POSIX group in the group membership chain.  For instance:

  user -> posix_group1 -> non_posix_group -> posix_group2

With the group memberships noted above, SSSD should include the user as a member of both posix_group1 and posix_group2; however, due to the position of the non-POSIX group, SSSD halts processing at it and never reaches posix_group2, leaving the user as a member of posix_group1 and not posix_group2.

SSSD has the capability to set a 'deny' ACL for both users and groups, so in a situation like that illustrated above, if posix_group2 was present in a 'deny' ACL, the user would be granted access because they are not shown as having membership in the denied group.  This could grant unintended access to certain users in an environment where non-POSIX groups are used in addition to POSIX groups.

There is currently no patch to correct this issue.


[1] https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019495.html


Acknowledgements:

This issue was discovered by Arpit Tolani of Red Hat, with the security implications raised by Stephen Gallagher of Red Hat.
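As an added illustration (not part of the bug report and not SSSD's own code), the following Python models the membership walk described in the report: a small directory graph containing POSIX and non-POSIX groups, the vulnerable walk that halts at the non-POSIX group, the fixed walk that passes through it while reporting only POSIX groups, and a deny-list check of the kind a 'deny' ACL performs. The directory contents, user names and function names are constructed for the example; the deny-group check is modelled on a deny-groups option such as sssd's simple_deny_groups and is not taken from SSSD's implementation.

```python
"""Model of the CVE-2014-0249 group-expansion behaviour.

Constructed example, not SSSD code. Groups form a graph: each group lists
its nested member groups and carries a flag saying whether it is POSIX
(has a gidNumber) or non-POSIX (no gidNumber, e.g. a distribution group).
"""
from collections import deque

# Constructed directory: group name -> (is_posix, nested member groups).
# Reproduces the chain from the report:
#   user -> posix_group1 -> non_posix_group -> posix_group2
DIRECTORY = {
    "posix_group1":    (True,  ["non_posix_group"]),
    "non_posix_group": (False, ["posix_group2"]),
    "posix_group2":    (True,  []),
}

# Direct group memberships of users (constructed).
USER_MEMBEROF = {
    "alice": ["posix_group1"],
    "bob":   ["posix_group2"],
}


def expand_groups(user, directory, user_memberof, stop_at_non_posix):
    """Return the set of POSIX groups the user belongs to, transitively.

    stop_at_non_posix=True reproduces the vulnerable behaviour described in
    the report: the walk halts at a non-POSIX group, so POSIX groups nested
    behind it are never reached. stop_at_non_posix=False is the corrected
    behaviour: non-POSIX groups are traversed but not reported.
    """
    posix_groups = set()
    seen = set()                      # guards against membership cycles
    queue = deque(user_memberof.get(user, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        is_posix, nested = directory[group]
        if is_posix:
            posix_groups.add(group)
        elif stop_at_non_posix:
            continue                  # vulnerable: nested groups never visited
        queue.extend(nested)
    return posix_groups


def access_allowed(user, deny_groups, stop_at_non_posix):
    """Deny access if the user is in any denied group, otherwise allow.

    Modelled on a deny-groups list (for example sssd's simple_deny_groups);
    the decision logic here is the example's own, not SSSD's.
    """
    groups = expand_groups(user, DIRECTORY, USER_MEMBEROF, stop_at_non_posix)
    return not (groups & set(deny_groups))


if __name__ == "__main__":
    deny = ["posix_group2"]
    for stop in (True, False):
        label = "vulnerable" if stop else "fixed"
        groups = expand_groups("alice", DIRECTORY, USER_MEMBEROF, stop)
        decision = "allowed" if access_allowed("alice", deny, stop) else "denied"
        print(f"{label}: alice in {sorted(groups)}, access {decision}")
```

With posix_group2 on the deny list, the vulnerable walk reports alice only in posix_group1 and lets her through; the corrected walk also reports posix_group2 and denies her. The `seen` set matters in practice because nested-group graphs in real directories can contain cycles, and an expansion that does not track visited groups would loop.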
Comment 1 Vincent Danen 2014-05-27 16:22:25 EDT
Created sssd tracking bugs for this issue:

Affects: fedora-all [bug 1101756]
Comment 2 Huzaifa S. Sidhpurwala 2014-05-29 03:45:13 EDT
Statement:

This issue affects the version of the sssd package as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having Low security impact; a future update may address this flaw.
Comment 5 Tomas Hoger 2015-03-12 10:35:57 EDT
This issue was already fixed in sssd updates in Red Hat Enterprise Linux 6 (in 6.6, via RHBA-2014:1375) and Red Hat Enterprise Linux 7 (in 7.1, via RHBA-2015:0441).

https://rhn.redhat.com/errata/RHBA-2014-1375.html
https://rhn.redhat.com/errata/RHBA-2015-0441.html
