Bug 1767514 - sssd requires timed sudoers ldap entries to be specified up to the seconds
Summary: sssd requires timed sudoers ldap entries to be specified up to the seconds
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Paweł Poławski
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2019-10-31 15:54 UTC by Dalibor Pospíšil
Modified: 2020-05-02 19:14 UTC
CC List: 9 users

Fixed In Version: sssd-2.2.3-14.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:56:29 UTC
Type: Bug
Target Upstream Version:



Links:
* GitHub SSSD sssd issue 5079 (closed): sssd requires timed sudoers ldap entries to be specified up to the seconds (last updated 2020-07-09 06:58:00 UTC)
* Red Hat Product Errata RHBA-2020:1863 (last updated 2020-04-28 16:56:40 UTC)

Description Dalibor Pospíšil 2019-10-31 15:54:38 UTC
Description of problem:
The LDAP specification says that minutes and seconds may be omitted, and in that case they are meant to be treated as zeros [1].

When a sudo rule defines sudoNotAfter and/or sudoNotBefore options that are specified only up to hours, e.g. 2019103116Z, sssd does not match the rule and refuses to let the user run a command. If the options are padded with zeros, e.g. 20191031160000Z, it works.

SSSD should behave according to the LDAP specification in these terms.

Version-Release number of selected component (if applicable):
sssd-2.2.0-19.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. have a rule with sudoNotBefore set to the past but specified only up to hours, e.g. 2019103116Z
2. try to run a command allowed by the rule

Actual results:
sudoNotBefore=2019103015Z
$ sudo -l
Sorry, user userallowed may not run sudo on ci-vm-10-0-137-224.

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

Expected results:
sudoNotBefore=2019103015Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL

sudoNotBefore=20191030150000Z
$ sudo -l
Matching Defaults entries for userallowed on ci-vm-10-0-137-224:
    !authenticate, !requiretty

User userallowed may run the following commands on ci-vm-10-0-137-224:
    (root) NOTBEFORE=20191030150000Z ALL


Additional info:
1. https://ldapwiki.com/wiki/GeneralizedTime
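
As an added illustration (not code from sssd or from the reporter), the following Python parser implements the RFC 4517 GeneralizedTime rule the report relies on, treating omitted minutes and seconds as zero, and evaluates a sudoNotBefore/sudoNotAfter window against a given time. The rule dictionary and the "now" value are constructed from the values quoted in this report; the fraction and UTC-offset handling goes beyond the hour-only case the report shows.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fff|,fff](Z|+HH[MM]|-HH[MM]).
# Minutes and seconds are optional; an omitted field counts as zero.
_GT_RE = re.compile(
    r"^(?P<date>\d{8})(?P<hour>\d{2})(?P<minute>\d{2})?(?P<second>\d{2})?"
    r"(?:[.,](?P<frac>\d+))?(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)

def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime string into an aware UTC datetime."""
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    # strptime validates the calendar date; minute/second are added separately
    # so that an omitted field (or a leap second "60") is handled uniformly.
    dt = datetime.strptime(m["date"] + m["hour"], "%Y%m%d%H")
    dt += timedelta(minutes=int(m["minute"] or 0), seconds=int(m["second"] or 0))
    if m["frac"]:
        # A fraction scales the smallest unit actually present:
        # "...16.5Z" means 16:30, "...1630.5Z" means 16:30:30.
        unit = 3600 if m["minute"] is None else 60 if m["second"] is None else 1
        dt += timedelta(seconds=unit * int(m["frac"]) / 10 ** len(m["frac"]))
    tz = m["tz"]
    if tz != "Z":
        # "+0100" is local time one hour ahead of UTC, so subtract the offset.
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
        dt -= offset if tz[0] == "+" else -offset
    return dt.replace(tzinfo=timezone.utc)

def normalize_generalized_time(value: str) -> str:
    """Expand any valid form to the padded 14-digit UTC form that sudo -l prints."""
    return parse_generalized_time(value).strftime("%Y%m%d%H%M%SZ")

def sudo_rule_active(rule: dict, now: datetime) -> bool:
    """True if 'now' (aware UTC) lies inside the rule's NotBefore/NotAfter window."""
    not_before = rule.get("sudoNotBefore")
    not_after = rule.get("sudoNotAfter")
    if not_before and now < parse_generalized_time(not_before):
        return False
    if not_after and now >= parse_generalized_time(not_after):
        return False
    return True

if __name__ == "__main__":
    # Constructed rule mirroring the report: sudoNotBefore given only up to hours.
    rule = {"cn": "test", "sudoNotBefore": "2020030509Z"}
    now = parse_generalized_time("20200305095639Z")  # 'date' output from the verification run
    print(normalize_generalized_time(rule["sudoNotBefore"]), sudo_rule_active(rule, now))
```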

Comment 1 Pavel Březina 2019-11-19 12:47:41 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4118

Comment 6 Pavel Březina 2019-12-04 11:03:13 UTC
* `master`
    * 58a67cd38b8be9bef45ce70588763d851840dd65 - sysdb_sudo: Enable LDAP time format compatibility

Comment 7 Michal Zidek 2019-12-12 11:21:39 UTC
Sorry, moving back to POST, did not notice that this bug still needs ACKs. Adding devel ack.

Comment 9 shridhar 2020-03-05 14:57:56 UTC
Tested with the following data:
~]# rpm -q sssd
sssd-2.2.3-17.el8.x86_64

~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains             = LDAP
services            = nss, pam, sudo
debug_level         = 0xFFFF

[nss]
filter_groups       = root
filter_users        = root

[pam]

[sudo]
debug_level         = 0xFFFF
sudo_timed          = true

[domain/LDAP]
id_provider         = ldap
auth_provider       = ldap
sudo_provider       = ldap
debug_level         = 0xFFFF
ldap_uri            = ldaps://ipaqavma.idmqe.lab.eng.bos.redhat.com
ldap_tls_cacert     = /etc/openldap/certs/cacert.asc
ldap_search_base    = dc=example,dc=com

entry_cache_nowait_percentage       = 0
entry_cache_timeout                 = 0
ldap_sudo_smart_refresh_interval    = 1



[root@kvm-02-guest13 ~]# ldapsearch -x -h ipaqavma.idmqe.lab.eng.bos.redhat.com -b 'ou=sudoers,dc=example,dc=com' -D 'cn=Manager,dc=example,dc=com' -w 'Secret123'
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Sudoers, example.com
dn: ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, example.com
dn: cn=defaults,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: defaults

# test, Sudoers, example.com
dn: cn=test,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
cn: test
sudoRunAsUser: ALL
sudoNotBefore: 2020030509Z

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

~]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd

[root@kvm-02-guest13 ~]# sudo -l -U user1
User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[root@kvm-02-guest13 ~]# ssh user1@localhost
user1@localhost's password: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
         This System is part of the Red Hat Test System.              
                                                                      
      Please do not use this system for individual unit testing.      
                                                                      
      RHTS Test information:                                          
                         HOSTNAME=kvm-02-guest13.hv2.lab.eng.bos.redhat.com                           
                            JOBID=4112847                              
                         RECIPEID=7982488                           
                       LAB_SERVER=                         
                    RESULT_SERVER=LEGACY                      
                           DISTRO=RHEL-8.2.0-20200227.0                             
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Last login: Thu Mar  5 09:15:19 2020 from ::1
Could not chdir to home directory /home/user1: No such file or directory
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo -l
Matching Defaults entries for user1 on kvm-02-guest13:
    !authenticate

User user1 may run the following commands on kvm-02-guest13:
    (ALL) NOTBEFORE=20200305090000Z ALL
[user1@kvm-02-guest13 /]$ sudo less /var/log/secure 
[user1@kvm-02-guest13 /]$ touch /etc/sssd/sssd.conf
touch: cannot touch '/etc/sssd/sssd.conf': Permission denied
[user1@kvm-02-guest13 /]$ sudo touch /etc/sssd/sssd.conf
[user1@kvm-02-guest13 /]$ sudo True
sudo: True: command not found
[user1@kvm-02-guest13 /]$ sudo true
[user1@kvm-02-guest13 /]$ logout
Connection to localhost closed.
[root@kvm-02-guest13 ~]# date +%Y%m%d%H%M%S
20200305095639


Marking verified.

Comment 11 errata-xmlrpc 2020-04-28 16:56:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863
