869013 – Sudo smart refresh doesn't occur on time

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 869013 - Sudo smart refresh doesn't occur on time

Summary: Sudo smart refresh doesn't occur on time

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-22 18:34 UTC by Nikolai Kondrashov
Modified:	2020-05-02 17:02 UTC (History)
CC List:	4 users (show)
Fixed In Version:	sssd-1.9.2-5.el6
Doc Type:	Bug Fix
Doc Text:	Cause: SUDO smart refresh was not performed if LDAP server did not contained any rule when SSSD started. Consequence: Newly created rules where found after a longer period of time than the ldap_sudo_smart_refresh_interval option says. Fix: SUDO smart refresh is performed. Result: Newly created rule are found within ldap_sudo_smart_refresh_interval time span.
Clone Of:
Environment:
Last Closed:	2013-02-21 09:37:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Base ldif, sssd.conf and logs from the reproduction script (18.00 KB, application/x-gzip) 2012-10-22 18:34 UTC, Nikolai Kondrashov	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2638	0	None	None	None	2020-05-02 17:02:44 UTC
Red Hat Product Errata	RHSA-2013:0508	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix and enhancement update	2013-02-20 21:30:10 UTC

Description Nikolai Kondrashov 2012-10-22 18:34:55 UTC

Created attachment 631670 [details]
Base ldif, sssd.conf and logs from the reproduction script

Description of problem:
A sudo rule node newly added to the LDAP server doesn't get noticed by sssd within smart refresh interval, only within full refresh interval.

Version-Release number of selected component (if applicable):
libsss_autofs-1.9.2-3.el6.x86_64
libsss_idmap-1.9.2-3.el6.x86_64
libsss_sudo-1.9.2-3.el6.x86_64
sssd-client-1.9.2-3.el6.x86_64
sssd-1.9.2-3.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
#
# Setup
#
service sssd stop
echo "ldap_sudo_smart_refresh_interval = 10" >> /etc/sssd/sssd.conf
echo "ldap_sudo_full_refresh_interval = 30" >> /etc/sssd/sssd.conf
rm /var/lib/sss/db/*.ldb
service sssd start
# Wait for the service to really come up,
# see https://fedorahosted.org/sssd/ticket/1357
# Without this delay the bug won't reproduce
sleep 3
check_sudo() { su user1 -c 'sudo -u user2 true' 2>/dev/null && echo ALLOWED || echo DENIED; }
#
# Test
#
check_sudo
ldapmodify -x -h server -D 'cn=Directory Manager' -w Secret123 -a <<EOF
dn: cn=test,ou=Sudoers,dc=example,dc=com
cn: test
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
EOF
check_sudo; sleep 12; check_sudo; sleep 10; check_sudo; sleep 10; check_sudo
#
# Teardown
#
unset check_sudo
service sssd stop
grep -v 'ldap_sudo_\(smart\|full\)_refresh_interval' /etc/sssd/sssd.conf > /etc/sssd/sssd.conf.new
mv /etc/sssd/sssd.conf{.new,}
chmod 0600 /etc/sssd/sssd.conf
ldapdelete -x -h server -D 'cn=Directory Manager' -w Secret123 cn=test,ou=Sudoers,dc=example,dc=com
rm /var/lib/sss/db/*.ldb
service sssd start
  
Actual results:
DENIED
DENIED
DENIED
DENIED
ALLOWED

Expected results:
DENIED
DENIED
ALLOWED
ALLOWED
ALLOWED

Comment 2 Jakub Hrozek 2012-10-23 10:05:46 UTC

Pavel, can you check out the test and work with Nikolai on fixing this? Thanks!

Comment 3 Jakub Hrozek 2012-10-23 12:31:20 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1596

Comment 5 Jakub Hrozek 2012-10-24 16:26:20 UTC

Fixed upstream.

Comment 7 Nikolai Kondrashov 2012-12-14 16:56:19 UTC

Verified fixed in following packages:

sssd-client-1.9.2-41.el6.x86_64
libsss_idmap-1.9.2-41.el6.x86_64
libsss_sudo-1.9.2-41.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-41.el6.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: refresh_add_rule_before_smart
:: [   PASS   ] :: refresh_add_rule_after_smart
:: [   PASS   ] :: refresh_mod_rule_user_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_user_to_match_before_smart
:: [   PASS   ] :: refresh_mod_rule_user_to_match_after_smart
:: [   PASS   ] :: refresh_mod_rule_command_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_command_to_match
:: [   PASS   ] :: refresh_mod_rule_runasuser_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_runasuser_to_match
:: [   PASS   ] :: refresh_mod_rule_runasgroup_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_runasgroup_to_match
:: [   PASS   ] :: refresh_mod_rule_sudooption_to_require_auth
:: [   PASS   ] :: refresh_mod_rule_sudooption_to_not_require_auth

Comment 8 errata-xmlrpc 2013-02-21 09:37:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.