Bug 869013 - Sudo smart refresh doesn't occur on time
Summary: Sudo smart refresh doesn't occur on time
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-22 18:34 UTC by Nikolai Kondrashov
Modified: 2020-05-02 17:02 UTC (History)
4 users (show)

Fixed In Version: sssd-1.9.2-5.el6
Doc Type: Bug Fix
Doc Text:
Cause: SUDO smart refresh was not performed if LDAP server did not contained any rule when SSSD started. Consequence: Newly created rules where found after a longer period of time than the ldap_sudo_smart_refresh_interval option says. Fix: SUDO smart refresh is performed. Result: Newly created rule are found within ldap_sudo_smart_refresh_interval time span.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:37:51 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Base ldif, sssd.conf and logs from the reproduction script (18.00 KB, application/x-gzip)
2012-10-22 18:34 UTC, Nikolai Kondrashov
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2638 0 None None None 2020-05-02 17:02:44 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Nikolai Kondrashov 2012-10-22 18:34:55 UTC
Created attachment 631670 [details]
Base ldif, sssd.conf and logs from the reproduction script

Description of problem:
A sudo rule node newly added to the LDAP server doesn't get noticed by sssd within smart refresh interval, only within full refresh interval.

Version-Release number of selected component (if applicable):
libsss_autofs-1.9.2-3.el6.x86_64
libsss_idmap-1.9.2-3.el6.x86_64
libsss_sudo-1.9.2-3.el6.x86_64
sssd-client-1.9.2-3.el6.x86_64
sssd-1.9.2-3.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
#
# Setup
#
service sssd stop
echo "ldap_sudo_smart_refresh_interval = 10" >> /etc/sssd/sssd.conf
echo "ldap_sudo_full_refresh_interval = 30" >> /etc/sssd/sssd.conf
rm /var/lib/sss/db/*.ldb
service sssd start
# Wait for the service to really come up,
# see https://fedorahosted.org/sssd/ticket/1357
# Without this delay the bug won't reproduce
sleep 3
check_sudo() { su user1 -c 'sudo -u user2 true' 2>/dev/null && echo ALLOWED || echo DENIED; }
#
# Test
#
check_sudo
ldapmodify -x -h server -D 'cn=Directory Manager' -w Secret123 -a <<EOF
dn: cn=test,ou=Sudoers,dc=example,dc=com
cn: test
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
EOF
check_sudo; sleep 12; check_sudo; sleep 10; check_sudo; sleep 10; check_sudo
#
# Teardown
#
unset check_sudo
service sssd stop
grep -v 'ldap_sudo_\(smart\|full\)_refresh_interval' /etc/sssd/sssd.conf > /etc/sssd/sssd.conf.new
mv /etc/sssd/sssd.conf{.new,}
chmod 0600 /etc/sssd/sssd.conf
ldapdelete -x -h server -D 'cn=Directory Manager' -w Secret123 cn=test,ou=Sudoers,dc=example,dc=com
rm /var/lib/sss/db/*.ldb
service sssd start
  
Actual results:
DENIED
DENIED
DENIED
DENIED
ALLOWED

Expected results:
DENIED
DENIED
ALLOWED
ALLOWED
ALLOWED

Comment 2 Jakub Hrozek 2012-10-23 10:05:46 UTC
Pavel, can you check out the test and work with Nikolai on fixing this? Thanks!

Comment 3 Jakub Hrozek 2012-10-23 12:31:20 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1596

Comment 5 Jakub Hrozek 2012-10-24 16:26:20 UTC
Fixed upstream.

Comment 7 Nikolai Kondrashov 2012-12-14 16:56:19 UTC
Verified fixed in following packages:

sssd-client-1.9.2-41.el6.x86_64
libsss_idmap-1.9.2-41.el6.x86_64
libsss_sudo-1.9.2-41.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-1.9.2-41.el6.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: refresh_add_rule_before_smart
:: [   PASS   ] :: refresh_add_rule_after_smart
:: [   PASS   ] :: refresh_mod_rule_user_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_user_to_match_before_smart
:: [   PASS   ] :: refresh_mod_rule_user_to_match_after_smart
:: [   PASS   ] :: refresh_mod_rule_command_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_command_to_match
:: [   PASS   ] :: refresh_mod_rule_runasuser_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_runasuser_to_match
:: [   PASS   ] :: refresh_mod_rule_runasgroup_to_mismatch
:: [   PASS   ] :: refresh_mod_rule_runasgroup_to_match
:: [   PASS   ] :: refresh_mod_rule_sudooption_to_require_auth
:: [   PASS   ] :: refresh_mod_rule_sudooption_to_not_require_auth

Comment 8 errata-xmlrpc 2013-02-21 09:37:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html


Note You need to log in before you can comment on or make changes to this bug.