Bug 883106 - sudoHost mismatch response is incorrect sometimes
Summary: sudoHost mismatch response is incorrect sometimes
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 978966
Reported: 2012-12-03 19:29 UTC by Nikolai Kondrashov
Modified: 2020-05-02 17:08 UTC (History)

Fixed In Version: sssd-1.10.0-18.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 978966 (view as bug list)
Environment:
Last Closed: 2014-06-13 11:18:03 UTC
Target Upstream Version:


Attachments
sudo_host_refresh_test.ldif (2.91 KB, text/plain), 2012-12-03 19:30 UTC, Nikolai Kondrashov
sssd.conf (496 bytes, text/plain), 2012-12-03 19:31 UTC, Nikolai Kondrashov
sudo_host_refresh_test (2.78 KB, text/plain), 2012-12-03 19:32 UTC, Nikolai Kondrashov
sssd.log (102 bytes, text/plain), 2012-12-03 19:34 UTC, Nikolai Kondrashov
sssd_LDAP.log (3.11 MB, text/plain), 2012-12-03 19:34 UTC, Nikolai Kondrashov
sssd_sudo.log (152.79 KB, text/plain), 2012-12-03 19:35 UTC, Nikolai Kondrashov
host_refresh_logs2.tar.gz (336.52 KB, application/x-gzip), 2012-12-10 11:04 UTC, Nikolai Kondrashov
sudo_host_refresh_default_test (2.83 KB, text/plain), 2012-12-10 11:16 UTC, Nikolai Kondrashov
host_refresh_logs_default.tar.gz (133.88 KB, application/x-gzip), 2012-12-10 11:17 UTC, Nikolai Kondrashov
nsswitch.conf (1.67 KB, text/plain), 2012-12-10 11:39 UTC, Nikolai Kondrashov
sudoers (4.21 KB, text/plain), 2012-12-10 11:39 UTC, Nikolai Kondrashov


Links
Github SSSD sssd issues 2735 (last updated 2020-05-02 17:08:57 UTC)

Description Nikolai Kondrashov 2012-12-03 19:29:21 UTC
Description of problem:
sudo access denial response is sometimes incorrect when a rule's sudoHost attribute mismatches. This happens after the relevant rule was changed from matching sudoHost to mismatching sudoHost a few times, with a smart refresh in between match and nonmatch changes. After several more iterations the response seems to stabilize on being incorrect, and responses are given noticeably faster.

Version-Release number of selected component (if applicable):
sssd-1.9.2-30.el6.x86_64
libsss_sudo-1.9.2-30.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-client-1.9.2-30.el6.x86_64
libsss_idmap-1.9.2-30.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use the attached "sudo_host_refresh_test.ldif" file to fill LDAP directory.
2. Use the attached "sssd.conf" file as the base for SSSD configuration.
3. Execute the attached "sudo_host_refresh_test" script with "sssd" argument.
  
Actual results:
---:<---
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561769 1/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561771 1/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561772 1/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561774 1/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561775 1/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561782 2/1: 1
sudo: no tty present and no askpass program specified
1354561783 2/2: 1
sudo: no tty present and no askpass program specified
1354561785 2/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561785 2/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561786 2/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561793 3/1: 1
sudo: no tty present and no askpass program specified
1354561795 3/2: 1
sudo: no tty present and no askpass program specified
1354561796 3/3: 1
sudo: no tty present and no askpass program specified
1354561796 3/4: 1
sudo: no tty present and no askpass program specified
1354561797 3/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561804 4/1: 0
sudo: no tty present and no askpass program specified
1354561805 4/2: 1
sudo: no tty present and no askpass program specified
1354561805 4/3: 1
sudo: no tty present and no askpass program specified
1354561805 4/4: 1
sudo: no tty present and no askpass program specified
1354561805 4/5: 1
sudo: no tty present and no askpass program specified
1354561811 5/1: 1
sudo: no tty present and no askpass program specified
1354561811 5/2: 1
sudo: no tty present and no askpass program specified
1354561811 5/3: 1
sudo: no tty present and no askpass program specified
1354561811 5/4: 1
sudo: no tty present and no askpass program specified
1354561812 5/5: 1
--->:---

The lines after the sudo responses contain the timestamp in seconds, the match/non-match change iteration number, the sudo execution attempt number and the sudo exit status.

The "user1 is not allowed to run sudo on client-rhel6.  This incident will be reported." response is correct. The "user1 is not in the sudoers file.  This incident will be reported." response is unusual and is likely incorrect, but the text itself is more or less suitable. The "sudo: no tty present and no askpass program specified" response is definitely incorrect, as it goes against the "defaults" entry. Please note the definitely incorrect exit status of 0 in the 4/1 entry. Also note how much faster the responses are given after that entry. This could signify some internal state corruption.

Expected results:
---:<---
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562694 1/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 2/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 2/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 2/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 2/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 2/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/5: 1
--->:---

The output above is produced with "sudoers" set to "ldap" in /etc/nsswitch.conf and the attached "sudo_host_refresh_test" script invoked with "ldap" argument.
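As an added example (not the reporter's attached test script), the following Python checker reads the output format described above: it pairs each sudo response with the "<timestamp> <iteration>/<attempt>: <exit status>" line that follows it, flags the conditions the report calls incorrect (a zero exit status, any response other than the host-mismatch denial) and measures how long each iteration took, so the "noticeably faster" answers show up as a collapsed time span. The sample output is a constructed excerpt of the run shown above.

```python
import re
from collections import namedtuple
from typing import Dict, List, Tuple

# Constructed excerpt of the "Actual results" block above, not the full run.
# Each sudo response is followed by "<epoch seconds> <iteration>/<attempt>: <exit status>".
SAMPLE_OUTPUT = """\
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561775 1/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561782 2/1: 1
sudo: no tty present and no askpass program specified
1354561783 2/2: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561804 4/1: 0
sudo: no tty present and no askpass program specified
1354561805 4/2: 1
"""
EXPECTED_DENIAL = "is not allowed to run sudo on"   # the only correct answer for a sudoHost mismatch
STATUS_RE = re.compile(r"^(\d+) (\d+)/(\d+): (\d+)$")
# fields: epoch seconds, change iteration, attempt within the iteration, exit status, response text
Attempt = namedtuple("Attempt", "ts iteration attempt status message")

def parse_output(text: str) -> List[Attempt]:
    """Pair each sudo response line with the status line that follows it."""
    attempts, pending = [], ""
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m is None:
            pending = line.strip()      # response text; the status line comes next
            continue
        ts, it, at, st = (int(g) for g in m.groups())
        attempts.append(Attempt(ts, it, at, st, pending))
        pending = ""
    return attempts

def find_anomalies(attempts: List[Attempt]) -> List[Tuple[str, str]]:
    """Flag anything other than a plain host-mismatch denial with exit status 1."""
    found = []
    for a in attempts:
        tag = f"{a.iteration}/{a.attempt}"
        if a.status == 0:
            found.append((tag, "exit status 0: access granted despite sudoHost mismatch"))
        if EXPECTED_DENIAL not in a.message:
            found.append((tag, "unexpected response: " + a.message))
    return found

def iteration_span(attempts: List[Attempt]) -> Dict[int, int]:
    """Seconds between the first and last attempt of each iteration; a sudden
    drop matches the faster responses the report notes after entry 4/1."""
    stamps: Dict[int, List[int]] = {}
    for a in attempts:
        stamps.setdefault(a.iteration, []).append(a.ts)
    return {it: max(ts) - min(ts) for it, ts in stamps.items()}
```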

Comment 1 Nikolai Kondrashov 2012-12-03 19:30:18 UTC
Created attachment 656918 [details]
sudo_host_refresh_test.ldif

Comment 2 Nikolai Kondrashov 2012-12-03 19:31:00 UTC
Created attachment 656928 [details]
sssd.conf

Comment 3 Nikolai Kondrashov 2012-12-03 19:32:37 UTC
Created attachment 656940 [details]
sudo_host_refresh_test

Comment 5 Nikolai Kondrashov 2012-12-03 19:34:02 UTC
Created attachment 656941 [details]
sssd.log

Comment 6 Nikolai Kondrashov 2012-12-03 19:34:47 UTC
Created attachment 656942 [details]
sssd_LDAP.log

Comment 7 Nikolai Kondrashov 2012-12-03 19:35:23 UTC
Created attachment 656943 [details]
sssd_sudo.log

Comment 8 Jakub Hrozek 2012-12-05 09:01:38 UTC
Pavel, have you had a chance to take a look?

Comment 9 Jakub Hrozek 2012-12-05 09:04:42 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1693

Comment 11 Nikolai Kondrashov 2012-12-10 10:56:36 UTC
Re-ran the original test with these packages:
sssd-client-1.9.2-37.el6.x86_64
sssd-1.9.2-37.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-37.el6.x86_64
libsss_sudo-1.9.2-37.el6.x86_64

The sssd and sudo debug logs for the run are to be attached.

The output pattern has changed a bit:
---:<---
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136689 1/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136691 1/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136692 1/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136694 1/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136695 1/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1355136702 2/1: 1
sudo: no tty present and no askpass program specified
1355136703 2/2: 1
sudo: no tty present and no askpass program specified
1355136704 2/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136705 2/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136706 2/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1355136713 3/1: 1
sudo: no tty present and no askpass program specified
1355136715 3/2: 1
sudo: no tty present and no askpass program specified
1355136716 3/3: 1
sudo: no tty present and no askpass program specified
1355136717 3/4: 1
sudo: no tty present and no askpass program specified
1355136717 3/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136724 4/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136726 4/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136727 4/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136728 4/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136729 4/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136736 5/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136737 5/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136738 5/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136739 5/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136740 5/5: 1
--->:---

Comment 12 Nikolai Kondrashov 2012-12-10 11:04:14 UTC
Created attachment 660711 [details]
host_refresh_logs2.tar.gz

Comment 13 Nikolai Kondrashov 2012-12-10 11:16:53 UTC
Created attachment 660719 [details]
sudo_host_refresh_default_test

Retried without setting entry_cache_timeout, smart and full refresh interval, with the attached modified test.

This results in always the same, polite answer and stable response time:
---:<---
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137758 1/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137771 3/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137771 3/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/5: 1
--->:---

The logs are to be attached.

Comment 14 Nikolai Kondrashov 2012-12-10 11:17:50 UTC
Created attachment 660722 [details]
host_refresh_logs_default.tar.gz

Comment 15 Nikolai Kondrashov 2012-12-10 11:23:52 UTC
Where should I look for core files?
I have abrtd running.

Comment 16 Nikolai Kondrashov 2012-12-10 11:28:56 UTC
Restoring original component. Don't know the reason it changed, but I've seen this happen to another bug of mine. Could be a bug in Bugzilla.

Comment 17 Nikolai Kondrashov 2012-12-10 11:29:38 UTC
abrt-cli list doesn't show any core files.

Comment 18 Nikolai Kondrashov 2012-12-10 11:39:25 UTC
Created attachment 660745 [details]
nsswitch.conf

Comment 19 Nikolai Kondrashov 2012-12-10 11:39:56 UTC
Created attachment 660746 [details]
sudoers

Comment 20 Nikolai Kondrashov 2012-12-11 20:56:02 UTC
I've noticed a similar effect just adding/removing a rule with similar timing.

Comment 22 Nikolai Kondrashov 2012-12-14 13:35:09 UTC
Please note that although the issue reproduced only with a minimal refresh interval, there is no proof that it won't reproduce with other intervals, including the default one. As evidenced by the behavior described in the bug description, some internal state corruption could be happening.

As the cause is unknown and the effect is not fully studied, I would say that it is not entirely safe to release the package as is.

Comment 23 Pavel Březina 2012-12-19 12:50:03 UTC
I was able to reproduce this issue on RHEL6.4 machine.

Comment 25 Nikolai Kondrashov 2013-03-12 19:35:59 UTC
Please note that this bug interferes with automatic testing considerably, as it uses a low smart refresh interval while testing smart refresh and attribute value handling to speed it up.

The sudo suite has about 20% tests waived currently because of this bug.

I would prefer this bug fixed sooner.

Comment 26 Jakub Hrozek 2013-07-10 16:27:02 UTC
Fixed upstream in 1.10.0

Comment 27 Nikolai Kondrashov 2013-09-11 13:18:06 UTC
Verified as fixed with the following packages:

sssd-common-1.11.0-1.el7.x86_64
sssd-ad-1.11.0-1.el7.x86_64
sssd-ipa-1.11.0-1.el7.x86_64
libsss_idmap-1.11.0-1.el7.x86_64
sssd-client-1.11.0-1.el7.x86_64
sssd-krb5-common-1.11.0-1.el7.x86_64
sssd-ldap-1.11.0-1.el7.x86_64
sssd-proxy-1.11.0-1.el7.x86_64
python-sssdconfig-1.11.0-1.el7.noarch
sssd-krb5-1.11.0-1.el7.x86_64
sssd-1.11.0-1.el7.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: stress_refresh_attr_host (Expected 0, got 0)

Comment 28 Ludek Smid 2014-06-13 11:18:03 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.