883106 – sudoHost mismatch response is incorrect sometimes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 883106 - sudoHost mismatch response is incorrect sometimes

Summary: sudoHost mismatch response is incorrect sometimes

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	978966
TreeView+	depends on / blocked

Reported:	2012-12-03 19:29 UTC by Nikolai Kondrashov
Modified:	2020-05-02 17:08 UTC (History)
CC List:	4 users (show)
Fixed In Version:	sssd-1.10.0-18.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	978966 (view as bug list)
Environment:
Last Closed:	2014-06-13 11:18:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
sudo_host_refresh_test.ldif (2.91 KB, text/plain) 2012-12-03 19:30 UTC, Nikolai Kondrashov	no flags	Details
sssd.conf (496 bytes, text/plain) 2012-12-03 19:31 UTC, Nikolai Kondrashov	no flags	Details
sudo_host_refresh_test (2.78 KB, text/plain) 2012-12-03 19:32 UTC, Nikolai Kondrashov	no flags	Details
sssd.log (102 bytes, text/plain) 2012-12-03 19:34 UTC, Nikolai Kondrashov	no flags	Details
sssd_LDAP.log (3.11 MB, text/plain) 2012-12-03 19:34 UTC, Nikolai Kondrashov	no flags	Details
sssd_sudo.log (152.79 KB, text/plain) 2012-12-03 19:35 UTC, Nikolai Kondrashov	no flags	Details
host_refresh_logs2.tar.gz (336.52 KB, application/x-gzip) 2012-12-10 11:04 UTC, Nikolai Kondrashov	no flags	Details
sudo_host_refresh_default_test (2.83 KB, text/plain) 2012-12-10 11:16 UTC, Nikolai Kondrashov	no flags	Details
host_refresh_logs_default.tar.gz (133.88 KB, application/x-gzip) 2012-12-10 11:17 UTC, Nikolai Kondrashov	no flags	Details
nsswitch.conf (1.67 KB, text/plain) 2012-12-10 11:39 UTC, Nikolai Kondrashov	no flags	Details
sudoers (4.21 KB, text/plain) 2012-12-10 11:39 UTC, Nikolai Kondrashov	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2735	0	None	None	None	2020-05-02 17:08:57 UTC

Description Nikolai Kondrashov 2012-12-03 19:29:21 UTC

Description of problem:
sudo access denial response is sometimes incorrect, when a rule sudoHost attribute mismatches. This happens after the relevant rule was changed from matching sudoHost to mismatching sudoHost a few times with a smart refresh in between match and nonmatch changes. After several more iterations the response seems to stabilize on being incorrect and responses are given noticeably faster.

Version-Release number of selected component (if applicable):
sssd-1.9.2-30.el6.x86_64
libsss_sudo-1.9.2-30.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
sssd-client-1.9.2-30.el6.x86_64
libsss_idmap-1.9.2-30.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use the attached "sudo_host_refresh_test.ldif" file to fill LDAP directory.
2. Use the attached "sssd.conf" file as the base for SSSD configuration.
3. Execute the attached "sudo_host_refresh_test" script with "sssd" argument.
  
Actual results:
---:<---
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561769 1/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561771 1/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561772 1/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561774 1/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561775 1/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561782 2/1: 1
sudo: no tty present and no askpass program specified
1354561783 2/2: 1
sudo: no tty present and no askpass program specified
1354561785 2/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561785 2/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354561786 2/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561793 3/1: 1
sudo: no tty present and no askpass program specified
1354561795 3/2: 1
sudo: no tty present and no askpass program specified
1354561796 3/3: 1
sudo: no tty present and no askpass program specified
1354561796 3/4: 1
sudo: no tty present and no askpass program specified
1354561797 3/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1354561804 4/1: 0
sudo: no tty present and no askpass program specified
1354561805 4/2: 1
sudo: no tty present and no askpass program specified
1354561805 4/3: 1
sudo: no tty present and no askpass program specified
1354561805 4/4: 1
sudo: no tty present and no askpass program specified
1354561805 4/5: 1
sudo: no tty present and no askpass program specified
1354561811 5/1: 1
sudo: no tty present and no askpass program specified
1354561811 5/2: 1
sudo: no tty present and no askpass program specified
1354561811 5/3: 1
sudo: no tty present and no askpass program specified
1354561811 5/4: 1
sudo: no tty present and no askpass program specified
1354561812 5/5: 1
--->:---

The lines after sudo responses contain timestamp in seconds, match/non-match change iteration number, sudo execution attempt number and sudo exit status.

The "user1 is not allowed to run sudo on client-rhel6.  This incident will be reported." response is correct. The "user1 is not in the sudoers file.  This incident will be reported." response is unusual and is likely incorrect, but the text itself is suitable more-or-less. The "sudo: no tty present and no askpass program specified" response is definitely incorrect as it goes against the "defaults" entry. Please note the definitely incorrect exit status of 0 in the 4/1 entry. Also note how much faster the responses are given after that entry. This could signify some internal state corruption.

Expected results:
---:<---
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562694 1/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 1/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 2/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562695 2/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 2/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 2/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 2/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 3/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 4/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1354562696 5/5: 1
--->:---

The output above is produced with "sudoers" set to "ldap" in /etc/nsswitch.conf and the attached "sudo_host_refresh_test" script invoked with "ldap" argument.

Comment 1 Nikolai Kondrashov 2012-12-03 19:30:18 UTC

Created attachment 656918 [details]
sudo_host_refresh_test.ldif

Comment 2 Nikolai Kondrashov 2012-12-03 19:31:00 UTC

Created attachment 656928 [details]
sssd.conf

Comment 3 Nikolai Kondrashov 2012-12-03 19:32:37 UTC

Created attachment 656940 [details]
sudo_host_refresh_test

Comment 5 Nikolai Kondrashov 2012-12-03 19:34:02 UTC

Created attachment 656941 [details]
sssd.log

Comment 6 Nikolai Kondrashov 2012-12-03 19:34:47 UTC

Created attachment 656942 [details]
sssd_LDAP.log

Comment 7 Nikolai Kondrashov 2012-12-03 19:35:23 UTC

Created attachment 656943 [details]
sssd_sudo.log

Comment 8 Jakub Hrozek 2012-12-05 09:01:38 UTC

Pavel, have you had a chance to take a look?

Comment 9 Jakub Hrozek 2012-12-05 09:04:42 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1693

Comment 11 Nikolai Kondrashov 2012-12-10 10:56:36 UTC

Re-ran the original test with these packages:
sssd-client-1.9.2-37.el6.x86_64
sssd-1.9.2-37.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-37.el6.x86_64
libsss_sudo-1.9.2-37.el6.x86_64

The sssd and sudo debug logs for the run are to be attached.

The output pattern has changed a bit:
---:<---
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136689 1/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136691 1/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136692 1/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136694 1/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136695 1/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1355136702 2/1: 1
sudo: no tty present and no askpass program specified
1355136703 2/2: 1
sudo: no tty present and no askpass program specified
1355136704 2/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136705 2/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136706 2/5: 1
user1 is not in the sudoers file.  This incident will be reported.
1355136713 3/1: 1
sudo: no tty present and no askpass program specified
1355136715 3/2: 1
sudo: no tty present and no askpass program specified
1355136716 3/3: 1
sudo: no tty present and no askpass program specified
1355136717 3/4: 1
sudo: no tty present and no askpass program specified
1355136717 3/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136724 4/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136726 4/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136727 4/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136728 4/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136729 4/5: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136736 5/1: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136737 5/2: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136738 5/3: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136739 5/4: 1
user1 is not allowed to run sudo on client-rhel6.  This incident will be reported.
1355136740 5/5: 1
--->:---

Comment 12 Nikolai Kondrashov 2012-12-10 11:04:14 UTC

Created attachment 660711 [details]
host_refresh_logs2.tar.gz

Comment 13 Nikolai Kondrashov 2012-12-10 11:16:53 UTC

Created attachment 660719 [details]
sudo_host_refresh_default_test

Retried without setting entry_cache_timeout, smart and full refresh interval, with the attached modified test.

This results in always the same, polite answer and stable response time:
---:<---
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137758 1/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137759 1/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137765 2/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137771 3/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137771 3/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137772 3/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137778 4/5: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/1: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/2: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/3: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/4: 1
Sorry, user user1 is not allowed to execute '/bin/true' as user2 on client-rhel6.sss-test.test.
1355137784 5/5: 1
--->:---

The logs are to be attached.

Comment 14 Nikolai Kondrashov 2012-12-10 11:17:50 UTC

Created attachment 660722 [details]
host_refresh_logs_default.tar.gz

Comment 15 Nikolai Kondrashov 2012-12-10 11:23:52 UTC

Where should I look for core files?
I have abrtd running.

Comment 16 Nikolai Kondrashov 2012-12-10 11:28:56 UTC

Restoring original component. Don't know the reason it changed, but I've seen this happen to another bug of mine. Could be a bug in Bugzilla.

Comment 17 Nikolai Kondrashov 2012-12-10 11:29:38 UTC

abrt-cli list doesn't show any core files.

Comment 18 Nikolai Kondrashov 2012-12-10 11:39:25 UTC

Created attachment 660745 [details]
nsswitch.conf

Comment 19 Nikolai Kondrashov 2012-12-10 11:39:56 UTC

Created attachment 660746 [details]
sudoers

Comment 20 Nikolai Kondrashov 2012-12-11 20:56:02 UTC

I've noticed similar effect just adding/removing a rule with similar timing.

Comment 22 Nikolai Kondrashov 2012-12-14 13:35:09 UTC

Please note, that although the issue reproduced only with minimal refresh interval, there is no proof that it won't reproduce with other intervals, including the default one. As evidenced by the behavior described in the bug description some internal state corruption could be happening.

As the cause is unknown and the effect is not fully studied, I would say that it is not entirely safe to release the package as is.

Comment 23 Pavel Březina 2012-12-19 12:50:03 UTC

I was able to reproduce this issue on RHEL6.4 machine.

Comment 25 Nikolai Kondrashov 2013-03-12 19:35:59 UTC

Please note, that this bug interferes with automatic testing considerably, as
it uses low smart refresh interval while testing smart refresh and attribute
value handling to speed it up.

The sudo suite has about 20% tests waived currently because of this bug.

I would prefer this bug fixed sooner.

Comment 26 Jakub Hrozek 2013-07-10 16:27:02 UTC

Fixed upstream in 1.10.0

Comment 27 Nikolai Kondrashov 2013-09-11 13:18:06 UTC

Verified as fixed with the following packages:

sssd-common-1.11.0-1.el7.x86_64
sssd-ad-1.11.0-1.el7.x86_64
sssd-ipa-1.11.0-1.el7.x86_64
libsss_idmap-1.11.0-1.el7.x86_64
sssd-client-1.11.0-1.el7.x86_64
sssd-krb5-common-1.11.0-1.el7.x86_64
sssd-ldap-1.11.0-1.el7.x86_64
sssd-proxy-1.11.0-1.el7.x86_64
python-sssdconfig-1.11.0-1.el7.noarch
sssd-krb5-1.11.0-1.el7.x86_64
sssd-1.11.0-1.el7.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: stress_refresh_attr_host (Expected 0, got 0)

Comment 28 Ludek Smid 2014-06-13 11:18:03 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.