Bug 902716 - Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Blocks: 905536
Reported: 2013-01-22 10:28 UTC by Nikolai Kondrashov
Modified: 2020-05-02 17:15 UTC
Fixed In Version: sssd-1.9.2-79.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Last Closed: 2013-02-21 09:43:49 UTC


Attachments
mismatch_refresh_test.ldif (3.47 KB, text/plain), 2013-01-22 10:29 UTC, Nikolai Kondrashov
sssd.conf (677 bytes, text/plain), 2013-01-22 10:30 UTC, Nikolai Kondrashov
mismatch_refresh_test.ldif (3.47 KB, text/plain), 2013-01-22 10:32 UTC, Nikolai Kondrashov


Links
System | ID | Status | Summary | Last Updated
Github SSSD sssd issues | 2821 | closed | Rule mismatch isn't noticed before smart refresh on ppc64 and s390x | 2020-05-02 17:15:08 UTC
Red Hat Product Errata | RHSA-2013:0508 | SHIPPED_LIVE | Low: sssd security, bug fix and enhancement update | 2013-02-20 21:30:10 UTC

Description Nikolai Kondrashov 2013-01-22 10:28:39 UTC
Description of problem:
SSSD doesn't notice rule becoming a mismatch immediately, but only after a smart refresh on ppc64 and s390x with directory server running on x86_64.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-74.el6.s390x
libsss_idmap-1.9.2-74.el6.s390x
libsss_sudo-1.9.2-74.el6.s390x
sssd-1.9.2-74.el6.s390x

How reproducible:
always

Steps to Reproduce:
1. Set up an LDAP directory, using the attached mismatch_refresh_test.ldif file as reference.
2. Set up the SSSD client, using the attached sssd.conf as reference.
3. Execute the following, replacing the server hostname:
---:<---
service sssd restart >/dev/null
ldapmodify -h dell-pe840-01.rhts.eng.bos.redhat.com -x -D cn=Manager,dc=example,dc=com -w Secret123 <<<"
dn: cn=test,ou=Sudoers,dc=example,dc=com
replace: sudoUser
sudoUser: user2" >/dev/null
su -c 'sudo -u user2 true' user1 && echo ALLOWED || echo DENIED
sleep 11
su -c 'sudo -u user2 true' user1 && echo ALLOWED || echo DENIED
--->:---

Actual results:
ALLOWED
user1 is not allowed to run sudo on ibm-z10-02.  This incident will be reported.
DENIED

Expected results:
user1 is not allowed to run sudo on ibm-z10-02.  This incident will be reported.
DENIED
user1 is not allowed to run sudo on ibm-z10-02.  This incident will be reported.
DENIED

Additional info:
This works as documented on x86_64 and i386.

Use the following command for test teardown, replacing the server hostname:
---:<---
ldapmodify  -h dell-pe840-01.rhts.eng.bos.redhat.com -x -D cn=Manager,dc=example,dc=com -w Secret123 <<<"
dn: cn=test,ou=Sudoers,dc=example,dc=com
replace: sudoUser
sudoUser: user1" >/dev/null
--->:---
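
An added helper, not code from the bug report or from SSSD, that turns the reproduction above into a timed check of how long a sudoers change in LDAP takes to be enforced on the client: it revokes user1 from the rule, polls sudo until it is denied (or a deadline passes), and restores the rule as the teardown does. The server hostname, the helper names, the NOPASSWD assumption and the MAX_WAIT/RUN_LATENCY_CHECK variables are assumptions; the DN, users and bind credentials are the report's test values.

```shell
# Added example, not code from the report or from SSSD: turns the reproduction
# above into a timed check of how long a sudo rule change takes to reach the
# client. Host, bind password and rule DN are the report's; replace as needed.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"               # placeholder host
BIND_DN="${BIND_DN:-cn=Manager,dc=example,dc=com}"
BIND_PW="${BIND_PW:-Secret123}"                          # report's test password
RULE_DN="${RULE_DN:-cn=test,ou=Sudoers,dc=example,dc=com}"

# Point the test rule's sudoUser at one user (the same modify the report does).
set_rule_user() {
    ldapmodify -h "$LDAP_HOST" -x -D "$BIND_DN" -w "$BIND_PW" >/dev/null <<EOF
dn: $RULE_DN
changetype: modify
replace: sudoUser
sudoUser: $1
EOF
}

# Probe: may user1 still run a command as user2? -n stops sudo prompting
# (the rule is assumed to carry NOPASSWD, as the report's unattended run implies).
probe_sudo() { su -c 'sudo -n -u user2 true' user1 2>/dev/null; }

# poll_until_denied PROBE MAX: run PROBE once a second until it fails. Prints
# seconds elapsed; exit status 1 if PROBE still succeeded after MAX seconds.
poll_until_denied() {
    probe="$1"; max="$2"; elapsed=0
    while "$probe"; do
        elapsed=$((elapsed + 1))
        if [ "$elapsed" -gt "$max" ]; then echo "$elapsed"; return 1; fi
        sleep 1
    done
    echo "$elapsed"
}

# Revoke user1 (rule now names user2 only), time it, then restore the rule
# exactly as the report's teardown does. MAX_WAIT defaults to 30 seconds.
main() {
    set_rule_user user2
    if took=$(poll_until_denied probe_sudo "${MAX_WAIT:-30}"); then
        echo "revocation effective after ${took}s"
    else
        echo "STILL ALLOWED after ${took}s: only the smart refresh will catch it"
    fi
    set_rule_user user1
}

# The live check only runs when asked for, so the file is safe to source.
if [ "${RUN_LATENCY_CHECK:-0}" = 1 ]; then main; fi
```

On a healthy client the printed delay is a second or two; a result that only drops to DENIED after the smart refresh interval is the behaviour this bug describes.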

Comment 1 Nikolai Kondrashov 2013-01-22 10:29:37 UTC
Created attachment 685018: mismatch_refresh_test.ldif

Comment 2 Nikolai Kondrashov 2013-01-22 10:30:02 UTC
Created attachment 685019: sssd.conf

Comment 3 Nikolai Kondrashov 2013-01-22 10:32:20 UTC
Created attachment 685034: mismatch_refresh_test.ldif

Comment 5 Nikolai Kondrashov 2013-01-22 10:51:39 UTC
I'd say this bug could lead to a security issue, where an administrator would expect access right revocation to become effective immediately on ppc64 or s390x, similarly to what happens on i386 or x86_64, and not only after the smart refresh interval, which could be set noticeably long.

Comment 6 Pavel Březina 2013-01-22 11:49:21 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1779

Comment 7 Pavel Březina 2013-01-22 11:53:55 UTC
Hi,
can you please attach logs? Also, would you be so kind as to prepare a test environment on these architectures for me? Thanks.

Comment 8 Jakub Hrozek 2013-01-22 12:10:18 UTC
(In reply to comment #7)
> Hi,
> can you please attach logs? Also, would you be so kind as to prepare a test
> environment on these architectures for me? Thanks.

Details on reproduction environment were passed on IRC.

Comment 10 Nikolai Kondrashov 2013-01-29 18:49:08 UTC
Verified as fixed with the following packages:
sssd-client-1.9.2-82.el6.s390x
libsss_idmap-1.9.2-82.el6.s390x
sssd-1.9.2-82.el6.s390x
libsss_sudo-1.9.2-82.el6.s390x

Relevant sudo suite output:

:: [   PASS   ] :: refresh_mod_rule_user_to_mismatch

Comment 11 errata-xmlrpc 2013-02-21 09:43:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
