Please see the attached patches. I tried to split the patches logically
into manageable sets.
Unfortunately I made a minor mistake and I am afraid I will do something
wrong to fix it.
I merged two wrong patches. Fortunately it was three liner with 1 liner
so it is not a big of the deal but I am really scared that I will do
something wrong and loose the work I have done.
So I hope it is Ok to send it as is.
0001--INI-Making-Coverity-happy.patch <- this is the patch I submitted
earlier that I merged by mistake. I was supposed to merge it with patch
25 but picked the wrong one instead.
Patch 25 addresses the real issue found by Coverity as mentioned in
Stephen's review mail but it did not apply cleanly since it relies on
some code from the patches in the middle.
0002--INI-Adding-missing-function-declararion.patch <- this is the
patch that was rejected from the second set sent earlier. Fixed
according to review comment.
0003--BUILD-Allow-trace-per-component.patch <- This patch allows tracing
The following set of patches introduces the merging of sections during
the reading of the file:
Patches related porting of the meta data from old way of doing things to
the new way of doing things:
0021--INI-Avoid-double-free.patch <- patch related to 17 (missed check)
0024--INI-Rename-error-print-function.patch <- rename error printing
function for consistency with new interface
0025--INI-Initialize-variables-in-loops.patch <- Coverity issue
addressed. Related to patch 0001.
0026--INI-Exposing-functions.patch <- Make some internal functions reusable
There is also patch 27. It is a piece of new functionality. It is a
preview. Please see the comment before reviewing it.
Do I need to split it into multiple patches or it is Ok as is? It is
pretty big but all changes are in one file and logically related.
The UNIT test is missing so I am not claiming it actually works as
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
I'm sending two patches related to the last USN detection (ticket #734). I did
some testing and they seem to work just fine. The only thing I'm not sure about
is if I got right what Simo exactly meant by the ticket, but I hope I got it
Running the SSSD from the command-line with -d N would not override a
value set in the sssd.conf. This was due to a few bad architecture
decisions around how to handle the debug_level.
This patch also makes the following changes:
1) The [sssd] debug_level setting no longer acts as a default for
all other sections. This was always accidental, and was never
documented to behave this way, so I think it's an acceptable
change, even if it is a backwards-compatibility break.
2) We will now skip passing the debug argument to the child
processes from the master unless the SSSD was run with a
command-line argument for the debug level.
====== SSSD Security Release 1.5.7 ==========================
= Subject: User impersonation attack
= CVE ID#: CVE-2011-1758
= Summary: The current stable and development version
= of SSSD are vulnerable to a user
= impersonation attack.
= Impact: moderate
= Affects default
= configuration: Negative
= Introduced with: 1.5.0
The current stable and development version of SSSD are vulnerable to a
user impersonation attack.
A malicious user can log in as a legitimate user by using a well-known
plain text under specific circumstances.
The user's legitimate credentials are *not* disclosed.
The vulnerability is present if the automatic ticket renewal option is
enabled, and only if a ticket renewal operation for the user has been
recently performed without any further authentication from the
legitimate user taking place since.
The vulnerability is exploitable only if the SSSD daemon is
authenticating in offline mode (servers not reachable), and offline
authentication is enabled.
The vulnerability is rated moderate due to the fact the vulnerability is
present only in non default configurations and the vulnerability is
available only after a very specific set of circumstances materializes.
A patch addressing this issue is available at:
Disable automatic ticket renewal and flush sssd caches to remove bad
The automatic ticket renewal service in SSSD operates by providing the
active credential cache to the kerberos libraries in order to renew the
user's TGT on their behalf by using their existing credentials.
Internally, SSSD treats this as a standard authentication, which upon
success will update the cached credentials of the user.
The side-effect here is that the user's credentials in the context of
this renewal are actually the path to the credential cache file,
instead of their real password. So as a result, the user's cached
credentials have now become a different string.
The security issue is that this new cached-credential string is now
predictable. Another user on the local system would now be capable of
logging in as the first user by performing an 'ls /tmp' and seeing what
the first user's cache file is called.
The problem gets further complicated if the administrators has modified
the SSSD config option 'krb5_ccache_template' to remove the mkstemp()
suffix. This would then make the credential cache's name predictable to
a network attacker as well.
With this release, we no longer erroneously set the credential cache
path as the user's cached credentials, removing this vulnerability and
restoring the user's ability to log in properly in offline mode.
Thanks to Marko Myllynen (Red Hat) for reporting and to Stephen
Gallagher for identifying the actual problem.
The SSSD team.
When the internal ticket renewal process runs, it has the Kerberos
credential cache saved into the 'authtok' member attribute of the PAM
data. So after it successfully renews the ticket, we're saving this
value to the cache.
We need to skip updating the cached password if it's happening during
automatic ticket renewal.
Currently, we run SSSD on a RHEL5 update 4 box. SSSD version is 1.2.1. For
the main purpose we need it, caching credentials, it works like a charm.
Now, we have a custom compiled sudo version (sudo 1.6) which does query LDAP
for the sudo rules.
I was testing if sudo still worked while using cached credentials. (Which
is one of the requirements of the project, as users are not allowed root
and it did work. I simply pulled the network cable out of the network
interface, rebooted the machine, logged in with cached credentials and tried
a sudo su - (Which I am allowed to do). And it worked. Is this intended
behaviour, am I looking at the wrong things or did I discover a 'hidden
feature/anomaly'due to the custom sudo version ?
I tried searching on sudo and sssd with google, I only read articles that
sudo and sssd are not integrated yet(but in the works), so I am wondering
how this works.