On Wed, Oct 11, 2017 at 06:03:27PM -0400, Douglas Duckworth wrote:
To mitigate, could one make the cache only readable by root, which I
thought would be the default?

Yes, the cache file is only readable as root. But it is read by SSSD
components running as root as well.
bye,
Sumit
On Oct 11, 2017 5:43 PM, "Lachlan Musicman" <datakid(a)gmail.com> wrote:
Will the COPR repos be republished?
------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "
*Greg Bloom* @greggish
https://twitter.com/greggish/status/873177525903609857
On 12 October 2017 at 02:41, Sumit Bose <sbose(a)redhat.com> wrote:
> =============== A security bug in SSSD 1.12 and later =========================
> =
> = Subject: Unsanitized input when searching in local cache database
> =
> = CVE ID#: CVE-2017-12173
> =
> = Summary: SSSD stores its cached data in an LDAP-like local database
> = file using libldb. To look up cached data, LDAP search
> = filters like '(objectClass=user)(name=user_name)' are used.
> = However, in sysdb_search_user_by_upn_res(), the input is
> = not sanitized and allows manipulating the search filter
> = for cache lookups.
> =
> = This would allow a logged-in user to discover the password
> = hash of a different user.
> =
> = Impact: Moderate
> =
> = Affects default
> = configuration: When configured with tools like realmd or
> = ipa-client-install
> =
> = Introduced with: 1.12.0
> =
> ==============================================================================
>
> ==== DESCRIPTION ====
>
> SSSD stores its cached data in an LDAP-like local database file using
> libldb. To look up cached data, LDAP search filters like
> '(objectClass=user)(name=user_name)' are used. However, in
> sysdb_search_user_by_upn_res(), the input is not sanitized and allows
> manipulating the search filter for cache lookups.
>
> This would allow a logged-in user to discover the password hash of a
> different user.
>
> While in the default configuration the sssd.conf parameter
> 'cache_credentials' is set to 'False', it is typically switched to 'True'
> by tools like realmd or ipa-client-install to support offline
> authentication.
>
> To remove only the password hashes from the cache, 'cache_credentials'
> should be set to 'False' in all [domain/...] sections of sssd.conf.
> Additionally, the already stored hashes must be removed, e.g. by calling
>
> ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
>
> for each configured domain and removing all 'cachedPassword' attributes.
>
> ==== PATCH AVAILABILITY ====
>
> The patch is available at:
>
> https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?branch=master
>
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>
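The defect the advisory describes, as an added C example that is not SSSD's code: an RFC 4515 style value escaper next to a filter builder that splices a user-supplied UPN in either verbatim (the unsanitized case) or escaped (the shape of the fix; SSSD has its own helper for this, sss_filter_sanitize(), which this example does not use). The filter format, the function names and the sample input are assumptions made for this example. count_filter_opens() gives a quick structural check: the intended filter contains exactly three '(' characters, so any other count means the value altered the query rather than being matched literally.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters RFC 4515 gives special meaning inside a search
 * filter value: '*', '(', ')' and '\'.  Each becomes a "\XX" hex escape,
 * so the value is matched literally and can neither close the assertion
 * it sits in nor open a new one.  Returns a malloc'd string (caller
 * frees) or NULL on allocation failure. */
char *filter_sanitize(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte -> \XX */
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            p += sprintf(p, "\\%02x", c);
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Assumed, simplified shape of a UPN cache lookup filter (example only;
 * the real SSSD filter has more terms, but the structure of assertions
 * under an AND is what matters here). */
#define UPN_FILTER_FMT "(&(objectClass=user)(userPrincipalName=%s))"
#define UPN_FILTER_OPENS 3   /* '(' characters the intended filter contains */

/* Build the lookup filter from an untrusted UPN.  sanitize == 0 splices
 * the value in verbatim, mirroring the defect the advisory describes;
 * sanitize != 0 is the hardened form.  Returns a malloc'd string or NULL. */
char *build_upn_filter(const char *upn, int sanitize)
{
    char *val;
    if (sanitize) {
        val = filter_sanitize(upn);
    } else {
        val = malloc(strlen(upn) + 1);
        if (val != NULL) {
            strcpy(val, upn);
        }
    }
    if (val == NULL) {
        return NULL;
    }
    size_t n = strlen(UPN_FILTER_FMT) + strlen(val) + 1;
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, UPN_FILTER_FMT, val);
    }
    free(val);
    return filter;
}

/* Count unescaped '(' characters, i.e. how many assertions or groupings a
 * filter parser would actually see.  For the intended filter this equals
 * UPN_FILTER_OPENS; a larger count means the value changed the filter's
 * structure. */
int count_filter_opens(const char *filter)
{
    int n = 0;
    for (const char *p = filter; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                       /* skip the escaped byte */
            continue;
        }
        if (*p == '(') {
            n++;
        }
    }
    return n;
}

/* Convenience for checks: build the filter for `upn`, count its opens and
 * free it.  Returns -1 on allocation failure. */
int upn_filter_opens(const char *upn, int sanitize)
{
    char *f = build_upn_filter(upn, sanitize);
    if (f == NULL) {
        return -1;
    }
    int n = count_filter_opens(f);
    free(f);
    return n;
}

int main(void)
{
    /* Constructed sample input containing filter metacharacters. */
    const char *tainted = "alice)(description=*";
    char *raw = build_upn_filter(tainted, 0);
    char *safe = build_upn_filter(tainted, 1);
    printf("unsanitized: %s  (opens=%d)\n", raw, count_filter_opens(raw));
    printf("sanitized:   %s  (opens=%d)\n", safe, count_filter_opens(safe));
    free(raw);
    free(safe);
    return 0;
}
```

Running it shows the unsanitized filter gaining a fourth assertion from the value, while the sanitized one keeps the three the code intended; the same escaping rule is what makes the cache query match the UPN as data instead of as filter syntax.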