On Wed, Oct 11, 2017 at 06:03:27PM -0400, Douglas Duckworth wrote:
> To mitigate could one make the cache only readable by root which I
> would be the default?
Yes, the cache file is only readable as root. But it is read by SSSD
components running as root as well.
On Oct 11, 2017 5:43 PM, "Lachlan Musicman" <datakid(a)gmail.com> wrote:
Will the COPR repos be republished?
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
*Greg Bloom* @greggish https://twitter.com/greggish/
On 12 October 2017 at 02:41, Sumit Bose <sbose(a)redhat.com> wrote:
> =============== A security bug in SSSD 1.12 and later
> = Subject: Unsanitized input when searching in local cache
> = CVE ID#: CVE-2017-12173
> = Summary: SSSD stores its cached data in an LDAP like local
> = file using libldb. To lookup cached data LDAP search
> = filters like '(objectClass=user)(name=user_name)' are
> = used. However, in sysdb_search_user_by_upn_res(), the input
> = is not sanitized and allows to manipulate the search
> = filter for cache lookups.
> = This would allow a logged in user to discover the
> = password hash of a different user.
> = Impact: Moderate
> = Affects default
> = configuration: When configured with tools like realmd or
> = ipa-client-install
> = Introduced with: 1.12.0
> ==== DESCRIPTION ====
> SSSD stores its cached data in an LDAP like local database file using
> libldb. To lookup cached data LDAP search filters like
> '(objectClass=user)(name=user_name)' are used. However, in
> sysdb_search_user_by_upn_res(), the input is not sanitized and allows to
> manipulate the search filter for cache lookups.
> This would allow a logged in user to discover the password hash of a
> different user.
> While in the default configuration the sssd.conf parameter 'cache_credentials'
> is set to 'False' it is typically switched to 'True' by tools like
> ipa-client-install to support offline authentication.
> To remove only the password hashes from the cache 'cache_credentials' should be
> set to 'False' in all [domain/...] sections of sssd.conf. Additionally the
> already stored hashes must be removed, e.g. by calling
> ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
> for each configured domain and removing all 'cachedPassword' attributes.
> ==== PATCH AVAILABILITY ====
> The patch is available at:
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
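An added illustration of the defect class the quoted advisory describes, written for this thread and not taken from SSSD or libldb: a lookup filter built by splicing a caller-supplied principal name straight into the filter string, beside the same lookup with the value escaped per RFC 4515 first. The filter template, the function names and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the bytes RFC 4515 treats specially in a filter value ('*', '(',
 * ')', '\') as "\XX" so the value can no longer open or close a filter
 * term. Returns a malloc'd string; the caller frees it. */
char *ldap_filter_escape(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    char *out = malloc(strlen(in) * 3 + 1);   /* worst case: all escaped */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            *p++ = '\\';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Build the cache lookup filter for a principal name (template assumed,
 * not SSSD's). sanitize == 0 splices the raw input in, which is the class
 * of defect the advisory describes; sanitize != 0 escapes it first. */
char *build_upn_filter(const char *upn, int sanitize)
{
    static const char tmpl[] = "(&(objectClass=user)(userPrincipalName=%s))";
    char *value = sanitize ? ldap_filter_escape(upn) : malloc(strlen(upn) + 1);
    if (value == NULL)
        return NULL;
    if (!sanitize)
        strcpy(value, upn);                    /* raw copy, no escaping */
    size_t n = sizeof(tmpl) + strlen(value);   /* sizeof covers NUL and "%s" */
    char *filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, tmpl, value);
    free(value);
    return filter;
}
```

With the constructed input "x)(y" the unsanitized path yields a filter with an extra term, while the escaped path keeps the whole input inside the single userPrincipalName value.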