Ubuntu
sssd package

Newline characters (\n) must be sanitized before LDAP requests take place.

Bug #1669712 reported by Victor Tapia
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Fix Released
Medium
Victor Tapia
Nominated for Xenial by Victor Tapia
Nominated for Yakkety by Victor Tapia
Nominated for Zesty by Victor Tapia
Trusty
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

 * When a username with a trailing newline or carriage return character is used for authentication, the malformed LDAP query will return that the username does not exist and then the username will be erased from the LDB cache.

[Test Case]

 1. While the provider is online, request a valid user and confirm it's cached:

ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash

ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

 2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'

 3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries

[Regression Potential]

 * None, the sanitizer code is just extended for these two characters

[Other Info]

 * Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
 * Fix has been merged upstream

[Original Description]

Introducing valid usernames with trailing newline characters triggers the removal of valid LDB cache entries

Reproducer:

1. Request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash

ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'

3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries

This is an excerpt from the logs of the request with the newline char:

(Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1
]

(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1
)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call

At this point, the ldb entry removal request for ad1 (without \n) takes place via sysdb_delete_user.

Adding '\n' to the character list in sss_filter_sanitize_ex() seems to fix this issue.

Upstream bug: https://pagure.io/SSSD/sssd/issue/3317

See original description
Revision history for this message
Nish Aravamudan (nacc) wrote :

Upstream PR is at: https://github.com/SSSD/sssd/pull/178

Changed in sssd (Ubuntu):
status: New → Triaged
Revision history for this message
Victor Tapia (vtapia) wrote :
description: updated
Revision history for this message
Victor Tapia (vtapia) wrote :
Revision history for this message
Victor Tapia (vtapia) wrote :
Revision history for this message
Victor Tapia (vtapia) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "xenial-sssd_1.13.4-1ubuntu1.4.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Victor, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Hello Victor, or anyone else affected,

Accepted sssd into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-3ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Yakkety):
status: New → Fix Committed
Revision history for this message
Victor Tapia (vtapia) wrote :

# VERIFICATION FOR XENIAL

Following the instructions in the description, 'user1' is present in the db:

root@vtapia-xenial:/var/log/sssd# sudo sss_cache -E; getent passwd 'user1'
root@vtapia-xenial:/var/log/sssd# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

And after a manipulated user request, the entry in the db persists:
root@vtapia-xenial:/var/log/sssd# sudo sss_cache -E; getent passwd 'user1
> '
 root@vtapia-xenial:/var/log/sssd# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

The log shows how the username has been sanitized:

(Thu Mar 30 13:55:19 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].

tags: added: verification-done-xenial
Revision history for this message
Victor Tapia (vtapia) wrote :

# VERIFICATION FOR YAKKETY

Using the same verification used for Xenial:

root@vtapia-yakkety:/home/ubuntu# sss_cache -E; getent passwd 'user1'
user1:*:10000:5000:user1:/home/user1:/bin/bash
root@vtapia-yakkety:/home/ubuntu# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
root@vtapia-yakkety:/home/ubuntu# sudo sss_cache -E; getent passwd 'user1
> '
 root@vtapia-yakkety:/home/ubuntu# sudo ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries

The log shows the sanitization:

(Fri Mar 31 09:00:30 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].

So far, both xenial and yakkety are working as expected

tags: added: verification-done-yakkety
Revision history for this message
Brian Murray (brian-murray) wrote : Proposed package upload rejected

An upload of sssd to trusty-proposed has been rejected from the upload queue for the following reason: "This upload adds a new patch and renames existing patches.".

Victor Tapia (vtapia)
tags: added: verification-failed
removed: verification-done-xenial verification-done-yakkety verification-needed
Victor Tapia (vtapia)
tags: added: verification-failed-xenial verification-failed-yakkety
removed: verification-failed
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Victor, or anyone else affected,

Accepted sssd into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-3ubuntu0.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Victor, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Victor Tapia (vtapia) wrote :

#VERIFICATION FOR XENIAL (1.13.4-1ubuntu1.5)

Using the following script to test "faulty" users (with trailing /r /n):

ubuntu@vtapia-xenial:~$ cat san.sh
#!/bin/bash

echo '- SSSD version'
dpkg -l | grep sssd-common

echo '- Query "user1"'
sss_cache -E; getent passwd 'user1'
ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb 2>&1 | grep entries

echo '- Query "user1\n"'
sudo sss_cache -E; getent passwd 'user1
'
ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb 2>&1 | grep entries

echo '- Query "user1\r"'
sudo sss_cache -E; getent passwd $(echo -e "user1\r")
ldbsearch -H /var/lib/sss/db/cache_openstacklocal.ldb -b name=user1,cn=users,cn=openstacklocal,cn=sysdb 2>&1 | grep entries

echo '- SSSD log'
grep 'calling ldap_search_ext with' /var/log/sssd/sssd_openstacklocal.log | grep user1 | tail -n3

I can confirm the bug is fixed:

ubuntu@vtapia-xenial:~$ sudo ./san.sh
- SSSD version
ii sssd-common 1.13.4-1ubuntu1.5 amd64 System Security Services Daemon -- common files
- Query "user1"
user1:*:10000:5000:user1:/home/user1:/bin/bash
# 1 entries
- Query "user1\n"
# 1 entries
- Query "user1\r"
# 1 entries
- SSSD log
(Thu May 4 10:51:52 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].
(Thu May 4 10:51:52 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].
(Thu May 4 10:51:52 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0d)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].

The correct entry persists as the queries are sanitized (user\0a / user\0d)

Revision history for this message
Victor Tapia (vtapia) wrote :

#VERIFICATION FOR YAKKETY (1.13.4-3ubuntu0.4)

Same script as in #14. This is the output:

ubuntu@vtapia-yakkety:~$ sudo ./san.sh
- SSSD version
ii sssd-common 1.13.4-3ubuntu0.4 amd64 System Security Services Daemon -- common files
- Query "user1"
user1:*:10000:5000:user1:/home/user1:/bin/bash
# 1 entries
- Query "user1\n"
# 1 entries
- Query "user1\r"
# 1 entries
- SSSD log
(Thu May 4 10:53:30 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].
(Thu May 4 10:53:30 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0d)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].
(Thu May 4 10:53:35 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].

Entry persists and users are sanitized

tags: added: verification-done-xenial verification-done-yakkety
removed: verification-failed-xenial verification-failed-yakkety
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.5

---------------
sssd (1.13.4-1ubuntu1.5) xenial; urgency=medium

  * d/p/pidfile-creation.diff: Delay the pidfile creation until the
    responders are up (LP: #1566508)
  * d/p/sanitize_newline.diff: Sanitize newline and carriage return
    characters before LDAP queries. (LP: #1669712)

 -- Victor Tapia <email address hidden> Tue, 24 Mar 2017 11:20:32 +0100

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-3ubuntu0.4

---------------
sssd (1.13.4-3ubuntu0.4) yakkety; urgency=medium

  * d/p/pidfile-creation.diff: Delay the pidfile creation until the
    responders are up (LP: #1566508)
  * d/p/sanitize_newline.diff: Sanitize newline and carriage return
    characters before LDAP queries. (LP: #1669712)

 -- Victor Tapia <email address hidden> Fri, 24 Mar 2017 11:14:10 +0100

Changed in sssd (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Victor, or anyone else affected,

Accepted sssd into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.11.8-0ubuntu0.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sssd (Ubuntu Trusty):
status: New → Fix Committed
Revision history for this message
Victor Tapia (vtapia) wrote :

# VERIFICATION FOR TRUSTY (1.11.8-0ubuntu0.6)

Same script as in #14. This is the output:

- SSSD version
ii sssd-common 1.11.8-0ubuntu0.6 amd64 System Security Services Daemon -- common files
- Query "user1"
user1:*:10000:5000:user1:/home/user1:/bin/bash
# 1 entries
- Query "user1\n"
# 1 entries
- Query "user1\r"
# 1 entries
- SSSD log
(Thu May 25 15:59:07 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].
(Thu May 25 15:59:07 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1\0d)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].
(Thu May 25 15:59:12 2017) [sssd[be[openstacklocal]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user1)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=openstacklocal].

Correct entry persists and users are sanitized

tags: added: verification-done
removed: verification-done-xenial verification-done-yakkety verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.11.8-0ubuntu0.6

---------------
sssd (1.11.8-0ubuntu0.6) trusty; urgency=medium

  * d/p/pidfile-creation.diff: Delay the pidfile creation until the
    responders are up (LP: #1566508)
  * d/p/sanitize_newline.diff: Sanitize newline and carriage return
    characters before LDAP queries. (LP: #1669712)

 -- Victor Tapia <email address hidden> Fri, 24 Mar 2017 11:26:41 +0100

Changed in sssd (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Nish Aravamudan (nacc) wrote :

Fixed in sssd 1.15.2 upstream (which is in 17.04 and 17.10).

Changed in sssd (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.