Package: libnss-sss
Version: libnss_sss fails on enumeration of users/groups
Severity: important
Tags: upstream patch
Dear Maintainer,

the NSS responder of sssd fails to *rewind* in calls to setXYent(). It succeeds only for the very first call to setXYent() during a session, which makes this bug a bit hidden, as most applications don't try to iterate the XY database multiple times. But dovecot is a good example: its auth process keeps the NSS "connection" open and may iterate multiple times over the list of users. The first iteration returns all users (from local files and from the AD-backed sssd), the next iteration returns only the users from local files, but not the users from the AD-backed sssd.

While this may be considered dovecot's fault, the documentation about setXYent says that it rewinds the iterator. (It doesn't mention that a consumer *must* use endXYent().)

The authors of sssd confirmed that bug; I opened an issue and a pull request there already:

- https://github.com/SSSD/sssd/issues/5523
- https://github.com/SSSD/sssd/pull/5524

I'm appending a patch I'm using for my private Buster packages of sssd. (The patch is not 100% equivalent to the above-mentioned PR, as the version of sssd that is shipped with Debian 10 is 1.6.x, and upstream is at 2.x already, implementing more setXYent().)

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (102, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.5 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnss-sss depends on:
ii  libc6  2.28-10

Versions of packages libnss-sss recommends:
pn  sssd  <none>

libnss-sss suggests no packages.
Description: Fix setXYent()
 setXYent() failed to rewind. Usage patterns like
   setpwent(); while (getpwent()) { … }; endpwent();
   setpwent(); while (getpwent()) { … }; endpwent();
 failed if the endpwent() was missing. (Dovecot is a good example of a
 missing endpwent() call.)
Author: Heiko Schlittermann <h...@schlittermann.de>
Bug: https://github.com/SSSD/sssd/issues/5523
Last-Update: 2021-03-01
--- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/responder/nss/nss_cmd.c +++ b/src/responder/nss/nss_cmd.c @@ -939,6 +939,11 @@ static errno_t nss_cmd_setpwent(struct cli_ctx *cli_ctx) { struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; + + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + state_ctx->pwent.domain = 0; + state_ctx->pwent.result = 0; nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); @@ -995,6 +1000,11 @@ static errno_t nss_cmd_setgrent(struct cli_ctx *cli_ctx) { struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; + + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + state_ctx->grent.domain = 0; + state_ctx->grent.result = 0; nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); @@ -1037,6 +1047,12 @@ static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) { + struct nss_state_ctx *state_ctx; + + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + state_ctx->netgrent.domain = 0; + state_ctx->netgrent.result = 0; + return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, nss_protocol_fill_setnetgrent); } @@ -1090,6 +1106,11 @@ static errno_t nss_cmd_setservent(struct cli_ctx *cli_ctx) { struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; + + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + state_ctx->svcent.domain = 0; + state_ctx->svcent.result = 0; nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx);
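Review bot: the DEP-3 header carries Bug: for the upstream issue but no Forwarded: field, although the report says the change was sent upstream as https://github.com/SSSD/sssd/pull/5524 and that this Buster version deliberately differs from it; add `Forwarded: https://github.com/SSSD/sssd/pull/5524` and a sentence in Description: saying how the backport deviates from the upstream PR, so the next maintainer can judge whether the patch can be dropped when the package moves to the 2.x series.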
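Review bot: in the @@ -939 hunk (nss_cmd_setpwent) the added block `state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); state_ctx->pwent.domain = 0; state_ctx->pwent.result = 0;` is repeated with only the member name changed in the setgrent, setnetgrent and setservent hunks; a short static helper taking the per-database index (hypothetical name, e.g. nss_reset_enum_index(&state_ctx->pwent)) would keep the four rewind paths identical and give one place for a DEBUG line when an enumeration is restarted. It would also be the single place to decide whether a NULL return from talloc_get_type() should be handled; the hunk dereferences the result immediately, which matches the unchecked nss_ctx lookup already in the function, so this is a style point rather than a bug.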
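Review bot: in the @@ -1037 hunk (nss_cmd_setnetgrent) the netgrent.domain/netgrent.result reset sits unconditionally in front of `return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, nss_protocol_fill_setnetgrent);`, which is a by-name request, whereas the other three hunks reset state for the domain-walking enumeration of a whole database; unless the getnetgrent path actually reads these two indices, this hunk is dead code and should be dropped to keep the stable-update patch minimal, and if it is needed a one-line comment naming the reader of those fields would spare the next reviewer the same question.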
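Review bot: the @@ -1090 hunk (nss_cmd_setservent) extends the fix to the services enumeration, and the @@ -1037 hunk to netgroups, while the Description: field and the report only talk about users and groups; state in Description: that all four setXYent() responder commands are covered, so the scope of a change landing on a stable branch is visible from the patch header alone.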