Hi all,

On  Do 17 Jan 2019 13:34:29 CET, Mike Gabriel wrote:

Package        : sssd
Version        : 1.11.7-3+deb8u2
CVE ID         : CVE-2019-3811
Debian Bug     : 919051

A vulnerability was found in sssd. If a user was configured with no home
directory set, sssd would return '/' (the root directory) instead of ''
(the empty string / no home directory). This could impact services that
restrict the user's filesystem access to within their home directory
through chroot() etc.

For Debian 8 "Jessie", this problem has been fixed in version

We recommend that you upgrade your sssd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

I just learned about an impact this security fix might have on not 100% correctly configured systems running sssd + Samba against an ActiveDirectory.

So, let's assume that your sssd provider is an AD. The sssd version in jessie does not yet support AD providers explicitly, I assume they are handled as LDAP providers. However, ActiveDirectory does not contain information on user home directories, unless the admin has added the Unix LDAP schemas to AD.

Today, I was presented with a situation where the homes were not provided properly via AD/sssd and user homes in getent passwd appeared as "/". This can be considered as a configuration flaw in sssd/AD, I'd say.

On that particular system, the admin had Samba home shares configured with "path = /home/user/%S", i.e. he overrode the wrong $HOME with the "path=" parameter. The POSIX side of the system saw $HOME="/", the Samba side saw that, too, but overrode the $HOME path by /home/user/%S.

Up to 1.11.7-3+deb8u1, Samba would think: great, there is a $HOME, but let's ignore its path and replace it by what we have in "[homes]" under "path =". For the end user on the CIFS network, the home share of the given user appeared, so all good.

With the above fix applied, i.e. since 1.11.7-3+deb8u2, sssd now sets the not-properly-configured home to "", so Samba sees it as "there is no home for this given user". Thus, it does not show the "[homes]" share to Windows/CIFS clients. Booom.

Make sure that sssd retrieves home directories from AD.

If your sssd fails to retrieve homes from AD, you can get this fixed on your Linux system, by setting fallback_homedir (or override_homedir) in /etc/sssd/sssd.conf to something like "/home/%u".

light+love + hope that helps,


mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net

Attachment: pgpBq79SLT4Wr.pgp
Description: Digitale PGP-Signatur

Reply via email to