======================= A security bug in SSSD 1.9 ===========================
= Subject: A simple access provider flaw prevents intended ACL use
= when SSSD is configured as an Active Directory client
= CVE ID#: CVE-2013-0287
= Summary: When SSSD is configured as an Active Directory client by
= using the new Active Directory provider or equivalent
= configuration of the LDAP provider, the Simple Access
= Provider does not handle access control correctly.
= If any groups are specified with the simple_deny_groups
= option, the group members are permitted access.
= Impact: medium
= Acknowledgements: The bug was found by Kaushik Banerjee of Red Hat
= Quality Engineering team
= Affects default
= configuration: no
= Introduced with: 1.9.0
==== DESCRIPTION ====
SSSD versions 1.9.0 and later are vulnerable to a security bug.
If the SSSD is configured to use the Active Directory provider (or equivalent
configuration of the LDAP provider) along with the Simple Access Provider
which in turn uses the simple_deny_groups option, then even groups listed
in that configuration option would be allowed access.
The reason is that the AD provider obtains a list of groups the user is a
member of in form of SIDs which are algorithmically transformed into GIDs
during the initgroups operation. Thus, contrary to the LDAP provider,
the group names might not be known during the account phase of the PAM
conversation. As a result, groups listed in the simple_deny_groups option may
be allowed access and groups in the simple_allow_groups may be denied access.
The vulnerable LDAP provider configuration would include the "ldap_schema=ad"
option, use the SID-to-ID mapping (ldap_id_mapping=True), would be connected
to an Active Directory server and use the simple_deny_groups as mentioned
The fix will be delivered as part of the upcoming 1.9.5 release.
The bug is being tracked in the following Red Hat Bugzilla report:
==== PATCH AVAILABILITY ====
The patches for the master branch are available at:
The patches for the sssd-1-9 branch are available at:
Freeipa-interest mailing list