Hi all, On Do 17 Jan 2019 13:34:29 CET, Mike Gabriel wrote:
Package : sssd Version : 1.11.7-3+deb8u2 CVE ID : CVE-2019-3811 Debian Bug : 919051 A vulnerability was found in sssd. If a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot() etc. For Debian 8 "Jessie", this problem has been fixed in version 1.11.7-3+deb8u2. We recommend that you upgrade your sssd packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
I just learned about an impact this security fix might have on not 100% correctly configured systems running sssd + Samba against an ActiveDirectory.
So, let's assume that your sssd provider is an AD. The sssd version in jessie does not yet support AD providers explicitly, I assume they are handled as LDAP providers. However, ActiveDirectory does not contain information on user home directories, unless the admin has added the Unix LDAP schemas to AD.
Today, I was presented with a situation where the homes were not provided properly via AD/sssd and user homes in getent passwd appeared as "/". This can be considered as a configuration flaw in sssd/AD, I'd say.
On that particular system, the admin had Samba home shares configured with "path = /home/user/%S", i.e. he overrode the wrong $HOME with the "path=" parameter. The POSIX side of the system saw $HOME="/", the Samba side saw that, too, but overrode the $HOME path by /home/user/%S.
Up to 1.11.7-3+deb8u1, Samba would think: great, there is a $HOME, but let's ignore its path and replace it by what we have in "[homes]" under "path =". For the end user on the CIFS network, the home share of the given user appeared, so all good.
With the above fix applied, i.e. since 1.11.7-3+deb8u2, sssd now sets the not-properly-configured home to "", so Samba sees it as "there is no home for this given user". Thus, it does not show the "[homes]" share to Windows/CIFS clients. Booom.
Solution: Make sure that sssd retrieves home directories from AD. Workaround:If your sssd fails to retrieve homes from AD, you can get this fixed on your Linux system, by setting fallback_homedir (or override_homedir) in /etc/sssd/sssd.conf to something like "/home/%u".
light+love + hope that helps, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
pgpBq79SLT4Wr.pgp
Description: Digitale PGP-Signatur
