URL: https://github.com/SSSD/sssd/pull/5841
Author: alexey-tikhonov
Title: #5841: KCM: delete malformed 'cn=default' entries
Action: synchronized

To pull the PR as a Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5841/head:pr5841
git checkout pr5841
```
From 1a94264234ffe86e2a61b183b679d0c2619ebdc0 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikh...@redhat.com>
Date: Tue, 26 Oct 2021 22:16:49 +0200
Subject: [PATCH] KCM: delete malformed 'cn=default' entries

This is needed to clean up outdated entries in old (encrypted)
format that are no longer supported.

Steps to reproduce:

With an old SSSD version that still writes encrypted content in secrets db:
 - obtain any ticket (even one ticket is enough)
 - `kswitch -c ...` to any cache (any successful execution of `kswitch`
   will use `SET_DEFAULT_CACHE` KCM op and create
   'cn=default,cn=$uid,cn=persistent,cn=kcm' entry)

Then update SSSD and try `klist`:
 - 2.6.0 version will fail with "[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size ..."
 - 2.6.0 + this patch will remove this entry:
```
[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size 152, deleting this entry
[sss_sec_delete] (0x0400): Removing a secret from [persistent/1000/default]
```
and continue as if default isn't set (since all encrypted entries will be purged,
cache will appear empty)
---
 src/responder/kcm/kcmsrv_ccache_secdb.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 05146b1553..714d6cc2af 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -764,8 +764,22 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx,
 
     uuid_size = sss_iobuf_get_size(dfl_iobuf);
     if (uuid_size != UUID_STR_SIZE) {
-        DEBUG(SSSDBG_OP_FAILURE, "Unexpected UUID size %zu\n", uuid_size);
-        ret = EIO;
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Unexpected UUID size %zu, deleting this entry\n", uuid_size);
+        ret = sss_sec_delete(sreq);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to delete entry: [%d]: %s, "
+                  "consider manual removal of "SECRETS_DB_PATH"/secrets.ldb",
+                  ret, sss_strerror(ret));
+            sss_log(SSS_LOG_CRIT,
+                    "Can't delete an entry from "SECRETS_DB_PATH"/secrets.ldb, "
+                    "content seems to be corrupted. Consider file removal. "
+                    "(Take a note, this will delete all credentials managed "
+                    "via sssd_kcm)");
+        }
+        uuid_clear(state->uuid);
+        ret = EOK;
         goto immediate;
     }
 
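Review bot: the new DEBUG(SSSDBG_CRIT_FAILURE, ...) call in this hunk has no trailing `\n` in its format string (it ends with `"/secrets.ldb"`), unlike the other DEBUG messages in the function, so the line will run together with the next debug line; add the newline. Also, when `sss_sec_delete(sreq)` fails, the code still does `uuid_clear(state->uuid); ret = EOK;` and continues, so the malformed entry remains in secrets.ldb and every subsequent `ccdb_secdb_get_default_send()` will repeat the failed deletion and emit the same CRIT message both to the debug log and via `sss_log(SSS_LOG_CRIT, ...)` to syslog; consider propagating the error, or logging the syslog message only once, to avoid flooding the journal. Minor wording: "Take a note, this will delete all credentials managed via sssd_kcm" reads better as "Note that this will delete all credentials managed via sssd_kcm".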
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org