On Wed, Oct 11, 2017 at 06:03:27PM -0400, Douglas Duckworth wrote:
> To mitigate could one make the cache only readable by root which I thought
> would be the default?

Yes, the cache file is only readable as root. But it is read by SSSD
components running as root as well.

bye,
Sumit

> On Oct 11, 2017 5:43 PM, "Lachlan Musicman" <[email protected]> wrote:
>
> > Will the COPR repos be republished?
> >
> > ------
> > "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
> > is the insistence that we cannot ignore the truth, nor should we panic
> > about it. It is a shared consciousness that our institutions have failed
> > and our ecosystem is collapsing, yet we are still here — and we are
> > creative agents who can shape our destinies. Apocalyptic civics is the
> > conviction that the only way out is through, and the only way through is
> > together."
> >
> > *Greg Bloom* @greggish
> > https://twitter.com/greggish/status/873177525903609857
> >
> > On 12 October 2017 at 02:41, Sumit Bose <[email protected]> wrote:
> >
> > > =============== A security bug in SSSD 1.12 and later =========================
> > > =
> > > = Subject:         Unsanitized input when searching in local cache database
> > > =
> > > = CVE ID#:         CVE-2017-12173
> > > =
> > > = Summary:         SSSD stores its cached data in an LDAP-like local database
> > > =                  file using libldb. To look up cached data, LDAP search
> > > =                  filters like '(objectClass=user)(name=user_name)' are used.
> > > =                  However, in sysdb_search_user_by_upn_res(), the input is
> > > =                  not sanitized and allows manipulating the search filter
> > > =                  for cache lookups.
> > > =
> > > =                  This would allow a logged-in user to discover the password
> > > =                  hash of a different user.
> > > =
> > > = Impact:          Moderate
> > > =
> > > = Affects default
> > > = configuration:   When configured with tools like realmd or
> > > =                  ipa-client-install
> > > =
> > > = Introduced with: 1.12.0
> > > =
> > > ==============================================================================
> > >
> > > ==== DESCRIPTION ====
> > >
> > > SSSD stores its cached data in an LDAP-like local database file using libldb.
> > > To look up cached data, LDAP search filters like
> > > '(objectClass=user)(name=user_name)' are used. However, in
> > > sysdb_search_user_by_upn_res(), the input is not sanitized and allows
> > > manipulating the search filter for cache lookups.
> > >
> > > This would allow a logged-in user to discover the password hash of a
> > > different user.
> > >
> > > While in the default configuration the sssd.conf parameter
> > > 'cache_credentials' is set to 'False', it is typically switched to 'True' by
> > > tools like realmd or ipa-client-install to support offline authentication.
> > >
> > > To remove the password hashes from the cache, 'cache_credentials' should be
> > > set to 'False' in all [domain/...] sections of sssd.conf. Additionally, the
> > > already stored hashes must be removed, e.g. by calling
> > >
> > >     ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
> > >
> > > for each configured domain and removing all 'cachedPassword' attributes.
> > >
> > > ==== PATCH AVAILABILITY ====
> > >
> > > The patch is available at:
> > > https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?branch=master
> > >
> > > _______________________________________________
> > > sssd-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
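The filter manipulation the advisory describes, as an added example in C that is neither SSSD's code nor the linked patch: the filter shape "(&(objectClass=user)(name=...))" follows the advisory's own illustration, while the escaping routine ldap_filter_escape, the two builders, count_filter_components and the hostile input value are constructed here. With the filter metacharacters left unescaped, a user-supplied value closes the name assertion and appends a presence test on cachedPassword, so the AND filter now matches other users' entries; after RFC 4515 escaping the same bytes can only ever match a literal name.

```c
/*
 * Added example, not SSSD's code: shows how an unsanitized value spliced
 * into an LDAP search filter changes the filter's meaning, and how RFC 4515
 * escaping of the filter metacharacters prevents it. The filter shape
 * follows the advisory's illustration; everything else is constructed here.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Escape the characters RFC 4515 reserves inside an assertion value:
 * '*', '(', ')' and '\' become "\2a", "\28", "\29" and "\5c" (a NUL byte
 * would become "\00", but cannot occur in a C string). Returns a malloc'd
 * string the caller frees, or NULL on allocation failure.
 */
char *ldap_filter_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes 3 */
    if (out == NULL)
        return NULL;

    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\')
            p += sprintf(p, "\\%02x", c);
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Splice a value into the lookup filter verbatim (shared by both builders). */
static char *format_name_filter(const char *value)
{
    const char *fmt = "(&(objectClass=user)(name=%s))";
    size_t n = strlen(fmt) + strlen(value) + 1;
    char *filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, fmt, value);
    return filter;
}

/* The bug class: the caller's input reaches the filter unescaped. */
char *build_filter_unsafe(const char *name)
{
    return format_name_filter(name);
}

/* The fix class: escape first, so the input can only be a literal value. */
char *build_filter_safe(const char *name)
{
    char *esc = ldap_filter_escape(name);
    if (esc == NULL)
        return NULL;
    char *filter = format_name_filter(esc);
    free(esc);
    return filter;
}

/*
 * Count filter components by counting literal '(' characters. An escaped
 * value contributes none, so the count is exactly what the code intended.
 */
int count_filter_components(const char *filter)
{
    int n = 0;
    for (; *filter != '\0'; filter++)
        if (*filter == '(')
            n++;
    return n;
}

int main(void)
{
    /* Constructed attacker-controlled name: closes the name assertion and
     * adds a presence test on the cachedPassword attribute. */
    const char *hostile = "*)(cachedPassword=*";

    char *unsafe = build_filter_unsafe(hostile);
    char *safe = build_filter_safe(hostile);

    printf("unsafe: %s  (%d components)\n", unsafe, count_filter_components(unsafe));
    printf("safe:   %s  (%d components)\n", safe, count_filter_components(safe));

    free(unsafe);
    free(safe);
    return 0;
}
```

The unsafe builder yields "(&(objectClass=user)(name=*)(cachedPassword=*))", four components, a filter that matches every user with a cached hash; the safe builder yields "(&(objectClass=user)(name=\2a\29\28cachedPassword=\2a))", still three components, because the injected bytes are now part of one literal name value. The same rule applies to any attribute value that originates from the caller, not only the one named in the advisory.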
