** Description changed:

+ [Impact]
+
+  * When a username with a trailing newline or carriage return character
+ is used for authentication, the malformed LDAP query will return that
+ the username does not exist and then the username will be erased from
+ the LDB cache.
+
+ [Test Case]
+
+ 1. While the provider is online, request a valid user and confirm it's
+ cached:
+
+ ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
+ ad1:*:1500:1500:ad1:/home/ad:/bin/bash
+
+ ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
+ asq: Unable to register control with rootdse!
+ # 1 entries
+
+ 2. Request an invalid username:
+ ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
+ '
+
+ 3. Confirm the cache entry has disappeared:
+ ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
+ asq: Unable to register control with rootdse!
+ # 0 entries
+
+ [Regression Potential]
+
+  * None, the sanitizer code is just extended for these two characters
+
+ [Other Info]
+
+  * Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
+  * Fix has been merged upstream
+
+
+ [Original Description]
+
  Introducing valid usernames with trailing newline characters triggers the removal of valid LDB cache entries
-
  Reproducer:
  1. Request a valid user and confirm it's cached:
- ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
+ ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
  ad1:*:1500:1500:ad1:/home/ad:/bin/bash
- ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
+ ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
  asq: Unable to register control with rootdse!
  # 1 entries
  2. Request an invalid username:
  ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
  '
  3. Confirm the cache entry has disappeared:
  ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
  asq: Unable to register control with rootdse!
  # 0 entries
-
  This is an excerpt from the logs of the request with the newline char:
  (Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1 ]
  (Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1 )(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
  (Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
  (Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1 ] to negative cache
  (Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
  At this point, the ldb entry removal request for ad1 (without \n) takes place via sysdb_delete_user.
-
- Adding '\n' to the character list in sss_filter_sanitize_ex() seems to fix this issue.
+ Adding '\n' to the character list in sss_filter_sanitize_ex() seems to
+ fix this issue.

  Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
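Added example, not code from the bug report, the debdiff or SSSD itself: a C filter-value escaper modelled on the RFC 4515 rule that sss_filter_sanitize_ex() applies (a backslash followed by two hex digits), covering the usual LDAP filter metacharacters plus the '\n' and '\r' this bug adds, and the user lookup filter from the log excerpt rebuilt both ways so the malformed query is visible next to the escaped one. The function names, the hard-coded filter template and the sample usernames are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one LDAP filter assertion value: each metacharacter becomes
 * '\' + two lowercase hex digits (RFC 4515). The set mirrors what the
 * bug report describes: the classic filter characters, plus '\n' and
 * '\r', which the fix adds. Returns a malloc'd string or NULL. */
char *filter_value_escape(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);  /* worst case: every byte -> 3 bytes */
    size_t j = 0;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        switch (c) {
        case '*': case '(': case ')': case '\\': case '\n': case '\r':
            j += (size_t)sprintf(out + j, "\\%02x", (unsigned)c);
            break;
        default:
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* Plain copy used for the unsanitized (buggy) path, so the example does
 * not depend on the non-C-standard strdup(). */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Build the user lookup filter seen in the bug's log excerpt. The template
 * is copied from that log line; 'escape' selects between the unsanitized
 * behaviour before the fix (0) and the sanitized behaviour after it (1). */
char *build_user_filter(const char *name, int escape)
{
    const char *fmt = "(&(sAMAccountName=%s)(objectclass=user)"
                      "(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))";
    char *val = escape ? filter_value_escape(name) : copy_string(name);
    char *filter;
    size_t n;
    if (val == NULL) return NULL;
    n = strlen(fmt) + strlen(val) + 1;
    filter = malloc(n);
    if (filter != NULL) snprintf(filter, n, fmt, val);
    free(val);
    return filter;
}

/* 1 if the filter still carries a raw CR/LF, i.e. it would go out malformed. */
int filter_has_raw_newline(const char *filter)
{
    return strpbrk(filter, "\r\n") != NULL;
}

int main(void)
{
    /* constructed inputs: the valid name, the two trailing characters from
     * the report, and a name full of ordinary filter metacharacters */
    const char *names[] = { "ad1", "ad1\n", "ad1\r", "a*b(c)\\d" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *raw = build_user_filter(names[i], 0);
        char *safe = build_user_filter(names[i], 1);
        if (raw == NULL || safe == NULL) return 1;
        printf("before fix: %s  (malformed=%d)\n", raw, filter_has_raw_newline(raw));
        printf("after fix : %s  (malformed=%d)\n", safe, filter_has_raw_newline(safe));
        free(raw);
        free(safe);
    }
    return 0;
}
```

The escaped form sends the server a well-formed filter whose value is literally "ad1" followed by a newline, so the lookup simply returns no entries for that name rather than failing on a malformed request; the raw form is the filter the log excerpt shows being sent before the fix.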
** Patch added: "xenial-sssd_1.13.4-1ubuntu1.4.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1669712/+attachment/4835274/+files/xenial-sssd_1.13.4-1ubuntu1.4.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1669712

Title:
  Newline characters (\n) must be sanitized before LDAP requests take place.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1669712/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
