Merge ~orion-cora/ubuntu/+source/sssd:xenial-sssd-hbac-rule-1722936 into ~usd-import-team/ubuntu/+source/sssd:ubuntu/xenial-devel

Proposed by Orion-cora on 2017-11-27
Status: Needs review
Proposed branch: ~orion-cora/ubuntu/+source/sssd:xenial-sssd-hbac-rule-1722936
Merge into: ~usd-import-team/ubuntu/+source/sssd:ubuntu/xenial-devel
Diff against target: 199 lines (+177/-0)
3 files modified
debian/changelog (+6/-0)
debian/patches/hbac.patch (+170/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack (community) 2017-11-27 Needs Information on 2017-11-28
Canonical Server packageset reviewers 2017-11-28 Pending
Ubuntu Server Dev import team 2017-11-27 Pending
Review via email: mp+334317@code.launchpad.net

Description of the Change

Add upstream HBAC patch. Closes LP: #1722936.

To post a comment you must log in.
Andreas Hasenack (ahasenack) wrote :

Thanks! Could you please also add a review slot for "canonical-server"? Then it will show up in our queue more easily.

Andreas Hasenack (ahasenack) wrote :

- lint: OK
- source build: OK
- binary build: OK
- packaging: OK

Do you have a simple way that we can use to test this patch? Or do we need to setup AD and IPA?

review: Needs Information
Orion-cora (orion-cora) wrote :

I don't have a simple test. The issue we see with AD users trusted by IPA is that sometimes the supplemental group list is not correct. This then can lead to logins not being allowed due to HBAC rules not applying any more. I've been running with this patch applied on one system with no troubles for a month or so. It's highly recommended by upstream, they just have never released a 1.13.5 version with it. But this patch is from the 1.13 branch.

Andreas Hasenack (ahasenack) wrote :

I'll have to come up with a test plan for this change if we want to SRU it. I should be able to start work on that this week.

Unmerged commits

4241de7... by Orion-cora on 2017-11-27

Add upstream HBAC patch. Closes LP: #1722936.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index d89041d..8882cb4 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+sssd (1.13.4-1ubuntu1.10) xenial; urgency=medium
7+
8+ * Add upstream HBAC patch. Closes LP: #1722936.
9+
10+ -- Orion Poplawski <orion@nwra.com> Mon, 27 Nov 2017 09:38:29 -0700
11+
12 sssd (1.13.4-1ubuntu1.9) xenial; urgency=medium
13
14 * debian/patches/bad-initgroups-results-3045.patch: sdap: Fix
15diff --git a/debian/patches/hbac.patch b/debian/patches/hbac.patch
16new file mode 100644
17index 0000000..b65daff
18--- /dev/null
19+++ b/debian/patches/hbac.patch
20@@ -0,0 +1,170 @@
21+From 88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf Mon Sep 17 00:00:00 2001
22+From: Jakub Hrozek <jhrozek@redhat.com>
23+Date: Jul 27 2017 07:39:58 +0000
24+Subject: HBAC: Do not rely on originalMemberOf, use the sysdb memberof links instead
25+
26+
27+The IPA HBAC code used to read the group members from the
28+originalMemberOf attribute value for performance reasons. However,
29+especially on IPA clients trusting an AD domain, the originalMemberOf
30+attribute value is often not synchronized correctly.
31+
32+Instead of going through the work of maintaining both member/memberOf
33+and originalMemberOf, let's just do an ASQ search for the group names of
34+the groups the user is a member of in the cache and read their
35+SYSBD_NAME attribute.
36+
37+To avoid clashing between similarly-named groups in IPA and in AD, we
38+look at the container of the group.
39+
40+Resolves:
41+https://pagure.io/SSSD/sssd/issue/3382
42+
43+(cherry picked from commit c92e49144978ad3b6c9fffa8803ebdad8f6f5b18)
44+
45+Reviewed-by: Sumit Bose <sbose@redhat.com>
46+Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
47+
48+---
49+
50+diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
51+index 72a620e..4afe44e 100644
52+--- a/src/providers/ipa/ipa_hbac_common.c
53++++ b/src/providers/ipa/ipa_hbac_common.c
54+@@ -510,14 +510,14 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
55+ struct hbac_request_element **user_element)
56+ {
57+ errno_t ret;
58+- unsigned int i;
59+ unsigned int num_groups = 0;
60+ TALLOC_CTX *tmp_ctx;
61+- const char *member_dn;
62+ struct hbac_request_element *users;
63+- struct ldb_message *msg;
64+- struct ldb_message_element *el;
65+- const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
66++ const char *groupname;
67++ struct sss_domain_info *ipa_domain;
68++ struct ldb_dn *ipa_groups_basedn;
69++ struct ldb_result *res;
70++ int exp_comp;
71+
72+ tmp_ctx = talloc_new(mem_ctx);
73+ if (tmp_ctx == NULL) return ENOMEM;
74+@@ -530,56 +530,90 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
75+
76+ users->name = username;
77+
78+- /* Read the originalMemberOf attribute
79+- * This will give us the list of both POSIX and
80+- * non-POSIX groups that this user belongs to.
81++ ipa_domain = get_domains_head(domain);
82++ if (ipa_domain == NULL) {
83++ ret = EINVAL;
84++ goto done;
85++ }
86++
87++ ipa_groups_basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb),
88++ SYSDB_TMPL_GROUP_BASE, ipa_domain->name);
89++ if (ipa_groups_basedn == NULL) {
90++ ret = ENOMEM;
91++ goto done;
92++ }
93++
94++ /* +1 because there will be a RDN preceding the base DN */
95++ exp_comp = ldb_dn_get_comp_num(ipa_groups_basedn) + 1;
96++
97++ /*
98++ * Get all the groups the user is a member of.
99++ * This includes both POSIX and non-POSIX groups.
100+ */
101+- ret = sysdb_search_user_by_name(tmp_ctx, domain, users->name,
102+- attrs, &msg);
103++ ret = sysdb_initgroups(tmp_ctx, domain, username, &res);
104+ if (ret != EOK) {
105+ DEBUG(SSSDBG_CRIT_FAILURE,
106+- "Could not determine user memberships for [%s]\n",
107+- users->name);
108++ "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret));
109+ goto done;
110+ }
111+
112+- el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
113+- if (el == NULL || el->num_values == 0) {
114++ if (res->count == 0) {
115++ /* This should not happen at this point */
116++ DEBUG(SSSDBG_MINOR_FAILURE,
117++ "User [%s] not found in cache.\n", username);
118++ ret = ENOENT;
119++ goto done;
120++ } else if (res->count == 1) {
121++ /* The first item is the user entry */
122+ DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name);
123+ ret = create_empty_grouplist(users);
124+ goto done;
125+ }
126+ DEBUG(SSSDBG_TRACE_LIBS,
127+- "[%d] groups for [%s]\n", el->num_values, users->name);
128++ "[%u] groups for [%s]\n", res->count - 1, username);
129+
130+- users->groups = talloc_array(users, const char *, el->num_values + 1);
131++ /* This also includes the sentinel, b/c we'll skip the user entry below */
132++ users->groups = talloc_array(users, const char *, res->count);
133+ if (users->groups == NULL) {
134+ ret = ENOMEM;
135+ goto done;
136+ }
137+
138+- for (i = 0; i < el->num_values; i++) {
139+- member_dn = (const char *)el->values[i].data;
140++ /* Start counting from 1 to exclude the user entry */
141++ for (size_t i = 1; i < res->count; i++) {
142++ /* Only groups from the IPA domain can be referenced from HBAC rules. To
143++ * avoid evaluating groups which might even have the same name, but come
144++ * from a trusted domain, we first copy the DN to a temporary one..
145++ */
146++ if (ldb_dn_get_comp_num(res->msgs[i]->dn) != exp_comp
147++ || ldb_dn_compare_base(ipa_groups_basedn,
148++ res->msgs[i]->dn) != 0) {
149++ DEBUG(SSSDBG_FUNC_DATA,
150++ "Skipping non-IPA group %s\n",
151++ ldb_dn_get_linearized(res->msgs[i]->dn));
152++ continue;
153++ }
154+
155+- ret = get_ipa_groupname(users->groups, domain->sysdb, member_dn,
156+- &users->groups[num_groups]);
157+- if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
158++ groupname = ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_NAME, NULL);
159++ if (groupname == NULL) {
160+ DEBUG(SSSDBG_MINOR_FAILURE,
161+- "Skipping malformed entry [%s]\n", member_dn);
162++ "Skipping malformed entry [%s]\n",
163++ ldb_dn_get_linearized(res->msgs[i]->dn));
164+ continue;
165+- } else if (ret == EOK) {
166+- DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
167+- users->groups[num_groups], users->name);
168+- num_groups++;
169++ }
170++
171++ users->groups[num_groups] = talloc_strdup(users->groups, groupname);
172++ if (users->groups[num_groups] == NULL) {
173+ continue;
174+ }
175+- /* Skip entries that are not groups */
176+- DEBUG(SSSDBG_TRACE_INTERNAL,
177+- "Skipping non-group memberOf [%s]\n", member_dn);
178++
179++ DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
180++ users->groups[num_groups], users->name);
181++ num_groups++;
182+ }
183+ users->groups[num_groups] = NULL;
184+
185+- if (num_groups < el->num_values) {
186++ if (num_groups < (res->count - 1)) {
187+ /* Shrink the array memory */
188+ users->groups = talloc_realloc(users, users->groups, const char *,
189+ num_groups+1);
190+
191diff --git a/debian/patches/series b/debian/patches/series
192index d556fe1..1ea2a07 100644
193--- a/debian/patches/series
194+++ b/debian/patches/series
195@@ -5,3 +5,4 @@ pidfile-creation.diff
196 sanitize_newline.diff
197 attempt_ptr_update_on_nonzero_return.diff
198 bad-initgroups-results-3045.patch
199+hbac.patch

Subscribers

People subscribed via source and target branches