[Bug 1669712] [NEW] Newline characters (\n) must be sanitized before LDAP requests take place.
Launchpad Bug Tracker
1669712 at bugs.launchpad.net
Fri Mar 10 16:27:42 UTC 2017
You have been subscribed to a public bug by Ubuntu Foundations Team Bug Bot (crichton):
[Impact]
* When a username with a trailing newline or carriage return character
is used for authentication, the malformed LDAP query will return that
the username does not exist and then the username will be erased from
the LDB cache.
[Test Case]
1. While the provider is online, request a valid user and confirm it's
cached:
ubuntu at ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu at ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu at ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu at ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
[Regression Potential]
* None, the sanitizer code is just extended for these two characters
[Other Info]
* Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
* Fix has been merged upstream
[Original Description]
Introducing valid usernames with trailing newline characters triggers
the removal of valid LDB cache entries
Reproducer:
1. Request a valid user and confirm it's cached:
ubuntu at ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu at ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu at ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu at ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
This is an excerpt from the logs of the request with the newline char:
(Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1
]
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1
)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
At this point, the ldb entry removal request for ad1 (without \n) takes
place via sysdb_delete_user.
Adding '\n' to the character list in sss_filter_sanitize_ex() seems to
fix this issue.
Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
** Affects: sssd (Ubuntu)
Importance: Medium
Assignee: Victor Tapia (vtapia)
Status: Triaged
** Tags: patch sts
--
Newline characters (\n) must be sanitized before LDAP requests take place.
https://bugs.launchpad.net/bugs/1669712
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
More information about the Ubuntu-sponsors
mailing list