[Bug 1669712] Re: Newline characters (\n) must be sanitized before LDAP requests take place.
Ubuntu Foundations Team Bug Bot
1669712@bugs.launchpad.net
Fri Mar 10 16:27:42 UTC 2017
The attachment "xenial-sssd_1.13.4-1ubuntu1.4.debdiff" seems to be a
debdiff. The ubuntu-sponsors team has been subscribed to the bug report
so that they can review and hopefully sponsor the debdiff. If the
attachment isn't a patch, please remove the "patch" flag from the
attachment, remove the "patch" tag, and if you are member of the
~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1669712
Title:
Newline characters (\n) must be sanitized before LDAP requests take
place.
Status in sssd package in Ubuntu:
Triaged
Bug description:
[Impact]
* When a username with a trailing newline or carriage return
character is used for authentication, the malformed LDAP query will
return that the username does not exist and then the username will be
erased from the LDB cache.
[Test Case]
1. While the provider is online, request a valid user and confirm
it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
[Regression Potential]
* None, the sanitizer code is just extended for these two characters
[Other Info]
* Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
* Fix has been merged upstream
[Original Description]
Introducing valid usernames with trailing newline characters triggers
the removal of valid LDB cache entries
Reproducer:
1. Request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
This is an excerpt from the logs of the request with the newline char:
(Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1
]
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1
)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
At this point, the ldb entry removal request for ad1 (without \n)
takes place via sysdb_delete_user.
Adding '\n' to the character list in sss_filter_sanitize_ex() seems to
fix this issue.
Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
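The sanitizer behaviour the report describes, shown as an added example written for this page in C; it is not SSSD's sss_filter_sanitize_ex() and not part of the bug report. It escapes the RFC 4515 filter metacharacters and, as the upstream fix does, also CR and LF, so a username such as 'ad1' followed by a newline becomes ad1\0a inside the filter instead of splitting it across two lines as in the log excerpt above. The function names, the filter shape and the sample usernames are constructed for this example; a filter_has_raw_newline() check is included as the kind of assertion a defender could add before a filter is handed to ldap_search_ext.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that must be escaped inside an LDAP filter value (RFC 4515),
 * plus CR and LF, which the report says were missing from the sanitizer.
 * NUL is also special per RFC 4515 but cannot occur in a C string input. */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' ||
           c == '\r' || c == '\n';
}

/* Returns a newly allocated copy of `in` with every special byte
 * replaced by the RFC 4515 "\XX" hex form, or NULL on allocation failure. */
char *sanitize_filter_value(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)in; *s != '\0'; s++) {
        if (needs_escape(*s)) {
            p += sprintf(p, "\\%02x", *s);   /* e.g. '\n' -> "\0a" */
        } else {
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Builds a user lookup filter of the shape seen in the report's log line
 * (hypothetical shape, simplified). Caller frees the result. */
char *build_user_filter(const char *username)
{
    char *safe = sanitize_filter_value(username);
    if (safe == NULL) {
        return NULL;
    }
    const char *fmt = "(&(sAMAccountName=%s)(objectclass=user))";
    size_t n = strlen(fmt) + strlen(safe) + 1;
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, fmt, safe);
    }
    free(safe);
    return filter;
}

/* Defensive check: a filter that still carries a raw CR/LF was built from
 * an unsanitized value; the server will reject or misparse it. */
int filter_has_raw_newline(const char *filter)
{
    return strchr(filter, '\n') != NULL || strchr(filter, '\r') != NULL;
}

/* Convenience helpers so callers can compare results without managing memory. */
int sanitized_equals(const char *in, const char *expected)
{
    char *s = sanitize_filter_value(in);
    int ok = (s != NULL) && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int filter_equals(const char *username, const char *expected)
{
    char *f = build_user_filter(username);
    int ok = (f != NULL) && strcmp(f, expected) == 0 && !filter_has_raw_newline(f);
    free(f);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs: a clean name, the report's trailing newline,
     * and a name full of filter metacharacters. */
    const char *names[] = { "ad1", "ad1\n", "a*b(c)\\" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        char *f = build_user_filter(names[i]);
        if (f == NULL) {
            return 1;
        }
        printf("%s  raw-newline=%s\n", f, filter_has_raw_newline(f) ? "yes" : "no");
        free(f);
    }
    return 0;
}
```

With the escape in place the lookup for 'ad1\n' is a well-formed search for a name that does not exist, so it returns no entries without producing the malformed request that preceded the cache eviction in the report.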