Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch)

Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch)
2022-06-13 12:45:54 +02:00 · 2022-06-13 12:45:54 +02:00 · 4a2d3451f2
commit 4a2d3451f2
parent 61baec62c2
3 changed files with 188 additions and 2 deletions
--- a/0001-pac-relax-default-for-pac_check-option.patch
+++ b/0001-pac-relax-default-for-pac_check-option.patch
@ -0,0 +1,50 @@
 From 26d8601e9b4e35ff89ca9fa72b9db05199096b56 Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Wed, 8 Jun 2022 10:11:15 +0200
 Subject: [PATCH] pac: relax default for pac_check option
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 PAC might not be always present, especially in IPA environments. So the
 default of pac_check should not contain 'pac_present'.
 Resolves: https://github.com/SSSD/sssd/issues/5868
 Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 (cherry picked from commit 55e93cf1cf4d61c6de7975cbdc97a723545586c0)
 ---
 src/confdb/confdb.h     | 2 +-
 src/man/sssd.conf.5.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
 index d9fe571de..83f6be7f9 100644
 --- a/src/confdb/confdb.h
 +++ b/src/confdb/confdb.h
@@ -181,7 +181,7 @@
 #define CONFDB_PAC_LIFETIME "pac_lifetime"
 #define CONFDB_PAC_CHECK "pac_check"
 #define CONFDB_PAC_CHECK_DEFAULT "no_check"
 -#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "pac_present, check_upn, check_upn_dns_info_ex"
 +#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
 /* InfoPipe */
 #define CONFDB_IFP_CONF_ENTRY "config/ifp"
 diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
 index 705447427..e921ba575 100644
 --- a/src/man/sssd.conf.5.xml
 +++ b/src/man/sssd.conf.5.xml
@@ -2298,7 +2298,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                         </para>
                         <para>
                             Default: no_check (AD and IPA provider
 -                            'pac_present, check_upn, check_upn_dns_info_ex')
 +                            'check_upn, check_upn_dns_info_ex')
                         </para>
                     </listitem>
                 </varlistentry>
 -- 
 2.35.3
--- a/0002-names-only-check-sub-domains-for-regex-match.patch
+++ b/0002-names-only-check-sub-domains-for-regex-match.patch
@ -0,0 +1,131 @@
 From 536dc9e4f72503942e659ca0dbd022d3dfac148f Mon Sep 17 00:00:00 2001
 From: Sumit Bose <sbose@redhat.com>
 Date: Thu, 2 Jun 2022 17:02:31 +0200
 Subject: [PATCH] names: only check sub-domains for regex match
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 It is allowed to have different regular-expression to split the input
 name for different domains. After the regex is evaluated and a domain
 name was found in the input it has to be check if the domain name
 corresponds to the domain the regex is coming from.
 E.g. with the implicit files provider enabled the file provider might
 use a simple default regex while and additional IPA or AD provider will
 have a more complex one which e.g. properly handles @-characters in
 names. When evaluation in input the simple regex will come first and
 will split the name but will miss part of the user name part if the name
 contains an @-character. Currently SSSD check if the found domain name
 matches any of the know domains or sub-domains which is wrong because
 the regex was coming from the files provider and hence it should only
 handle its own objects.
 With this patch not all domains are checked but only the current one and
 its sub-domains, if any. This behavior is also mentioned in a comment
 already in the code. As a result in the above example the check with
 the results form the simple regex with fail and then the more complex
 regex of the other domain will be used which can split the name
 properly.
 Resolves: https://github.com/SSSD/sssd/issues/6055
 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
 Reviewed-by: Tomáš Halman <thalman@redhat.com>
 (cherry picked from commit 9656516b9af2b3ea4627eab42f11c7667564020f)
 ---
 src/tests/cmocka/test_fqnames.c | 50 +++++++++++++++++++++++++++++++++
 src/util/usertools.c            |  2 +-
 2 files changed, 51 insertions(+), 1 deletion(-)
 diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
 index 406ef55a9..5de4faf9a 100644
 --- a/src/tests/cmocka/test_fqnames.c
 +++ b/src/tests/cmocka/test_fqnames.c
@@ -318,6 +318,41 @@ static int parse_name_test_setup(void **state)
     return 0;
 }
 +static int parse_name_test_two_names_ctx_setup(void **state)
 +{
 +    struct parse_name_test_ctx *test_ctx;
 +    struct sss_names_ctx *nctx1 = NULL;
 +    struct sss_names_ctx *nctx2 = NULL;
 +    struct sss_domain_info *dom;
 +    int ret;
 +
 +    assert_true(leak_check_setup());
 +
 +    test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx);
 +    assert_non_null(test_ctx);
 +
 +    ret = sss_names_init_from_args(test_ctx, SSS_DEFAULT_RE,
 +                                   "%1$s@%2$s", &nctx1);
 +    assert_int_equal(ret, EOK);
 +
 +    ret = sss_names_init_from_args(test_ctx, SSS_IPA_AD_DEFAULT_RE,
 +                                   "%1$s@%2$s", &nctx2);
 +    assert_int_equal(ret, EOK);
 +
 +    test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME,
 +                                       NULL, nctx1);
 +    assert_non_null(test_ctx->dom);
 +
 +    dom = create_test_domain(test_ctx, DOMNAME2, FLATNAME2,
 +                                       NULL, nctx2);
 +    assert_non_null(dom);
 +    DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *);
 +
 +    check_leaks_push(test_ctx);
 +    *state = test_ctx;
 +    return 0;
 +}
 +
 static int parse_name_test_teardown(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -448,6 +483,18 @@ void test_init_nouser(void **state)
     assert_int_not_equal(ret, EOK);
 }
 +void test_different_regexps(void **state)
 +{
 +    struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
 +                                                     struct parse_name_test_ctx);
 +    parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME);
 +    parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2);
 +    parse_name_check(test_ctx, NAME"@WITH_AT@"DOMNAME2, NULL, EOK, NAME"@WITH_AT", DOMNAME2);
 +    parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, FLATNAME"\\"NAME, NULL);
 +    parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2);
 +    parse_name_check(test_ctx, FLATNAME2"\\"NAME"@WITH_AT", NULL, EOK, NAME"@WITH_AT", DOMNAME2);
 +}
 +
 void sss_parse_name_fail(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -502,6 +549,9 @@ int main(int argc, const char *argv[])
         cmocka_unit_test_setup_teardown(sss_parse_name_fail,
                                         parse_name_test_setup,
                                         parse_name_test_teardown),
 +        cmocka_unit_test_setup_teardown(test_different_regexps,
 +                                        parse_name_test_two_names_ctx_setup,
 +                                        parse_name_test_teardown),
     };
     /* Set debug level to invalid value so we can decide if -d 0 was used. */
 diff --git a/src/util/usertools.c b/src/util/usertools.c
 index 511fb2d5d..91df7129e 100644
 --- a/src/util/usertools.c
 +++ b/src/util/usertools.c
@@ -321,7 +321,7 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name(
         return dom;
     }
 -    return find_domain_by_name(dom, dmatch, true);
 +    return find_domain_by_name_ex(dom, dmatch, true, SSS_GND_SUBDOMAINS);
 }
 int sss_parse_name_for_domains(TALLOC_CTX *memctx,
 -- 
 2.35.3
--- a/sssd.spec
+++ b/sssd.spec
@ -27,14 +27,15 @@
 Name: sssd
 Version: 2.7.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-#Patch0001:
+Patch0001: 0001-pac-relax-default-for-pac_check-option.patch
 Patch0002: 0002-names-only-check-sub-domains-for-regex-match.patch
 ### Dependencies ###
@ -1059,6 +1060,10 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
 * Mon Jun 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.1-2
 - Resolves: rhbz#2073095 - Harden kerberos ticket validation (additional patch)
 - Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol (additional patch)
 * Sat Jun  4 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.1-1
 - Resolves: rhbz#2069376 - Rebase SSSD for RHEL 9.1
 - Resolves: rhbz#1893192 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets