From 4bcdbebd83d71e61fe09e37b87e1aa6aa180e4de Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 18 Jan 2024 12:19:34 +0000 Subject: [PATCH] Disable enumeration support for IPA and AD providers. Deprecation was announced in F39 release notes: https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/sysadmin/Security/#_support_for_the_enumeration_feature_has_been_deprecated_for_ad_and_ipa_backends This is a backport of upstream patch: https://github.com/SSSD/sssd/commit/9240bca7dcc28371ae5dce31c01e85d28409cd04 --- ...itional-build-of-enumeration-support.patch | 244 ++++++++++++++++++ sssd.spec | 10 +- 2 files changed, 253 insertions(+), 1 deletion(-) create mode 100644 0001-ENUMERATION-conditional-build-of-enumeration-support.patch diff --git a/0001-ENUMERATION-conditional-build-of-enumeration-support.patch b/0001-ENUMERATION-conditional-build-of-enumeration-support.patch new file mode 100644 index 0000000..e29fcdc --- /dev/null +++ b/0001-ENUMERATION-conditional-build-of-enumeration-support.patch 
@@ -0,0 +1,244 @@ +From b42cc3d2bf4ea1751cacb63e53536c8ad1782632 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 23 Jun 2023 16:33:09 +0200 +Subject: [PATCH] ENUMERATION: conditional build of enumeration support for + providers other than LDAP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +:relnote:Support of 'enumeration' feature (i.e. ability to list all +users/groups using 'getent passwd/group' without argument) for AD/IPA +providers is deprecated and might be removed in further releases. +Those who are interested to keep using it awhile should configure +its build explicitly using '--with-extended-enumeration-support' +./configure option. + +Reviewed-by: Iker Pedrosa +Reviewed-by: Tomáš Halman +(cherry picked from commit 9240bca7dcc28371ae5dce31c01e85d28409cd04) +--- + configure.ac | 1 + + src/conf_macros.m4 | 17 +++++++++++++++++ + src/confdb/confdb.c | 23 ++++++++++++++++++----- + src/db/sysdb_subdomains.c | 4 ++++ + src/man/Makefile.am | 7 ++++++- + src/man/sssd-ldap.5.xml | 4 ++-- + src/man/sssd.conf.5.xml | 14 +++++++++----- + 7 files changed, 57 insertions(+), 13 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 470c04949..adb2c5447 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -185,6 +185,7 @@ WITH_SUDO + WITH_SUDO_LIB_PATH + WITH_AUTOFS + WITH_FILES_PROVIDER ++WITH_EXTENDED_ENUMERATION_SUPPORT + WITH_SUBID + WITH_SUBID_LIB_PATH + WITH_PASSKEY +diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 +index cb97eeb78..5ef257908 100644 +--- a/src/conf_macros.m4 ++++ b/src/conf_macros.m4 +@@ -651,6 +651,23 @@ AC_DEFUN([WITH_FILES_PROVIDER], + AM_CONDITIONAL([BUILD_FILES_PROVIDER], [test x"$with_files_provider" = xyes]) + ]) + ++AC_DEFUN([WITH_EXTENDED_ENUMERATION_SUPPORT], ++ [ AC_ARG_WITH([extended-enumeration-support], ++ [AC_HELP_STRING([--with-extended-enumeration-support], ++ [Whether to build enumeration support for ++ IPA and AD providers [no].] 
++ ) ++ ], ++ [with_extended_enumeration_support=$withval], ++ with_extended_enumeration_support=no ++ ) ++ ++ if test x"$with_extended_enumeration_support" = xyes; then ++ AC_DEFINE(BUILD_EXTENDED_ENUMERATION_SUPPORT, 1, [Whether to build extended enumeration support]) ++ fi ++ AM_CONDITIONAL([BUILD_EXTENDED_ENUMERATION_SUPPORT], [test x"$with_extended_enumeration_support" = xyes]) ++ ]) ++ + AC_DEFUN([WITH_SUBID], + [ AC_ARG_WITH([subid], + [AC_HELP_STRING([--with-subid], +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index a7344e166..1760ea6b5 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1068,6 +1068,9 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma + errno_t ret; + const char *tmp, *tmp_pam_target, *tmp_auth; + ++#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT ++ if (domain->provider != NULL && strcasecmp(domain->provider, "ldap") == 0) { ++#endif + /* TEMP: test if the old bitfield conf value is used and warn it has been + * superseded. */ + val = ldb_msg_find_attr_as_int(res->msgs[0], CONFDB_DOMAIN_ENUMERATE, 0); +@@ -1086,6 +1089,11 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma + goto done; + } + } ++#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT ++ } else { ++ domain->enumerate = false; ++ } ++#endif + + if (is_files_provider(domain)) { + /* The password field must be reported as 'x', else pam_unix won't +@@ -1122,11 +1130,7 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma + } + + if (!domain->enumerate) { +- DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name); +- DEBUG(SSSDBG_TRACE_FUNC, +- "Please note that when enumeration is disabled `getent " +- "passwd` does not return all users by design. 
See " +- "sssd.conf man page for more detailed information\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]\n", domain->name); + } + + ret = EOK; +@@ -1537,6 +1541,7 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain, + errno_t ret; + const char *tmp; + ++#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT + tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_SUBDOMAIN_ENUMERATE, + CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE); +@@ -1549,6 +1554,14 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain, + goto done; + } + } ++#else ++ ret = split_on_separator(domain, "none", ',', true, true, ++ &domain->sd_enumerate, NULL); ++ if (ret != 0) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Cannot set 'sd_enumerate'\n"); ++ goto done; ++ } ++#endif + + tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_DOMAIN_SUBDOMAIN_INHERIT, +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index 61cf48c31..149e9a161 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -494,8 +494,12 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain, + } + mpg_mode = str_to_domain_mpg_mode(str_mpg_mode); + ++#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT + enumerate = ldb_msg_find_attr_as_bool(res->msgs[i], + SYSDB_SUBDOMAIN_ENUM, false); ++#else ++ enumerate = false; ++#endif + + forest = ldb_msg_find_attr_as_string(res->msgs[i], + SYSDB_SUBDOMAIN_FOREST, NULL); +diff --git a/src/man/Makefile.am b/src/man/Makefile.am +index 1e51aebfd..77b08e84c 100644 +--- a/src/man/Makefile.am ++++ b/src/man/Makefile.am +@@ -55,12 +55,17 @@ FILES_PROVIDER_CONDS = ;with_files_provider + else + FILES_PROVIDER_CONDS = ;without_files_provider + endif ++if BUILD_EXTENDED_ENUMERATION_SUPPORT ++ENUM_CONDS = ;with_ext_enumeration ++else ++ENUM_CONDS = ;without_ext_enumeration ++endif + if SSSD_NON_ROOT_USER + SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support + endif + + +-CONDS = 
with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS) ++CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS) + + + #Special Rules: +diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml +index 0a814ec35..ccf284abb 100644 +--- a/src/man/sssd-ldap.5.xml ++++ b/src/man/sssd-ldap.5.xml +@@ -323,7 +323,7 @@ + before refreshing its cache of enumerated + records. + +- ++ + This option can be also set per subdomain or + inherited via + subdomain_inherit. +@@ -486,7 +486,7 @@ + cached results are returned (and offline mode is + entered) + +- ++ + This option can be also set per subdomain or + inherited via + subdomain_inherit. +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index e7a8cbd9a..7276d233f 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -2673,8 +2673,12 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit + and store ALL user and group entries from the + remote server. + ++ ++ Feature is only supported for domains with ++ id_provider = ldap. ++ + +- Note: Enabling enumeration has a moderate ++ Note: Enabling enumeration has a severe + performance impact on SSSD while enumeration + is running. It may take up to several minutes + after SSSD startup to fully complete enumerations. 
+@@ -2709,7 +2713,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit + + + +- ++ + subdomain_enumerate (string) + + +@@ -3857,10 +3861,10 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit + + ldap_offline_timeout + +- ++ + ldap_enumeration_refresh_timeout + +- ++ + ldap_enumeration_refresh_offset + + +@@ -3876,7 +3880,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit + + ldap_krb5_ticket_lifetime + +- ++ + ldap_enumeration_search_timeout + + +-- +2.41.0 diff --git a/sssd.spec b/sssd.spec index 0b90bd8..1d60bf5 100644 --- a/sssd.spec +++ b/sssd.spec @@ -43,13 +43,14 @@ Name: sssd Version: 2.9.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/2.9.4/sssd-2.9.4.tar.gz ### Patches ### +Patch0001: 0001-ENUMERATION-conditional-build-of-enumeration-support.patch ### Dependencies ### @@ -1063,6 +1064,13 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Thu Jan 18 2024 Alexey Tikhonov - 2.9.4-3 +- Disable enumeration support for IPA and AD providers. + Deprecation was announced in F39 release notes: + https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/sysadmin/Security/#_support_for_the_enumeration_feature_has_been_deprecated_for_ad_and_ipa_backends + This is a backport of upstream patch: + https://github.com/SSSD/sssd/commit/9240bca7dcc28371ae5dce31c01e85d28409cd04 + * Mon Jan 15 2024 Colin Walters - 2.9.4-2 - Scope ExcludeArch: ix86 to RHEL10+
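Review bot: In confdb_init_domain_provider_and_enum, the `else` branch added under `#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT` forces `domain->enumerate = false` without telling the administrator that a configured `enumerate = true` on an IPA/AD domain is now ignored; the only remaining message is the SSSDBG_TRACE_FUNC line, and the hunk even drops the explanatory hint from it. Since the same hunk already reads CONFDB_DOMAIN_ENUMERATE from `res->msgs[0]`, a warning in the else branch such as `if (ldb_msg_find_attr_as_bool(res->msgs[0], CONFDB_DOMAIN_ENUMERATE, false)) { DEBUG(SSSDBG_IMPORTANT_INFO, "Enumeration is not supported for id_provider [%s], 'enumerate' is ignored\n", domain->provider); }` would make the silent behaviour change visible in the logs (this assumes the option is stored in a form ldb's bool lookup accepts, as the subdomain code in sysdb_subdomains.c relies on for SYSDB_SUBDOMAIN_ENUM; the TEMP check in this hunk reads it as an int, so confirm). As a point of style, splitting `if (...) {` and `} else { ... }` across two `#ifndef` blocks hides the brace pairing; computing one boolean up front (`bool enum_supported = true;` under `#ifdef`, otherwise the strcasecmp test) and branching on it unconditionally keeps the function readable under both build configurations. The enclosing function starts and ends outside the hunk.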