mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-16 17:36:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-auth/sssd: Clean slate to reapply our changes

Browse Source
This commit is contained in:
Krzesimir Nowak 2021-12-15 20:35:21 +01:00
parent 4901c02cd6
commit 8701aa0a72
5 changed files with 33 additions and 349 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

284
sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch vendored
View File

@ -1,284 +0,0 @@
From 9377cc4c25a1d889e241f23ec7efcd40fced3c63 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 18 Jun 2021 13:17:19 +0200
Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
user supplied command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
:relnote: A flaw was found in SSSD, where the sssctl command was
vulnerable to shell command injection via the logs-fetch and
cache-expire subcommands. This flaw allows an attacker to trick
the root user into running a specially crafted sssctl command,
such as via sudo, to gain root access. The highest threat from this
vulnerability is to confidentiality, integrity, as well as system
availability.
This patch fixes a flaw by replacing system() with execvp().
:fixes: CVE-2021-3621
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
src/tools/sssctl/sssctl.h | 2 +-
src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
4 files changed, 73 insertions(+), 57 deletions(-)
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index 2997dbf96..8adaf3091 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
return SSSCTL_PROMPT_ERROR;
}
-errno_t sssctl_run_command(const char *command)
+errno_t sssctl_run_command(const char *const argv[])
{
int ret;
+ int wstatus;
- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- ret = system(command);
+ ret = fork();
if (ret == -1) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
ERROR("Error while executing external command\n");
return EFAULT;
- } else if (WEXITSTATUS(ret) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
- command, WEXITSTATUS(ret));
+ }
+
+ if (ret == 0) {
+ /* cast is safe - see
+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
+ "The statement about argv[] and envp[] being constants ... "
+ */
+ execvp(argv[0], discard_const_p(char * const, argv));
ERROR("Error while executing external command\n");
- return EIO;
+ _exit(1);
+ } else {
+ if (waitpid(ret, &wstatus, 0) == -1) {
+ ERROR("Error while executing external command '%s'\n", argv[0]);
+ return EFAULT;
+ } else if (WEXITSTATUS(wstatus) != 0) {
+ ERROR("Command '%s' failed with [%d]\n",
+ argv[0], WEXITSTATUS(wstatus));
+ return EIO;
+ }
}
return EOK;
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
#elif defined(HAVE_SERVICE)
switch (action) {
case SSSCTL_SVC_START:
- return sssctl_run_command(SERVICE_PATH" sssd start");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
case SSSCTL_SVC_STOP:
- return sssctl_run_command(SERVICE_PATH" sssd stop");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
case SSSCTL_SVC_RESTART:
- return sssctl_run_command(SERVICE_PATH" sssd restart");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
}
#endif
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
index 0115b2457..599ef6519 100644
--- a/src/tools/sssctl/sssctl.h
+++ b/src/tools/sssctl/sssctl.h
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
sssctl_prompt(const char *message,
enum sssctl_prompt_result defval);
-errno_t sssctl_run_command(const char *command);
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
bool sssctl_start_sssd(bool force);
bool sssctl_stop_sssd(bool force);
bool sssctl_restart_sssd(bool force);
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
index 8d79b977f..bf2291341 100644
--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
}
}
- ret = sssctl_run_command("sss_override user-export "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export user overrides\n");
return ret;
}
- ret = sssctl_run_command("sss_override group-export "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export group overrides\n");
return ret;
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override user-import "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import user overrides\n");
return ret;
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override group-import "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import group overrides\n");
return ret;
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
void *pvt)
{
errno_t ret;
- char *cmd_args = NULL;
- const char *cachecmd = SSS_CACHE;
- char *cmd = NULL;
- int i;
-
- if (cmdline->argc == 0) {
- ret = sssctl_run_command(cachecmd);
- goto done;
- }
- cmd_args = talloc_strdup(tool_ctx, "");
- if (cmd_args == NULL) {
- ret = ENOMEM;
- goto done;
+ const char **args = talloc_array_size(tool_ctx,
+ sizeof(char *),
+ cmdline->argc + 2);
+ if (!args) {
+ return ENOMEM;
}
+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
+ args[0] = SSS_CACHE;
+ args[cmdline->argc + 1] = NULL;
- for (i = 0; i < cmdline->argc; i++) {
- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
- if (i != cmdline->argc - 1) {
- cmd_args = talloc_strdup_append(cmd_args, " ");
- }
- }
-
- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
- if (cmd == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sssctl_run_command(cmd);
-
-done:
- talloc_free(cmd_args);
- talloc_free(cmd);
+ ret = sssctl_run_command(args);
+ talloc_free(args);
return ret;
}
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
index 04a32bad8..ebb2c4571 100644
--- a/src/tools/sssctl/sssctl_logs.c
+++ b/src/tools/sssctl/sssctl_logs.c
@@ -31,6 +31,7 @@
#include <ldb.h>
#include <popt.h>
#include <stdio.h>
+#include <glob.h>
#include "util/util.h"
#include "tools/common/sss_process.h"
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
{
struct sssctl_logs_opts opts = {0};
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
struct poptOption options[] = {
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
sss_signal(SIGHUP);
} else {
+ globbuf.gl_offs = 4;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
+ }
+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
+
PRINT("Truncating log files...\n");
- ret = sssctl_run_command("truncate --size 0 " LOG_FILES);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to truncate log files\n");
return ret;
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
void *pvt)
{
const char *file;
- const char *cmd;
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
return ret;
}
- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
- if (cmd == NULL) {
- ERROR("Out of memory!");
+ globbuf.gl_offs = 3;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
}
+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
+ globbuf.gl_pathv[2] = discard_const_p(char, file);
PRINT("Archiving log files into %s...\n", file);
- ret = sssctl_run_command(cmd);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to archive log files\n");
return ret;
--
2.25.1

10
sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch vendored
View File

@ -1,10 +0,0 @@
--- a/src/external/nsupdate.m4 2020-11-05 16:27:14.661566136 +0100
+++ b/src/external/nsupdate.m4 2020-11-05 16:27:30.060674381 +0100
@@ -9,7 +9,6 @@
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
- AC_MSG_ERROR([nsupdate does not support 'realm'])
fi
else

9
sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service vendored
View File

@ -1,10 +1,15 @@
[Unit]
Description=System Security Services Daemon
After=nscd.service
# SSSD will not be started until syslog is
After=syslog.target
[Service]
ExecStart=/usr/sbin/sssd -i
ExecStart=/usr/sbin/sssd -D -f
# These two should be used with traditional UNIX forking daemons
# consult systemd.service(5) for more details
Type=forking
PIDFile=/run/sssd.pid
[Install]
WantedBy=multi-user.target

13
sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf vendored
View File

@ -1,13 +0,0 @@
d /etc/sssd 0700 root root - -
C /etc/sssd/sssd.conf 0600 root root - /usr/share/sssd/sssd-example.conf
d /var/lib/sss - root root - -
d /var/lib/sss/deskprofile 0755 root root - -
d /var/lib/sss/db 0700 root root - -
d /var/lib/sss/gpo_cache 0755 root root - -
d /var/lib/sss/keytabs 0700 root root - -
d /var/lib/sss/mc 0700 root root - -
d /var/lib/sss/pipes - root root - -
d /var/lib/sss/pipes/private 0700 root root - -
d /var/lib/sss/pubconf 0700 root root - -
d /var/lib/sss/pubconf/krb5.include.d 0700 root root - -
d /var/lib/sss/secrets 0755 root root - -

66
sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild → sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild vendored
View File

@ -1,22 +1,16 @@
# Flatcar modifications:
# - changed files/sssd.service
# - added files/tmpfiles.d/sssd.conf
# - other ebuild modifications marked below
#
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
PYTHON_COMPAT=( python3_{6..10} )
PYTHON_COMPAT=( python3_7 )
inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs
DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
HOMEPAGE="https://github.com/SSSD/sssd"
SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz"
# Flatcar: stabilize arm64
KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86"
LICENSE="GPL-3"
SLOT="0"
@ -26,8 +20,6 @@ RESTRICT="!test? ( test )"
REQUIRED_USE="pac? ( samba )
python? ( ${PYTHON_REQUIRED_USE} )"
# Flatcar: do not force gssapi for >=net-dns/bind-tools-9.9
# do not force winbind for net-fs/samba
DEPEND="
>=app-crypt/mit-krb5-1.10.3
app-crypt/p11-kit
@ -37,7 +29,7 @@ DEPEND="
>=dev-libs/libpcre-8.30:=
>=dev-libs/popt-1.16
>=dev-libs/openssl-1.0.2:0=
>=net-dns/bind-tools-9.9
>=net-dns/bind-tools-9.9[gssapi]
>=net-dns/c-ares-1.7.4
>=net-nds/openldap-2.4.30[sasl]
>=sys-apps/dbus-1.6
@ -61,7 +53,7 @@ DEPEND="
net-fs/samba
)
python? ( ${PYTHON_DEPS} )
samba? ( >=net-fs/samba-4.10.2 )
samba? ( >=net-fs/samba-4.10.2[winbind] )
selinux? (
>=sys-libs/libselinux-2.1.9
>=sys-libs/libsemanage-2.1
@ -77,9 +69,8 @@ RDEPEND="${DEPEND}
>=sys-libs/glibc-2.17[nscd]
selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )
"
# Flatcar: require only autoconf:2.69
BDEPEND="
sys-devel/autoconf:2.69
BDEPEND="${DEPEND}
>=sys-devel/autoconf-2.69-r5
doc? ( app-doc/doxygen )
test? (
dev-libs/check
@ -113,9 +104,6 @@ MULTILIB_WRAPPED_HEADERS=(
PATCHES=(
"${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch
"${FILESDIR}"/${P}-disable-nsupdate-realm.patch
# Flatcar: add a patch for CVE-2021-3621
"${FILESDIR}"/${P}-CVE-2021-3621.patch
)
pkg_setup() {
@ -145,6 +133,7 @@ multilib_src_configure() {
myconf+=(
--localstatedir="${EPREFIX}"/var
--runstatedir="${EPREFIX}"/run
--with-pid-path="${EPREFIX}"/run
--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
@ -160,12 +149,6 @@ multilib_src_configure() {
--with-nscd="${EPREFIX}"/usr/sbin/nscd
--with-unicode-lib="glib2"
--disable-rpath
# Flatcar: make nss lookups succeed when not running
--enable-sss-default-nss-plugin
# Flatcar: prevent cross-compilation error
# when autotools does not want to compile and run the test
$(use_with samba smb-idmap-interface-version=6)
#
--sbindir=/usr/sbin
--with-crypto="libcrypto"
--enable-local-provider
@ -195,11 +178,6 @@ multilib_src_configure() {
myconf+=(
--with-initscript="systemd"
--with-systemdunitdir=$(systemd_get_systemunitdir)
# Flatcar: Set the systemd system
# configuration directory explicitly through
# _systemd_get_dir, as it will do the right
# thing in cross-compilation environment.
--with-systemdconfdir=$(_systemd_get_dir systemdsystemconfdir /etc/systemd/system)
)
else
myconf+=(--with-initscript="sysv")
@ -230,8 +208,7 @@ multilib_src_configure() {
multilib_src_compile() {
if multilib_is_native_abi; then
# Flatcar: add runstatedir to make commands to avoid configure error
default runstatedir="${EPREFIX}"/run
default
use doc && emake docs
if use man || use nls; then
emake update-po
@ -245,9 +222,7 @@ multilib_src_compile() {
multilib_src_install() {
if multilib_is_native_abi; then
# Flatcar: add runstatedir, sysconfdir
emake -j1 DESTDIR="${D}" runstatedir="${EPREFIX}"/run \
sysconfdir="/usr/share" "${_at_args[@]}" install
emake -j1 DESTDIR="${D}" "${_at_args[@]}" install
if use python; then
python_optimize
python_fix_shebang "${ED}"
@ -276,15 +251,26 @@ multilib_src_install_all() {
einstalldocs
find "${ED}" -type f -name '*.la' -delete || die
# Flatcar: store on /usr
insinto /usr/share/sssd
insinto /etc/sssd
insopts -m600
doins "${S}"/src/examples/sssd-example.conf
# Flatcar: delete, remove /var files taken care of by tmpfiles
insinto /etc/logrotate.d
insopts -m644
newins "${S}"/src/examples/logrotate sssd
newconfd "${FILESDIR}"/sssd.conf sssd
keepdir /var/lib/sss/db
keepdir /var/lib/sss/deskprofile
keepdir /var/lib/sss/gpo_cache
keepdir /var/lib/sss/keytabs
keepdir /var/lib/sss/mc
keepdir /var/lib/sss/pipes/private
keepdir /var/lib/sss/pubconf/krb5.include.d
keepdir /var/lib/sss/secrets
keepdir /var/log/sssd
# Flatcar: add tmpfile directive and remove /etc/rc.d
systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/sssd.conf"
rm -rf "${D}/etc/rc.d"
# strip empty dirs
if ! use doc ; then
rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die