diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch new file mode 100644 index 0000000000..477f5b9c22 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-CVE-2021-3621.patch @@ -0,0 +1,284 @@ +From 9377cc4c25a1d889e241f23ec7efcd40fced3c63 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 18 Jun 2021 13:17:19 +0200 +Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of + user supplied command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +:relnote: A flaw was found in SSSD, where the sssctl command was +vulnerable to shell command injection via the logs-fetch and +cache-expire subcommands. This flaw allows an attacker to trick +the root user into running a specially crafted sssctl command, +such as via sudo, to gain root access. The highest threat from this +vulnerability is to confidentiality, integrity, as well as system +availability. +This patch fixes a flaw by replacing system() with execvp(). + +:fixes: CVE-2021-3621 + +Reviewed-by: Pavel Březina +--- + src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- + src/tools/sssctl/sssctl.h | 2 +- + src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- + src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- + 4 files changed, 73 insertions(+), 57 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 2997dbf96..8adaf3091 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, + return SSSCTL_PROMPT_ERROR; + } + +-errno_t sssctl_run_command(const char *command) ++errno_t sssctl_run_command(const char *const argv[]) + { + int ret; ++ int wstatus; + +- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); ++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); + +- ret = system(command); ++ ret = fork(); + if (ret == -1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); + ERROR("Error while executing external command\n"); + return EFAULT; +- } else if (WEXITSTATUS(ret) != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", +- command, WEXITSTATUS(ret)); ++ } ++ ++ if (ret == 0) { ++ /* cast is safe - see ++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html ++ "The statement about argv[] and envp[] being constants ... " ++ */ ++ execvp(argv[0], discard_const_p(char * const, argv)); + ERROR("Error while executing external command\n"); +- return EIO; ++ _exit(1); ++ } else { ++ if (waitpid(ret, &wstatus, 0) == -1) { ++ ERROR("Error while executing external command '%s'\n", argv[0]); ++ return EFAULT; ++ } else if (WEXITSTATUS(wstatus) != 0) { ++ ERROR("Command '%s' failed with [%d]\n", ++ argv[0], WEXITSTATUS(wstatus)); ++ return EIO; ++ } + } + + return EOK; +@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) + #elif defined(HAVE_SERVICE) + switch (action) { + case SSSCTL_SVC_START: +- return sssctl_run_command(SERVICE_PATH" sssd start"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); + case SSSCTL_SVC_STOP: +- return sssctl_run_command(SERVICE_PATH" sssd stop"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); + case SSSCTL_SVC_RESTART: +- return sssctl_run_command(SERVICE_PATH" sssd restart"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); + } + #endif + +diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h +index 0115b2457..599ef6519 100644 +--- a/src/tools/sssctl/sssctl.h ++++ b/src/tools/sssctl/sssctl.h +@@ -47,7 +47,7 @@ enum sssctl_prompt_result + sssctl_prompt(const char *message, + enum sssctl_prompt_result defval); + +-errno_t sssctl_run_command(const char *command); ++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ + bool sssctl_start_sssd(bool force); + bool sssctl_stop_sssd(bool force); + bool sssctl_restart_sssd(bool force); +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index 8d79b977f..bf2291341 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ b/src/tools/sssctl/sssctl_data.c +@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) + } + } + +- ret = sssctl_run_command("sss_override user-export " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export user overrides\n"); + return ret; + } + +- ret = sssctl_run_command("sss_override group-export " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export group overrides\n"); + return ret; +@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override user-import " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import user overrides\n"); + return ret; +@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override group-import " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import group overrides\n"); + return ret; +@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, + void *pvt) + { + errno_t ret; +- char *cmd_args = NULL; +- const char *cachecmd = SSS_CACHE; +- char *cmd = NULL; +- int i; +- +- if (cmdline->argc == 0) { +- ret = sssctl_run_command(cachecmd); +- goto done; +- } + +- cmd_args = talloc_strdup(tool_ctx, ""); +- if (cmd_args == NULL) { +- ret = ENOMEM; +- goto done; ++ const char **args = talloc_array_size(tool_ctx, ++ sizeof(char *), ++ cmdline->argc + 2); ++ if (!args) { ++ return ENOMEM; + } ++ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); ++ args[0] = SSS_CACHE; ++ args[cmdline->argc + 1] = NULL; + +- for (i = 0; i < cmdline->argc; i++) { +- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); +- if (i != cmdline->argc - 1) { +- cmd_args = talloc_strdup_append(cmd_args, " "); +- } +- } +- +- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); +- if (cmd == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = sssctl_run_command(cmd); +- +-done: +- talloc_free(cmd_args); +- talloc_free(cmd); ++ ret = sssctl_run_command(args); + ++ talloc_free(args); + return ret; + } +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c +index 04a32bad8..ebb2c4571 100644 +--- a/src/tools/sssctl/sssctl_logs.c ++++ b/src/tools/sssctl/sssctl_logs.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include "util/util.h" + #include "tools/common/sss_process.h" +@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + { + struct sssctl_logs_opts opts = {0}; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + struct poptOption options[] = { +@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + + sss_signal(SIGHUP); + } else { ++ globbuf.gl_offs = 4; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; ++ } ++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); ++ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); ++ globbuf.gl_pathv[3] = discard_const_p(char, "0"); ++ + PRINT("Truncating log files...\n"); +- ret = sssctl_run_command("truncate --size 0 " LOG_FILES); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to truncate log files\n"); + return ret; +@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + void *pvt) + { + const char *file; +- const char *cmd; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, +@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + return ret; + } + +- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); +- if (cmd == NULL) { +- ERROR("Out of memory!"); ++ globbuf.gl_offs = 3; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; + } ++ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); ++ globbuf.gl_pathv[2] = discard_const_p(char, file); + + PRINT("Archiving log files into %s...\n", file); +- ret = sssctl_run_command(cmd); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to archive log files\n"); + return ret; +-- +2.25.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch new file mode 100644 index 0000000000..7d80dc8415 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd-2.3.1-disable-nsupdate-realm.patch @@ -0,0 +1,10 @@ +--- a/src/external/nsupdate.m4 2020-11-05 16:27:14.661566136 +0100 ++++ b/src/external/nsupdate.m4 2020-11-05 16:27:30.060674381 +0100 +@@ -9,7 +9,6 @@ + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) +- AC_MSG_ERROR([nsupdate does not support 'realm']) + fi + + else diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service index 1821089a60..a6afb4682c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/sssd.service @@ -1,15 +1,10 @@ [Unit] Description=System Security Services Daemon -# SSSD will not be started until syslog is -After=syslog.target +After=nscd.service [Service] -ExecStart=/usr/sbin/sssd -D -f -# These two should be used with traditional UNIX forking daemons -# consult systemd.service(5) for more details -Type=forking +ExecStart=/usr/sbin/sssd -i PIDFile=/run/sssd.pid [Install] WantedBy=multi-user.target - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf new file mode 100644 index 0000000000..f8074a4332 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf @@ -0,0 +1,13 @@ +d /etc/sssd 0700 root root - - +C /etc/sssd/sssd.conf 0600 root root - /usr/share/sssd/sssd-example.conf +d /var/lib/sss - root root - - +d /var/lib/sss/deskprofile 0755 root root - - +d /var/lib/sss/db 0700 root root - - +d /var/lib/sss/gpo_cache 0755 root root - - +d /var/lib/sss/keytabs 0700 root root - - +d /var/lib/sss/mc 0700 root root - - +d /var/lib/sss/pipes - root root - - +d /var/lib/sss/pipes/private 0700 root root - - +d /var/lib/sss/pubconf 0700 root root - - +d /var/lib/sss/pubconf/krb5.include.d 0700 root root - - +d /var/lib/sss/secrets 0755 root root - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild index c5c20e6794..f1c75c95f1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/sssd-2.3.1-r4.ebuild @@ -1,16 +1,23 @@ +# Flatcar modifications: +# - changed files/sssd.service +# - added files/tmpfiles.d/sssd.conf +# - other ebuild modifications marked below +# # Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_7 ) +PYTHON_COMPAT=( python3_{6..10} ) -inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs +TMPFILES_OPTIONAL=1 +inherit autotools flag-o-matic linux-info multilib-minimal python-single-r1 pam systemd toolchain-funcs tmpfiles DESCRIPTION="System Security Services Daemon provides access to identity and authentication" HOMEPAGE="https://github.com/SSSD/sssd" SRC_URI="https://github.com/SSSD/sssd/releases/download/${PN}-${PV//./_}/${P}.tar.gz" -KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" +# Flatcar: stabilize arm64 +KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc x86" LICENSE="GPL-3" SLOT="0" @@ -20,6 +27,8 @@ RESTRICT="!test? ( test )" REQUIRED_USE="pac? ( samba ) python? ( ${PYTHON_REQUIRED_USE} )" +# Flatcar: do not force gssapi for >=net-dns/bind-tools-9.9 +# do not force winbind for net-fs/samba DEPEND=" >=app-crypt/mit-krb5-1.10.3 app-crypt/p11-kit @@ -29,7 +38,7 @@ DEPEND=" >=dev-libs/libpcre-8.30:= >=dev-libs/popt-1.16 >=dev-libs/openssl-1.0.2:0= - >=net-dns/bind-tools-9.9[gssapi] + >=net-dns/bind-tools-9.9 >=net-dns/c-ares-1.7.4 >=net-nds/openldap-2.4.30[sasl] >=sys-apps/dbus-1.6 @@ -53,7 +62,7 @@ DEPEND=" net-fs/samba ) python? ( ${PYTHON_DEPS} ) - samba? ( >=net-fs/samba-4.10.2[winbind] ) + samba? ( >=net-fs/samba-4.10.2 ) selinux? ( >=sys-libs/libselinux-2.1.9 >=sys-libs/libsemanage-2.1 @@ -69,8 +78,9 @@ RDEPEND="${DEPEND} >=sys-libs/glibc-2.17[nscd] selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) " -BDEPEND="${DEPEND} - >=sys-devel/autoconf-2.69-r5 +# Flatcar: require only autoconf:2.69 +BDEPEND=" + sys-devel/autoconf:2.69 doc? ( app-doc/doxygen ) test? ( dev-libs/check @@ -104,6 +114,9 @@ MULTILIB_WRAPPED_HEADERS=( PATCHES=( "${FILESDIR}"/${P}-test_ca-Look-for-libsofthsm2.so-in-usr-libdir-sofths.patch + "${FILESDIR}"/${P}-disable-nsupdate-realm.patch + # Flatcar: add a patch for CVE-2021-3621 + "${FILESDIR}"/${P}-CVE-2021-3621.patch ) pkg_setup() { @@ -133,7 +146,6 @@ multilib_src_configure() { myconf+=( --localstatedir="${EPREFIX}"/var - --runstatedir="${EPREFIX}"/run --with-pid-path="${EPREFIX}"/run --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) @@ -149,6 +161,12 @@ multilib_src_configure() { --with-nscd="${EPREFIX}"/usr/sbin/nscd --with-unicode-lib="glib2" --disable-rpath + # Flatcar: make nss lookups succeed when not running + --enable-sss-default-nss-plugin + # Flatcar: prevent cross-compilation error + # when autotools does not want to compile and run the test + $(use_with samba smb-idmap-interface-version=6) + # --sbindir=/usr/sbin --with-crypto="libcrypto" --enable-local-provider @@ -178,6 +196,11 @@ multilib_src_configure() { myconf+=( --with-initscript="systemd" --with-systemdunitdir=$(systemd_get_systemunitdir) + # Flatcar: Set the systemd system + # configuration directory explicitly through + # _systemd_get_dir, as it will do the right + # thing in cross-compilation environment. + --with-systemdconfdir=$(_systemd_get_dir systemdsystemconfdir /etc/systemd/system) ) else myconf+=(--with-initscript="sysv") @@ -208,7 +231,8 @@ multilib_src_configure() { multilib_src_compile() { if multilib_is_native_abi; then - default + # Flatcar: add runstatedir to make commands to avoid configure error + default runstatedir="${EPREFIX}"/run use doc && emake docs if use man || use nls; then emake update-po @@ -222,7 +246,9 @@ multilib_src_compile() { multilib_src_install() { if multilib_is_native_abi; then - emake -j1 DESTDIR="${D}" "${_at_args[@]}" install + # Flatcar: add runstatedir, sysconfdir + emake -j1 DESTDIR="${D}" runstatedir="${EPREFIX}"/run \ + sysconfdir="/usr/share" "${_at_args[@]}" install if use python; then python_optimize python_fix_shebang "${ED}" @@ -251,26 +277,15 @@ multilib_src_install_all() { einstalldocs find "${ED}" -type f -name '*.la' -delete || die - insinto /etc/sssd - insopts -m600 + # Flatcar: store on /usr + insinto /usr/share/sssd doins "${S}"/src/examples/sssd-example.conf - insinto /etc/logrotate.d - insopts -m644 - newins "${S}"/src/examples/logrotate sssd - - newconfd "${FILESDIR}"/sssd.conf sssd - - keepdir /var/lib/sss/db - keepdir /var/lib/sss/deskprofile - keepdir /var/lib/sss/gpo_cache - keepdir /var/lib/sss/keytabs - keepdir /var/lib/sss/mc - keepdir /var/lib/sss/pipes/private - keepdir /var/lib/sss/pubconf/krb5.include.d - keepdir /var/lib/sss/secrets - keepdir /var/log/sssd + # Flatcar: delete, remove /var files taken care of by tmpfiles + # Flatcar: add tmpfile directive and remove /etc/rc.d + dotmpfiles "${FILESDIR}/tmpfiles.d/sssd.conf" + rm -rf "${D}/etc/rc.d" # strip empty dirs if ! use doc ; then rm -r "${ED}"/usr/share/doc/"${PF}"/doc || die