#1216 Password logins failing due to a process with high UID
Closed: Fixed None Opened 10 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=798655 (Red Hat Enterprise Linux 6)

Description of problem:

I'm not sure if this is a bug in the kernel or an issue with sssd, but the
problem is exhibited in sssd, so I'm starting there.  Please reassign as

When I log into a system using a password with kerberos auth, it will succeed
on the first attempt, but fail on subsequent attempts (once a ccache entry
exists).  It fails in get_uid_from_pid (find_uid.c), more specifically when
calling strtouint32(), while looping through processes checking Uid in
/proc/<pid>/status and encounters a UID of -1.

        num = strtouint32(p, &endptr, 10);
        error = errno;
        if (error != 0) {
            DEBUG(1, ("strtol failed [%s].\n", strerror(error)));
            return error;

(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [get_uid_from_pid] (1): strtol
failed [Numerical result out of range].
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [get_active_uid_linux] (1):
get_uid_from_pid failed.
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [check_if_uid_is_active] (1):
get_uid_table failed.
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [check_if_ccache_file_is_used]
(1): check_if_uid_is_active failed.
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [krb5_auth_send] (1):
check_if_ccache_file_is_used failed.

It's encountering a Uid of -1 because an nrpe process is defaulting to the UID
of (2^32 - 1), which as far as I can tell is a perfectly acceptable UID since
it's in the unsigned 32 range.  With a UID of 4294967295, /proc/<pid>/status is
showing -1, instead of 4294967295.

[root@host tmp]$ ps -ef | grep nrpe
4294967295 32590   1  0 Feb28 ?        00:00:01 /usr/sbin/nrpe -c
/etc/nagios/nrpe.cfg -d

[root@host tmp]$ grep ^Uid /proc/32590/status
Uid:    -1      -1      -1      -1

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Run a process with a UID of 2^32-1
2. While using kerberos for authentication, login to the host twice

Actual results:
Login fails.

Expected results:
Login succeeds.

Ok, the problem here is that SSSD assumes that PIDs are unsigned 32-bit
integers, but the standard type of pid_t is actually a signed 32-bit integer.

What's happening is that we're using strtoul32() which internally converts the
string to a signed long long and then checks that it's > 0.

Apparently we were working under a faulty assumption that UIDs were guaranteed
to be positive. I'll switch this conversion to use strtol32() instead of
strtoul32() (and then cast it to uint32_t after this).

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
owner: somebody => sgallagh
patch: => 0
status: new => assigned
tests: => 0
testsupdated: => 0
upgrade: => 0

Fixed by:
- 55fcd37 (master)
- f5df473 (sssd-1-8)

resolution: => fixed
status: assigned => closed

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8.1 (LTM)

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2258

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.