#1216 Password logins failing due to a process with high UID
Closed: Fixed None Opened 7 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=798655 (Red Hat Enterprise Linux 6)

Description of problem:

I'm not sure if this is a bug in the kernel or an issue with sssd, but the
problem is exhibited in sssd, so I'm starting there.  Please reassign as

When I log into a system using a password with kerberos auth, it will succeed
on the first attempt, but fail on subsequent attempts (once a ccache entry
exists).  It fails in get_uid_from_pid (find_uid.c), more specifically when
calling strtouint32(), while looping through processes checking Uid in
/proc/<pid>/status and encounters a UID of -1.

        num = strtouint32(p, &endptr, 10);
        error = errno;
        if (error != 0) {
            DEBUG(1, ("strtol failed [%s].\n", strerror(error)));
            return error;
        }

(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [get_uid_from_pid] (1): strtol failed [Numerical result out of range].
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [get_active_uid_linux] (1): get_uid_from_pid failed.
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [check_if_uid_is_active] (1): get_uid_table failed.
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [check_if_ccache_file_is_used] (1): check_if_uid_is_active failed.
(Tue Feb 28 14:44:46 2012) [sssd[be[EMPLOYEES]]] [krb5_auth_send] (1): check_if_ccache_file_is_used failed.

It's encountering a Uid of -1 because an nrpe process is defaulting to the UID
of (2^32 - 1), which as far as I can tell is a perfectly acceptable UID since
it's in the unsigned 32 range.  With a UID of 4294967295, /proc/<pid>/status is
showing -1, instead of 4294967295.

[root@host tmp]$ ps -ef | grep nrpe
4294967295 32590   1  0 Feb28 ?        00:00:01 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

[root@host tmp]$ grep ^Uid /proc/32590/status
Uid:    -1      -1      -1      -1

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Run a process with a UID of 2^32-1
2. While using kerberos for authentication, log in to the host twice

Actual results:
Login fails.

Expected results:
Login succeeds.

Ok, the problem here is that SSSD assumes that PIDs are unsigned 32-bit
integers, but the standard type of pid_t is actually a signed 32-bit integer.

What's happening is that we're using strtoul32() which internally converts the
string to a signed long long and then checks that it's > 0.

Apparently we were working under a faulty assumption that UIDs were guaranteed
to be positive. I'll switch this conversion to use strtol32() instead of
strtoul32() (and then cast it to uint32_t after this).

owner: somebody => sgallagh
status: new => assigned

Fixed by:
- 55fcd37 (master)
- f5df473 (sssd-1-8)

resolution: => fixed
status: assigned => closed
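
The failure and the signed-then-cast approach discussed in this ticket, as an added example (not SSSD's code and not the content of the commits listed above): a small C parser for the Uid line of /proc/<pid>/status that shows the strict unsigned check returning ERANGE on "-1" and a tolerant parse mapping it to 4294967295. The names parse_uid, uid_from_status and SAMPLE_STATUS are hypothetical, and every line of the sample status text except the Uid line is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/status; only the Uid line is from the report. */
static const char SAMPLE_STATUS[] =
    "Name:\tnrpe\nPid:\t32590\nUid:\t-1\t-1\t-1\t-1\nGid:\t0\t0\t0\t0\n";

/* Parse one UID field. With accept_signed == 0 this mirrors a strict
 * unsigned check that rejects "-1"; with accept_signed != 0 a signed
 * 32-bit rendering is accepted and reinterpreted as uint32_t. */
static int parse_uid(const char *s, int accept_signed, uint32_t *uid)
{
    char *end;
    long long min = accept_signed ? INT32_MIN : 0;
    long long v;

    errno = 0;
    v = strtoll(s, &end, 10);          /* skips the leading tab itself */
    if (errno != 0) return errno;
    if (end == s || (*end != '\0' && strchr("\t \n", *end) == NULL)) return EINVAL;
    if (v < min || v > (long long)UINT32_MAX) return ERANGE;
    *uid = (uint32_t)v;                /* -1 becomes 4294967295 */
    return 0;
}

/* Locate the "Uid:" line and parse its first field (the real UID). */
static int uid_from_status(const char *status, int accept_signed, uint32_t *uid)
{
    const char *p = strncmp(status, "Uid:", 4) == 0 ? status
                                                    : strstr(status, "\nUid:");
    if (p == NULL) return ENOENT;
    return parse_uid(strchr(p, ':') + 1, accept_signed, uid);
}

int main(void)
{
    uint32_t uid = 0;
    int rc = uid_from_status(SAMPLE_STATUS, 0, &uid);
    printf("strict:   rc=%d (%s)\n", rc, strerror(rc));
    rc = uid_from_status(SAMPLE_STATUS, 1, &uid);
    printf("tolerant: rc=%d uid=%lu\n", rc, (unsigned long)uid);
    return 0;
}
```
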

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8.1 (LTM)
