#2655 proxy provider does not work in non-root mode
Closed: Fixed None Opened 5 years ago by lslebodn.

Design doccument[1] says:
proxy_child

In general, we can't make assumptions on what the PAM module we wrap using the proxy backend requires, so at least the part of proxy child that runs the PAM conversation should run as root. During development, we should consider splitting the proxy_child into a small setuid helper that would still run privileged and only wrap the PAM module and the rest of the proxy_child that would run unprivileged.

However initialization of proxy_child failed:

(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_send] (0x2000): Queueing request [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_send] (0x1000): Starting proxy child with args [/usr/libexec/sssd/proxy_child -d 0x77f0 --debug-timestamps=1 --debug-micros
econds=0 --debug-to-files --domain PROXY --id 1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x1000): Waiting for child [13398].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x0100): child [13398] exited with status [2].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_done] (0x0400): Proxy child init failed [5]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_destructor] (0x2000): Removing proxy child id [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 5, PAM child failed) [Internal Error (Memory buffer error)]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sending result [4][PROXY]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sent result [4][PROXY]



May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: chown failed for [proxy_child_PROXY]: [1]
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot chown the debug files, debugging might not work!
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Trying to become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: setgroups failed [1][Operation not permitted].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Could not set up mainloop [1]

[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD


Fields changed

description: Design doccument[1] says:
'''proxy_child'''

In general, we can't make assumptions on what the PAM module we wrap using the proxy backend requires, so at least the part of proxy child that runs the PAM conversation should run as root. During development, we should consider splitting the proxy_child into a small setuid helper that would still run privileged and only wrap the PAM module and the rest of the proxy_child that would run unprivileged.

However initialization of proxy_child failed:
{{{
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_send] (0x2000): Queueing request [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_send] (0x1000): Starting proxy child with args [/usr/libexec/sssd/proxy_child -d 0x77f0 --debug-timestamps=1 --debug-micros
econds=0 --debug-to-files --domain PROXY --id 1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x1000): Waiting for child [13398].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x0100): child [13398] exited with status [2].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_done] (0x0400): Proxy child init failed [5]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_destructor] (0x2000): Removing proxy child id [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 5, PAM child failed) [Internal Error (Memory buffer error)]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sending result [4][PROXY]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sent result [4][PROXY]
}}}

{{{
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: chown failed for [proxy_child_PROXY]: [1]
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot chown the debug files, debugging might not work!
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Trying to become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: setgroups failed [1][Operation not permitted].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Could not set up mainloop [1]
}}} => Design doccument[1] says:
'''proxy_child'''

In general, we can't make assumptions on what the PAM module we wrap using the proxy backend requires, so at least the part of proxy child that runs the PAM conversation should run as root. During development, we should consider splitting the proxy_child into a small setuid helper that would still run privileged and only wrap the PAM module and the rest of the proxy_child that would run unprivileged.

However initialization of proxy_child failed:
{{{
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_send] (0x2000): Queueing request [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_send] (0x1000): Starting proxy child with args [/usr/libexec/sssd/proxy_child -d 0x77f0 --debug-timestamps=1 --debug-micros
econds=0 --debug-to-files --domain PROXY --id 1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x1000): Waiting for child [13398].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [pc_init_sig_handler] (0x0100): child [13398] exited with status [2].
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_init_done] (0x0400): Proxy child init failed [5]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [proxy_child_destructor] (0x2000): Removing proxy child id [1]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 5, PAM child failed) [Internal Error (Memory buffer error)]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sending result [4][PROXY]
(Mon May 18 12:31:30 2015) [sssd[be[PROXY]]] [be_pam_handler_callback] (0x0100): Sent result [4][PROXY]
}}}

{{{
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: chown failed for [proxy_child_PROXY]: [1]
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot chown the debug files, debugging might not work!
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Trying to become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: setgroups failed [1][Operation not permitted].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Cannot become user [0][0].
May 18 12:31:30 ibm-x3250m4-05.example.com proxy_child[13398]: Could not set up mainloop [1]
}}}

[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
summary: proxy_child does not work in non-root mode => proxy provider does not work in non-root mode

Fields changed

owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3696

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata