#3966 Responders: PAM: calling blocking NSS API is dangerous
Closed: cloned-to-github 11 months ago by pbrezina. Opened 2 years ago by atikhonov.

pam_process_init() -> get_trusted_uids() -> csv_string_to_uid_array() -> unsetenv("_SSS_LOOPS") && sss_user_by_name_or_uid() -> getpw*()

Depending on the nsswitch.conf content, this might result in pam_process_init() being blocked for a long time and terminated by the responder's own watchdog (similarly to the description provided in https://bugzilla.redhat.com/show_bug.cgi?id=1666819#c57). This might lead to failure of responder startup and hence to failure of sssd startup.

As @jhrozek pointed out, one possible solution could be not to call get_trusted_uids() during startup but lazily, when the first PAM request comes. This is still dangerous (might result in a restart of the responder by the watchdog) but better than a totally failed sssd startup.
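A minimal sketch of the lazy approach suggested above, added here as an illustration; it is not part of the original issue and is not SSSD's code. The names `trusted_uids`, `trusted_init`, `resolve_name` and `trusted_check` are hypothetical, and the `lookups` counter exists only to show when the blocking call happens.

```c
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define MAX_TRUSTED 16

struct trusted_uids {
    char csv[256];     /* copy of the option string, parsed on first request */
    int resolved;      /* 0 until the first request triggers the lookups */
    unsigned lookups;  /* number of blocking NSS calls made, for the demo */
    uid_t uids[MAX_TRUSTED];
    size_t count;
};

/* Startup path: stores the string only, so it cannot block in NSS. */
static void trusted_init(struct trusted_uids *t, const char *csv) {
    memset(t, 0, sizeof(*t));
    strncpy(t->csv, csv, sizeof(t->csv) - 1);
}

/* Name lookup through getpwnam(), the blocking NSS call from the issue. */
static int resolve_name(struct trusted_uids *t, const char *name, uid_t *uid) {
    struct passwd *pw = getpwnam(name);
    t->lookups++;
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    return 0;
}

/* Request path: resolve once on the first call, then use the cached array. */
static int trusted_check(struct trusted_uids *t, uid_t client) {
    char *p = t->csv;
    while (!t->resolved && t->count < MAX_TRUSTED) {
        char *tok = p + strspn(p, ", "), *end;
        size_t len = strcspn(tok, ", ");
        if (len == 0) break;
        p = tok + len + (tok[len] != '\0');
        tok[len] = '\0';
        unsigned long n = strtoul(tok, &end, 10);
        uid_t uid = (uid_t)n;
        /* All-digit entries need no NSS lookup; anything else is a name. */
        if ((tok[0] >= '0' && tok[0] <= '9' && *end == '\0' && n == uid) ||
            resolve_name(t, tok, &uid) == 0)
            t->uids[t->count++] = uid;
    }
    t->resolved = 1;
    for (size_t i = 0; i < t->count; i++)
        if (t->uids[i] == client) return 1;
    return 0;
}
```

As the issue notes, the first request still pays the blocking cost, so a slow NSS backend can still trip the watchdog at that point; purely numeric entries never reach `getpwnam()`.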

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet) (was: SSSD 2.2)

2 years ago

Metadata Update from @thalman:
- Issue tagged with: Future milestone

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4939

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

11 months ago
