#4105 1.16: Information leak in infopipe due to an improper uid restriction
Closed: wontfix a year ago by pbrezina. Opened 2 years ago by pbrezina.

Currently only a small subset of infopipe methods performs access check. This affects only older branches then 2.x.

Steps to reproduce:
1. Call an infopipe method as a user not-listed in [ifp] allowed_uids
2. Without fix the access is granted

E.g.

$ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByName string:user-1

Metadata Update from @pbrezina:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1660687

2 years ago

Metadata Update from @pbrezina:
- Issue assigned to pbrezina

2 years ago

This is fixed since 2.0. The security impact is low (by default only posix attributes are available) and we could break users applications that relies on the fact that the data is available to everyone therefore we should not fix it in 1.16 where such change is unacceptable.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5068

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata