#892 Errors with empty loginShell and proxy provider
Closed: Fixed None Opened 9 years ago by sbose.

This issue was found by Kaushik while testing the proxy provider.

The loginShell attribute is a MAY attribute according to RFC 2307 and 2307bis, and neither RFC gives a hint what to do if loginShell is missing.

If loginShell is missing or empty for an LDAP user, the corresponding attribute is not written to the cache, because sysdb_add_basic_user() drops it in this case. When using the proxy provider, in both cases (missing or empty) an empty string is returned by the external getpwnam_r() call and an update of the cached entry will fail. The reason is that sysdb_store_user() only checks if shell==NULL but not if shell is an empty string, and now tries to update a non-existent attribute in the cache, which is not allowed.

As a side effect it is also not possible to update other attributes, e.g., a change in the gecos field, because all updates are done in a single operation.

To fix this I would like to suggest to introduce a configurable default login shell with a default value of '/dev/null'.

To reproduce this issue configure a domain as

[domain/proxy]
id_provider = proxy
proxy_lib_name = ldap
proxy_pam_target = sss_ldap

start with an empty cache and call 'id ldap_user_with_missing_loginShell'. The following error messages can be found:

(Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [sysdb_set_entry_attr] (6): Error: 14 (Bad address)
(Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [sysdb_store_user] (6): Error: 14 (Bad address)
(Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [ldb] (9): cancel ldb transaction (nesting: 0)
(Wed Jun 15 12:23:39 2011) [sssd[be[proxy]]] [acctinfo_callback] (4): Request processed. Returned 3,14,Internal Error (Cannot make/remove an entry for the specified session)

Replying to [ticket:892 sbose]:

> To fix this I would like to suggest to introduce a configurable default login shell with a default value of '/dev/null'.

This would certainly be wrong.
An empty shell is a perfectly valid value and tells the system to use whatever is the currently configured default shell.

The fix is to check if shell[0] == '\0' and skip adding loginShell entirely if it is (or better run a modify operation to delete loginShell if it is there, to remove stale caches of the attribute).

This will cause us to return an empty shell to getpwnam() which will do the right thing in the system.
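The check suggested in the comment above, as an added example that is not part of the ticket and is not SSSD code. `struct toy_entry`, `toy_store_shell()` and the operation names are hypothetical stand-ins for a cached user entry, and the `struct passwd` values are constructed samples.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for one cached user entry (hypothetical, not sysdb). */
struct toy_entry {
    bool has_shell;          /* is loginShell present in the cache? */
    char shell[64];
};

enum shell_op { SHELL_SKIP, SHELL_DELETE, SHELL_SET };

/* Treat NULL and "" alike: the source supplied no shell. */
static bool shell_is_unset(const char *shell)
{
    return shell == NULL || shell[0] == '\0';
}

/* Apply pw->pw_shell to the toy entry and report what was done. */
enum shell_op toy_store_shell(struct toy_entry *e, const struct passwd *pw)
{
    if (shell_is_unset(pw->pw_shell)) {
        if (!e->has_shell)
            return SHELL_SKIP;    /* nothing cached, so no modify is issued */
        e->has_shell = false;     /* drop the stale cached value */
        e->shell[0] = '\0';
        return SHELL_DELETE;
    }
    snprintf(e->shell, sizeof(e->shell), "%s", pw->pw_shell);
    e->has_shell = true;
    return SHELL_SET;
}

int main(void)
{
    struct toy_entry e = { false, "" };
    char empty[] = "", bash[] = "/bin/bash";   /* constructed samples */
    struct passwd pw;

    memset(&pw, 0, sizeof(pw));
    pw.pw_shell = empty;     /* what the proxied lookup hands back */
    printf("empty shell, empty cache: op %d\n", toy_store_shell(&e, &pw));
    pw.pw_shell = bash;
    printf("shell now set:            op %d\n", toy_store_shell(&e, &pw));
    pw.pw_shell = empty;
    printf("shell removed upstream:   op %d\n", toy_store_shell(&e, &pw));
    return 0;
}
```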

As Simo said, this would be an incompatible change. The expected behavior of POSIX is that if the NSS module returns NULL for pw_shell, libc should handle it in a platform-appropriate manner.

In the case of Linux, this generally means that it's treated as /bin/sh.

We want to make sure that the proxy provider behaves the same as our native LDAP provider (which does this correctly).

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.7.0

I agree that '/dev/null' might not be a good choice, but it would be nice if we can store something, e.g. an empty string. This would make updating easier because the modify operation fails if the attribute is missing. Otherwise we have to read the object first, check all attributes, add new ones and modify existing attributes.

Should not be a big problem to fix.

milestone: SSSD 1.8.0 => SSSD 1.7.0

Fields changed

priority: major => minor
rhbz: =>

Fields changed

owner: somebody => jzeleny

Fields changed

patch: 0 => 1
status: new => assigned

Fixed in: 72c3fe5

resolution: => fixed
status: assigned => closed

Metadata Update from @sbose:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.7.0

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1934

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
