[Pkg-sssd-devel] Bug#983795: libnss-sss: libnss_sss fails to enumerate users/groups if the call to endXXent() is missing. (observed with Dovecot)

Heiko Schlittermann (HS12-RIPE) hs at schlittermann.de
Mon Mar 1 21:16:40 GMT 2021


Package: libnss-sss
Version: libnss_sss fails on enumeration of users/groups
Severity: important
Tags: upstream patch

Dear Maintainer,

the NSS responder of sssd fails to *rewind* on calls to setXYent().
It succeeds only for the very first call to setXYent() during a session,
which makes this bug a bit hidden - as most applications don't try to
iterate the XY database multiple times.

But - dovecot is a good example, its auth process keeps the NSS
"connection" open and may iterate multiple times over the list of users.
The first iteration returns all users (from local files and from AD
backed sssd), the next iteration returns only the users from local files,
but not the users from the AD backed sssd. While this may be considered
dovecot's fault, the documentation about setXYent says that it rewinds
the iterator. (It doesn't mention that a consumer *must* use endXYent().)

The authors of sssd confirmed that bug, I opened an issue and a pull
request there already:

- https://github.com/SSSD/sssd/issues/5523
- https://github.com/SSSD/sssd/pull/5524

I'm appending a patch I'm using for my private Buster packages of sssd.
(The patch is not 100% equivalent to the above mentioned PR, as the
version of sssd that is shipped with Debian10 is 1.6.x, and the upstream
is at 2.x already, implementing more setXYent())

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (102, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.5 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnss-sss depends on:
ii  libc6  2.28-10

Versions of packages libnss-sss recommends:
pn  sssd  <none>

libnss-sss suggests no packages.
-------------- next part --------------
Description: Fix setXYent()
 setXYent() failed to rewind. Usage patterns like
	 setpwent(); while (getpwent()) { ... }; endpwent();
	 setpwent(); while (getpwent()) { ... }; endpwent();
 failed, if the endpwent() was missing. (Dovecot is a good example
 for missing the endpwent() call.)
Author: Heiko Schlittermann <hs at schlittermann.de>
Bug: https://github.com/SSSD/sssd/issues/5523
Last-Update: 2021-03-01
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/responder/nss/nss_cmd.c
+++ b/src/responder/nss/nss_cmd.c
@@ -939,6 +939,11 @@
 static errno_t nss_cmd_setpwent(struct cli_ctx *cli_ctx)
 {
     struct nss_ctx *nss_ctx;
+    struct nss_state_ctx *state_ctx;
+
+    state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx);
+    state_ctx->pwent.domain = 0;
+    state_ctx->pwent.result = 0;
 
     nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx);
 
@@ -995,6 +1000,11 @@
 static errno_t nss_cmd_setgrent(struct cli_ctx *cli_ctx)
 {
     struct nss_ctx *nss_ctx;
+    struct nss_state_ctx *state_ctx;
+
+    state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx);
+    state_ctx->grent.domain = 0;
+    state_ctx->grent.result = 0;
 
     nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx);
 
@@ -1037,6 +1047,12 @@
 
 static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx)
 {
+    struct nss_state_ctx *state_ctx;
+
+    state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx);
+    state_ctx->netgrent.domain = 0;
+    state_ctx->netgrent.result = 0;
+
     return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
                            nss_protocol_fill_setnetgrent);
 }
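Review bot: here the reset runs before `nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, ...)`, so the client's previous netgroup cursor is discarded even if that call subsequently fails to parse or look up the requested name. That matches the contract of setnetgrent(name), which always starts a new enumeration, but a short comment stating that this ordering is deliberate would stop a later reader from moving the reset after the call "to be safe". The extra blank line before `return` also differs from the layout used in the other three hunks.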
@@ -1090,6 +1106,11 @@
 static errno_t nss_cmd_setservent(struct cli_ctx *cli_ctx)
 {
     struct nss_ctx *nss_ctx;
+    struct nss_state_ctx *state_ctx;
+
+    state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx);
+    state_ctx->svcent.domain = 0;
+    state_ctx->svcent.result = 0;
 
     nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx);
 

