proxy_child hardening #3730

Closed
sssd-bot opened this issue May 2, 2020 · 1 comment

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2689


proxy_child should perform chdir("/"), umask(022) (or equivalent, but not 0), and reset the environment (with clearenv(), or some more careful approach if there are environment dependencies).

The --domain argument should be sanitized; currently funny names such as /../foo are accepted.

All this just seems to be hardening, no imminent security impact.

Comments


Comment from jhrozek at 2015-06-25 15:52:07

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.15 beta


Comment from jhrozek at 2015-07-20 22:28:11

Fields changed

rhbz: => 0


Comment from lslebodn at 2015-08-17 12:59:44

It should be a similar fix to #2754
plus additional hardening to the argument "--domain"

owner: somebody => pcech


Comment from fweimer at 2017-02-24 14:23:39

Metadata Update from @fweimer:

  • Issue assigned to pcech
  • Issue set to the milestone: SSSD Future releases (no date set yet)

Comment from amitkumar25nov at 2018-05-23 09:01:33

#578


Comment from atikhonov at 2019-10-24 15:01:37

Metadata Update from @atikhonov:

  • Custom field design_review reset (from 0)
  • Custom field mark reset (from 0)
  • Custom field patch reset (from 0)
  • Custom field review reset (from 0)
  • Custom field sensitive reset (from 0)
  • Custom field testsupdated reset (from 0)
  • Issue assigned to atikhonov (was: pcech)
  • Issue close_status updated to: None

Comment from thalman at 2020-03-11 15:18:53

Metadata Update from @thalman:

  • Custom field design_review reset (from false)
  • Custom field mark reset (from false)
  • Custom field patch reset (from false)
  • Custom field review reset (from false)
  • Custom field sensitive reset (from false)
  • Custom field testsupdated reset (from false)
  • Issue tagged with: Next milestone
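
The hardening requested in the issue description above, written out in C as an added example; it is not SSSD's code and not the merged fix. The allow-list, the 255-character limit, the `proxy_child_<domain>.log` name format and the fixed `PATH` value are assumptions made for this example.

```c
#define _DEFAULT_SOURCE            /* clearenv(), setenv() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Allow-list check for a --domain value: 1..255 chars from [A-Za-z0-9._-], no
 * leading '.', so "/../foo", "..", "" and "a/b" are refused (assumed policy). */
int domain_name_is_safe(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len = name ? strlen(name) : 0;

    if (len == 0 || len > 255 || name[0] == '.')
        return 0;
    return strspn(name, ok) == len;
}

/* Log file name from a validated domain (hypothetical format); -1 if refused. */
int log_name_for_domain(const char *domain, char *out, size_t outlen)
{
    int n;

    if (!domain_name_is_safe(domain))
        return -1;
    n = snprintf(out, outlen, "proxy_child_%s.log", domain);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Reset inherited cwd, umask and environment; 0 on success, -1 on failure. */
int harden_child(void)
{
    umask(022);                    /* never 0: no group/world-writable files */
    if (chdir("/") != 0 || clearenv() != 0)
        return -1;
    /* Assumed minimal environment; add back only what the child needs. */
    return setenv("PATH", "/usr/bin:/bin", 1) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    char name[300];

    if (argc != 2 || log_name_for_domain(argv[1], name, sizeof name) != 0)
        return 2;                  /* refuse to start on a bad --domain */
    return (harden_child() == 0 && puts(name) >= 0) ? 0 : 1;
}
```

Validation runs before any file name is built from the argument, and a refused name stops the child instead of being silently rewritten.
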
alexey-tikhonov added a commit to alexey-tikhonov/sssd that referenced this issue Aug 10, 2020
alexey-tikhonov added a commit to alexey-tikhonov/sssd that referenced this issue Jan 22, 2021
alexey-tikhonov added a commit to alexey-tikhonov/sssd that referenced this issue Jan 26, 2021
pbrezina pushed a commit that referenced this issue Jan 29, 2021
Resolves: #3730

Reviewed-by: Sumit Bose <sbose@redhat.com>
@pbrezina

Pushed PR: #5268

  • master
    • b6fc7c0 - Sanitize --domain option to allow safe usage as a part of log file name
    • 3986dea - PROXY: child process security hardening

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Jan 29, 2021
3v1n0 pushed a commit to 3v1n0/sssd that referenced this issue Apr 8, 2021
Resolves: SSSD#3730

Reviewed-by: Sumit Bose <sbose@redhat.com>
akuster pushed a commit to akuster/sssd that referenced this issue May 18, 2021
Resolves: SSSD#3730

Reviewed-by: Sumit Bose <sbose@redhat.com>