Dan Walsh's Blog

Got SELinux?


Open Source how do I love thee, let me count the ways.
danwalsh
Yesterday I got contacted by Red Hat Support about a problem we had in libselinux. If you are setting up confined users, you can use the semanage login command to set up a group of Linux users to be assigned to a confined SELinux user type.

# semanage login -a -s staff_u -r s0-s0:c0.c1023 %wheel

This command causes all Linux users in the wheel group to log in as the staff_u SELinux user. Well, we had a bug in the getseuserbyname function in libselinux. When you log in to a system, the pam_selinux module uses this function to figure out which SELinux user should be used for your UID. The bug was that we were not allocating enough memory to read the entire group entry. Basically, if the number of users within a group was too large, the library would stop reading, and the group-based mapping silently failed.

A customer of ours found the problem and reported it.  

Now the reason I love Open Source...

The customer did not stop there.  They downloaded our source, found the problem, built a patch and attached it to the bug report.  So all I had to do was apply the patch and start the errata process.   This is the type of stuff that can't happen in a closed source system, and is why Open Source is better...

Open source is like The Elves and the Shoemaker, just don't tell my boss.  :^)

Looks like the customer in question was also quite serious about what they should get in the errata package and did a security review of it in advance. ;)

Dan,
Can you post some notes on how the customer came to the conclusion that the problem was in the small amount of allocated memory? How did he (and you too) debug the problem, understand its roots and create a working solution?

From Bug Report:

"On Customer's network (sssd with two domain mappings, one ldap one active directory), moving from 67 members in a particular group to 68 members in that group breaks mapping for all members.

Fortunately this is easy to reproduce in a much simpler environment, it is visible on a standalone machine using nothing but /etc/passwd and /etc/group. The tipping point on the number of members in a group is not consistent, it seems to be dependent on the size of the username. Larger usernames cause groups to fail out with fewer members."

The bug report does not go into detail on how they figured the problem was in libselinux versus sshd/pam_selinux. But they did. They also wrote some test programs to figure out where the tipping point was. Their test programs were returning ERANGE as errno and they figured out what was happening.
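The getgrnam_r() pattern behind the bug described in the post and the ERANGE observation above, as an added example that is not libselinux's code: a group-membership lookup that treats ERANGE as "buffer too small" and retries with a larger buffer, instead of treating it as "no such group". The function name user_in_group, the deliberately tiny starting buffer and the 1 MiB growth cap are my own choices for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if `user` is listed as a member of `group`, 0 if not (or if the
 * group does not exist), -1 on error with errno set. `*grows`, if non-NULL,
 * receives how many times the buffer had to be enlarged. */
int user_in_group(const char *user, const char *group, int *grows)
{
    struct group grp, *res = NULL;
    size_t buflen = 16;   /* deliberately tiny so the ERANGE retry path runs */
    char *buf = NULL;
    int rc, found = 0;

    if (grows) *grows = 0;
    for (;;) {
        char *nbuf = realloc(buf, buflen);
        if (nbuf == NULL) { free(buf); return -1; }  /* errno = ENOMEM */
        buf = nbuf;
        rc = getgrnam_r(group, &grp, buf, buflen, &res);
        if (rc != ERANGE)
            break;            /* found, missing, or a hard error */
        /* ERANGE only means "buffer too small", never "no such group".
         * Giving up here would silently drop every member of a large
         * group; instead double the buffer and retry, with an upper cap. */
        if (buflen >= (1u << 20)) { free(buf); errno = ERANGE; return -1; }
        buflen *= 2;
        if (grows) (*grows)++;
    }
    if (res == NULL) {
        free(buf);
        if (rc == 0 || rc == ENOENT || rc == ESRCH)
            return 0;         /* no such group */
        errno = rc;
        return -1;
    }
    for (char **m = grp.gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0) { found = 1; break; }
    free(buf);
    return found;
}
```

Because the starting buffer is 16 bytes, even a short group line such as the root group forces at least one ERANGE retry on a normal system, which makes the retry path easy to step through in a debugger.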
