#1098 SSSD with Posix ACL break the permissions on /var/lib/sss/pipe/nss and /var/lib/sss/pipe/pam
Closed: Invalid None Opened 12 years ago by sidecontrol.

I noticed this when I enabled Posix ACLs to configure a directory-specific umask. Each time I restarted sssd, the following files' permissions were not world writable or readable.

/var/lib/sssd/pipe/nss
/var/lib/sssd/pipe/pam

This creates the following error when logging in: id: cannot find name for user ID

[sidecontrol@heavy:~]# ssh sidecontrol.com
Last login: Thu Nov 24 01:41:16 2011 from sidecontrol.com
id: cannot find name for user ID 2000
id: cannot find name for group ID 1000
id: cannot find name for user ID 2000
[I have no name!@heavy:~]#

This does not prevent you from logging in, but it will prevent you from using your sudoers file to escalate your privileges.

/var/lib/sss/ permissions

[I have no name!@heavy:/var/lib/sss/pipes]# ls -ltrh
total 16K
drwx------+ 2 root root 4.0K Nov 24 01:41 private
srw--w-r--+ 1 root root    0 Nov 24 01:41 pam
srw--w-r--+ 1 root root    0 Nov 24 01:41 nss
[I have no name!@heavy:/var/lib/sss/pipes]# getfacl nss
# file: nss
# owner: root
# group: root
user::rw-
group::r-x          #effective:---
mask::-w-
other::r--

A simple chmod 666 on the files resolved the issue.

[root@heavy:~]# cd /var/lib/sss/pipes/
[root@heavy:/var/lib/sss/pipes]# ls
nss  pam  private
[root@heavy:/var/lib/sss/pipes]# chmod 666 nss pam
[root@heavy:/var/lib/sss/pipes]# su - sidecontrol
[sidecontrol@heavy:~]#

However, this happens each time I restart SSSD; it did not happen on a machine without the Posix ACLs. Granted, I can set up an ACL to force all files to be read-write in that folder, but it seems like it might be worth taking a look at. I hope this helps.

Cheers.


I haven't been able to reproduce this. We explicitly set umask to 111 before creating the socket.

Can you check if there are any default ACLs set with "getfacl /var/lib/sss/pipes" ?

After restarting sssd, these are the pipes' permissions.

# file: var/lib/sss/pipes
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x      #effective:---
default:mask::-w-
default:other::r-x

As seen in the getfacl output, /var/lib/sss/pipes has default ACLs. That affects the permissions on the newly created files inside it.

Can you try running:

setfacl --remove-default /var/lib/sss/pipes/

and then restarting SSSD? That should fix your problem.
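As an added illustration (not SSSD's code and not anything posted in this ticket), the following Python models the acl(5) default-ACL inheritance rule the maintainer describes, using the getfacl output quoted above as constructed input. It assumes that sssd's umask of 111 reduces the socket's requested mode to 0666, which is what the directory's default ACL is then intersected with; the helper names are my own.

```python
"""Model of POSIX default-ACL inheritance (acl(5)) for a new file in a directory.

Added illustration, not SSSD code. TICKET_GETFACL is the getfacl output quoted
in the ticket. Assumption: sssd's umask of 111 makes the socket's requested
mode 0666, and a default ACL on the parent directory is intersected with that.
"""

R, W, X = 4, 2, 1  # rwx as one octal digit


def perm_from_str(s):
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    return ((R if s[0] == "r" else 0)
            | (W if s[1] == "w" else 0)
            | (X if s[2] == "x" else 0))


def perm_to_str(p):
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


def parse_getfacl(text):
    """Parse getfacl(1) output into {'access': {tag: perm}, 'default': {tag: perm}}.
    Only the unnamed user/group/mask/other entries are needed here."""
    acl = {"access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '# file:' headers and '#effective:' notes
        if not line:
            continue
        kind = "access"
        if line.startswith("default:"):
            kind = "default"
            line = line[len("default:"):]
        tag, _qualifier, perms = line.split(":")
        acl[kind][tag] = perm_from_str(perms)
    return acl


def mode_without_default_acl(create_mode, umask):
    """No default ACL on the parent: the classic rule, mode & ~umask."""
    return create_mode & ~umask & 0o777


def mode_with_default_acl(create_mode, default_acl):
    """Parent has a default ACL: the owner, group-class and other bits of the
    new file are the intersection of the requested mode and the default ACL.
    The group class is the mask entry when present, else the group entry."""
    owner = ((create_mode >> 6) & 7) & default_acl["user"]
    group_class = ((create_mode >> 3) & 7) & default_acl.get("mask", default_acl["group"])
    other = (create_mode & 7) & default_acl["other"]
    return (owner << 6) | (group_class << 3) | other


def ls_perms(mode, ftype="s"):
    """Render the mode the way ls -l does, e.g. 'srw--w-r--'."""
    return ftype + perm_to_str((mode >> 6) & 7) + perm_to_str((mode >> 3) & 7) + perm_to_str(mode & 7)


def effective_group_perms(default_acl):
    """The inherited group entry is kept as written, but the mask caps what it
    actually grants; this is the '#effective:---' annotation getfacl prints."""
    return default_acl["group"] & default_acl.get("mask", 7)


def missing_world_perms(dir_acl, needed=0o666, create_mode=0o666):
    """Return which classes (owner/group/other) a new file would be short of
    compared to `needed`. An empty list means the directory's ACL is harmless
    for world-accessible sockets such as the sssd pipes."""
    default = dir_acl["default"]
    got = mode_with_default_acl(create_mode, default) if default else create_mode
    lacking = needed & ~got
    return [who for who, shift in (("owner", 6), ("group", 3), ("other", 0))
            if (lacking >> shift) & 7]


# The getfacl output quoted in the ticket (constructed input for this example).
TICKET_GETFACL = """\
# file: var/lib/sss/pipes
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x      #effective:---
default:mask::-w-
default:other::r-x
"""

if __name__ == "__main__":
    acl = parse_getfacl(TICKET_GETFACL)
    print("umask 111, no default ACL :", ls_perms(mode_without_default_acl(0o777, 0o111)))
    print("same, with the default ACL:", ls_perms(mode_with_default_acl(0o666, acl["default"])))
    print("effective group perms     :", perm_to_str(effective_group_perms(acl["default"])))
    print("classes short of rw       :", missing_world_perms(acl))
    acl["default"].clear()  # what 'setfacl --remove-default' leaves behind
    print("after --remove-default    :", missing_world_perms(acl))
```

Run as-is, the second line prints `srw--w-r--`, the exact mode shown in the reporter's `ls -ltrh` output, and the check returns an empty list once the default entries are gone, which is why `setfacl --remove-default` followed by an sssd restart is enough. The `missing_world_perms` check can be pointed at any directory's `getfacl` output to confirm a default ACL will not clobber 0666 files before a daemon creates them there.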

Did the trick, thank you.

I'm glad it works now. Closing the ticket.

resolution: => invalid
status: new => closed

Fields changed

rhbz: => 0

Fields changed

milestone: NEEDS_TRIAGE => void

Metadata Update from @sidecontrol:
- Issue set to the milestone: void

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2140

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
