Bug 89207 - Strictly validate info destined for config files
Summary: Strictly validate info destined for config files
Alias: None
Product: realmd
Classification: Unclassified
Component: realmd (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Stef Walter
QA Contact: yelley
Depends on:
Reported: 2015-02-18 14:38 UTC by Stef Walter
Modified: 2016-04-14 08:05 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description Stef Walter 2015-02-18 14:38:02 UTC
realmd configures sssd.conf and smb.conf. No data that was retrieved before join (and the point where mutual trust, sealing is established) should be used when configuring sssd.conf and/or smb.conf.

Such data should be retrieved again. I need to check exactly which fields this affects.
Comment 1 Stef Walter 2015-04-14 09:25:34 UTC
After discussing this further, due to the mutual trust inherent in the keytab, we need to make sure that the configuration fields do not contain invalid characters, and are properly parseable. We'll do this in two ways, restricting input from LDAP, and cleaning output to sssd.conf.
Comment 2 Stef Walter 2015-04-14 09:30:02 UTC
Values output to samba.conf and sssd.conf is already clean of newlines, which are the problematic character here.
Comment 3 Stef Walter 2015-04-14 09:45:20 UTC
Fixed with these commits:

commit 6d5ac47cc22c273a55bea89dffbe537a3c86ad2c
Author: Stef Walter <stefw@redhat.com>
Date:   Tue Apr 14 11:30:53 2015 +0200

    service: Limit the characters we read from LDAP
    We strictly limit this to characters expected in domain names.

commit 502980a8a17eddb5fe3d16bcad229a6d0ba11065
Author: Stef Walter <stefw@redhat.com>
Date:   Sat Apr 11 13:29:40 2015 +0200

    service: Only accept specific characters when parsing MSCLDAP response
    This provides an extra layer of protection against injecting
    odd characters into configuration files.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.