Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

General hardening #7764

Closed
wants to merge 2 commits into from
Closed

General hardening #7764

wants to merge 2 commits into from

Conversation

alexey-tikhonov
Copy link
Member

@alexey-tikhonov alexey-tikhonov commented Dec 13, 2024
edited
Loading

Clear env of privileged 'sssd_pam' as a security hardening measure.

@alexey-tikhonov
Copy link
Member Author

Looks like clearing 'LDB_MODULES_PATH' breaks a lot of integration tests:

sssd/Makefile.am

Line 2050 in af65c00

TESTS_ENVIRONMENT = LDB_MODULES_PATH=$(abs_top_builddir)/ldb_mod_test_dir \

so I've split this PR into two (see #7774)

This one will be probably blocked until we get rid of intg-tests...

@jengelh
Copy link
Contributor

jengelh commented Dec 19, 2024

Ironically, I did spot that previously and applied it in cc675eb in part.

@eslerm
Copy link

eslerm commented Dec 19, 2024

This PR is mentioned in a vulnerability report. By not assigning CVEs, downstream maintainers (like distros) will not know which security patches are required for backporting to make downstream users of SSSD secure.

https://www.openwall.com/lists/oss-security/2024/12/19/1

@alexey-tikhonov
Copy link
Member Author

This PR is mentioned in a vulnerability report.

Not a "vulnerability" but a "weaknesses".
No way to exploit it was presented thus no CVEs were assigned.

sumit-bose
sumit-bose approved these changes Jan 20, 2025
View reviewed changes
Copy link
Contributor

@sumit-bose sumit-bose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

thanks, looks like integrations tests are passing now. I'm fine with the patch, but I might be biased, nevertheless, ACK.

bye,
Sumit

aplopez
aplopez approved these changes Jan 20, 2025
View reviewed changes
Copy link
Contributor

@aplopez aplopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aplopez aplopez self-assigned this Jan 20, 2025
@alexey-tikhonov alexey-tikhonov added Ready to push Ready to push and removed Ready to push Ready to push labels Jan 20, 2025
@alexey-tikhonov
Copy link
Member Author

Pushed PR: #7764

  • master
    • 50892b6 - Don't clear 'sssd_pam' env when built for intg-tests
    • 6cb2de5 - Clear env of privileged 'sssd_pam' as a security hardening measure.
  • sssd-2-10
    • a1dba9c - Don't clear 'sssd_pam' env when built for intg-tests
    • 6fc4cc3 - Clear env of privileged 'sssd_pam' as a security hardening measure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aplopez aplopez aplopez approved these changes

@sumit-bose sumit-bose sumit-bose approved these changes

Assignees

@sumit-bose sumit-bose

@aplopez aplopez

Labels
branch: sssd-2-10 Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@alexey-tikhonov @jengelh @eslerm @sumit-bose @aplopez