Passkey: Avoid an infinite loop in cares

The issue is an infinite loop in cares. generate_unique_id() caused by 'LD_PRELOAD=/opt/random.so'. generate_unique_id() is calling arc4random_buf() and the loop in cares is keeping a list of old ids to avoid those. But arc4random_buf() is overwritten by random.so and always returns the same value and as a result the same id is always used and causes the infinite loop. To make the environment only available to passkey_child not to add those environment variable to /etc/sysconfig/sssd but rename passkey_child. Signed-off-by: Madhuri Upadhye <[email protected]>
SSSD · Nov 21, 2023 · e9cb7fe · e9cb7fe
1 parent d98fb8d
commit e9cb7fe
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
 jc
 pytest
 python-ldap
-pytest-mh >= 1.0.5
+pytest-mh >= 1.0.7
diff --git a/sssd_test_framework/utils/authentication.py b/sssd_test_framework/utils/authentication.py
@@ -320,22 +320,28 @@ def passkey(self, username: str, *, pin: str | int, device: str, ioctl: str, scr
         :return: True if authentication was successful, False otherwise.
         :rtype: bool
         """
-        self.fs.backup("/etc/sysconfig/sssd")
+        self.fs.backup("/usr/libexec/sssd/passkey_child")
+        self.fs.copy("/usr/libexec/sssd/passkey_child", "/usr/libexec/sssd/passkey_child.orig")
+
         device_path = self.fs.upload_to_tmp(device, mode="a=r")
         ioctl_path = self.fs.upload_to_tmp(ioctl, mode="a=r")
         script_path = self.fs.upload_to_tmp(script, mode="a=r")
 
         run_su = self.fs.mktmp(
             rf"""
-            #!/bin/bash
-            set -ex
-            env | grep ^UMOCKDEV_ > /etc/sysconfig/sssd
-            printf "LD_PRELOAD=$LD_PRELOAD" >> /etc/sysconfig/sssd
-            systemctl restart sssd
-            chmod -R a+rwx $UMOCKDEV_DIR
-
-            su --shell /bin/sh nobody -c "su - '{username}'"
-            """,
+                #!/bin/bash
+                set -ex
+                echo '#!/bin/bash' > /usr/libexec/sssd/passkey_child
+                echo -n 'export ' >> /usr/libexec/sssd/passkey_child
+                env | grep ^UMOCKDEV_ >> /usr/libexec/sssd/passkey_child
+                echo -n 'export ' >> /usr/libexec/sssd/passkey_child
+                printf "LD_PRELOAD=$LD_PRELOAD\n" >> /usr/libexec/sssd/passkey_child
+                echo 'exec /usr/libexec/sssd/passkey_child.orig $@' >> /usr/libexec/sssd/passkey_child
+                chmod 755 /usr/libexec/sssd/passkey_child
+                chmod -R a+rwx $UMOCKDEV_DIR
+
+                su --shell /bin/sh nobody -c "su - '{username}'"
+                """,
             mode="a=rx",
         )
 
@@ -384,6 +390,8 @@ def passkey(self, username: str, *, pin: str | int, device: str, ioctl: str, scr
             """
         )
 
+        self.fs.restore("/usr/libexec/sssd/passkey_child")
+
         if result.rc > 200:
             raise ExpectScriptError(result.rc)