From 3e34abbb7cb3dd7fe31c1ebb09f98d7fb060dc7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Tue, 21 Nov 2023 13:11:39 +0100
Subject: [PATCH 1/2] requirement: bump pytest-mh minimum version
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 969f5d30..f2597101 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
 jc
 pytest
 python-ldap
-pytest-mh >= 1.0.5
+pytest-mh >= 1.0.7
From 071b2d3a56b30a4f63af5c87f86b2a37800d9bb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Tue, 21 Nov 2023 13:11:01 +0100
Subject: [PATCH 2/2] passkey: avoid an infinite loop in cares
The issue is an infinite loop in cares. generate_unique_id() caused by 'LD_PRELOAD=/opt/random.so'. generate_unique_id() is calling arc4random_buf() and the loop in cares is keeping a list of old ids to avoid those. But arc4random_buf() is overwritten by random.so and always returns the same value and as a result the same id is always used and causes the infinite loop. To make the environment only available to passkey_child not to add those environment variable to /etc/sysconfig/sssd but rename passkey_child.
Signed-off-by: Madhuri Upadhye
---
 sssd_test_framework/utils/authentication.py | 28 +++++++++++++--------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/sssd_test_framework/utils/authentication.py b/sssd_test_framework/utils/authentication.py
index 8b82c0de..5445fd3e 100644
--- a/sssd_test_framework/utils/authentication.py
+++ b/sssd_test_framework/utils/authentication.py
@@ -320,22 +320,28 @@ def passkey(self, username: str, *, pin: str | int, device: str, ioctl: str, scr
 :return: True if authentication was successful, False otherwise.
 :rtype: bool
 """
- self.fs.backup("/etc/sysconfig/sssd")
+ self.fs.backup("/usr/libexec/sssd/passkey_child")
+ self.fs.copy("/usr/libexec/sssd/passkey_child", "/usr/libexec/sssd/passkey_child.orig")
+
 device_path = self.fs.upload_to_tmp(device, mode="a=r")
 ioctl_path = self.fs.upload_to_tmp(ioctl, mode="a=r")
 script_path = self.fs.upload_to_tmp(script, mode="a=r")
 run_su = self.fs.mktmp(
 rf"""
- #!/bin/bash
- set -ex
- env | grep ^UMOCKDEV_ > /etc/sysconfig/sssd
- printf "LD_PRELOAD=$LD_PRELOAD" >> /etc/sysconfig/sssd
- systemctl restart sssd
- chmod -R a+rwx $UMOCKDEV_DIR
-
- su --shell /bin/sh nobody -c "su - '{username}'"
- """,
+ #!/bin/bash
+ set -ex
+ echo '#!/bin/bash' > /usr/libexec/sssd/passkey_child
+ echo -n 'export ' >> /usr/libexec/sssd/passkey_child
+ env | grep ^UMOCKDEV_ >> /usr/libexec/sssd/passkey_child
+ echo -n 'export ' >> /usr/libexec/sssd/passkey_child
+ printf "LD_PRELOAD=$LD_PRELOAD\n" >> /usr/libexec/sssd/passkey_child
+ echo 'exec /usr/libexec/sssd/passkey_child.orig $@' >> /usr/libexec/sssd/passkey_child
+ chmod 755 /usr/libexec/sssd/passkey_child
+ chmod -R a+rwx $UMOCKDEV_DIR
+
+ su --shell /bin/sh nobody -c "su - '{username}'"
+ """,
 mode="a=rx",
 )
@@ -384,6 +390,8 @@ def passkey(self, username: str, *, pin: str | int, device: str, ioctl: str, scr
 """
 )
+ self.fs.restore("/usr/libexec/sssd/passkey_child")
+
 if result.rc > 200:
 raise ExpectScriptError(result.rc)
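Review bot: The generated wrapper ends with `exec /usr/libexec/sssd/passkey_child.orig $@`, and the unquoted `$@` re-splits and glob-expands every argument before it reaches the real binary. Writing the line as `echo 'exec /usr/libexec/sssd/passkey_child.orig "$@"' >> /usr/libexec/sssd/passkey_child` passes the arguments through unchanged. The single `echo -n 'export '` ahead of `env | grep ^UMOCKDEV_` prefixes only the first line grep emits, so if more than one UMOCKDEV_ variable is set the others land in the wrapper as plain, unexported assignments, and none of the values are quoted. The body of passkey() begins before this hunk and continues after it.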
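Review bot: `self.fs.restore("/usr/libexec/sssd/passkey_child")` runs only if the expect call above it returns, so an exception there would leave the LD_PRELOAD-exporting wrapper installed in place of the real helper for whatever runs next on the host. This assumes the fs utility does not also restore backups at teardown, which is not visible here. Putting the wrapper's lifetime under `try:` with `finally: self.fs.restore("/usr/libexec/sssd/passkey_child")` would make the restore unconditional. The restore also leaves `/usr/libexec/sssd/passkey_child.orig` in place, and nothing in the visible hunks removes it. The enclosing passkey() body starts outside this hunk.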