
[BUG] user.list_groups omits remote groups #64953

Closed
donkopotamus opened this issue Aug 10, 2023 · 3 comments
Assignees
Labels
Bug broken, incorrect, or confusing behavior

Comments

@donkopotamus
donkopotamus commented Aug 10, 2023

Description

In salt-3006, #62378 introduced a change in salt.utils.user.get_group_list to no longer use grp.getgrgid and to instead filter grp.getgrall by group id.

On systems with remote groups provided by sssd, for example, where user and group enumeration has been disabled, the following functions no longer return all of the groups a user is in:

  • user.list_groups
  • user.info

Only local groups, and no remote groups, will be returned.

This has other serious side effects:

  • cmd.run runas=<some-user> will no longer have the complete supplementary group vector.

    Note: In our particular case, this means that processes no longer have the same ability to access paths protected by ACLs, or remote groups, or may no longer be able to escalate rights via sudo when the rules are group driven.

Note that it is common to disable remote group enumeration in large organisations as it is expensive and causes heavy load. Whenever remote providers do not offer enumeration, grp.getgrall will not reflect all valid groups on the system. (And from a code perspective, even if it does, it is relatively inefficient to filter grp.getgrall, which may contain tens of thousands of remote groups, simply to resolve the 10 or 20 a user may belong to.)

Setup

On a machine with sssd enabled, with an ldap provider, and with that provider being configured with enumerate = false.

Steps to Reproduce the behavior

Compare salt-call user.list_groups <user> versus the output of e.g. groups

Expected behavior

user.list_groups should include remote groups for the user

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
PASTE HERE

Related: #64888, #64891
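To make the failure mode in this report concrete, here is an added example (not code from the issue or from Salt itself) that models the two resolution strategies side by side. The `FakeNss` class is a constructed stand-in for the NSS group database in which remote groups resolve by gid but never appear in enumeration, which is how an sssd provider with `enumerate = false` behaves; the strategy functions also run unchanged against the real host through `RealNss`, using only `grp.getgrall`, `grp.getgrgid`, `os.getgrouplist` and `pwd.getpwnam` from the standard library. The group names, gids and user `alice` are constructed sample data.

```python
"""Compare 'filter getgrall()' against 'getgrgid() per gid' group resolution."""
import grp
import os
import pwd
from collections import namedtuple

# Same field names as grp.struct_group, so each strategy works on the real
# system and on the constructed fake below.
Group = namedtuple("Group", ["gr_name", "gr_gid", "gr_mem"])


class FakeNss:
    """Constructed stand-in for the NSS group database.

    Local groups behave like /etc/group: enumerable and resolvable by gid.
    Remote groups behave like an sssd/LDAP provider with enumerate = false:
    initgroups() and getgrgid() still resolve them, but getgrall() never
    lists them.
    """

    def __init__(self, local, remote):
        self._local = {g.gr_gid: g for g in local}
        self._remote = {g.gr_gid: g for g in remote}

    def getgrall(self):
        # Enumeration only ever sees the local database.
        return list(self._local.values())

    def getgrgid(self, gid):
        group = self._local.get(gid) or self._remote.get(gid)
        if group is None:
            raise KeyError(f"getgrgid(): gid not found: {gid}")
        return group

    def getgrouplist(self, user, primary_gid):
        # Models initgroups(): the provider answers membership queries for a
        # named user even though it refuses to enumerate.
        gids = [primary_gid]
        for group in list(self._local.values()) + list(self._remote.values()):
            if user in group.gr_mem and group.gr_gid not in gids:
                gids.append(group.gr_gid)
        return gids


class RealNss:
    """The host's actual NSS, via the standard library."""
    getgrall = staticmethod(grp.getgrall)
    getgrgid = staticmethod(grp.getgrgid)
    getgrouplist = staticmethod(os.getgrouplist)


def groups_by_filtering_getgrall(nss, user, primary_gid):
    """Filter an enumeration of every group by the user's gids.

    Any group the backend does not enumerate is silently dropped, and the
    scan costs O(all groups) although a user is usually in a handful.
    """
    gids = set(nss.getgrouplist(user, primary_gid))
    return sorted(g.gr_name for g in nss.getgrall() if g.gr_gid in gids)


def groups_by_gid_lookup(nss, user, primary_gid):
    """Resolve each gid reported by initgroups() individually with getgrgid()."""
    names = []
    for gid in nss.getgrouplist(user, primary_gid):
        try:
            names.append(nss.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))  # keep an unresolvable gid rather than drop it
    return sorted(names)


def missing_from_enumeration(nss, user, primary_gid):
    """Groups the user really holds that the enumeration-based approach omits."""
    seen = set(groups_by_filtering_getgrall(nss, user, primary_gid))
    return [g for g in groups_by_gid_lookup(nss, user, primary_gid) if g not in seen]


def audit_real_user(user):
    """Run the same comparison against this host (the user must exist locally or via NSS)."""
    primary_gid = pwd.getpwnam(user).pw_gid
    return missing_from_enumeration(RealNss(), user, primary_gid)


# Constructed sample: a local private group, one local supplementary group,
# one unrelated local group, and two groups that exist only in the remote provider.
LOCAL_GROUPS = [
    Group("alice", 1000, ()),
    Group("wheel", 10, ("alice",)),
    Group("users", 100, ()),
]
REMOTE_GROUPS = [
    Group("eng-deploy", 50001, ("alice",)),
    Group("vpn-users", 50002, ("alice", "bob")),
]
SAMPLE_NSS = FakeNss(LOCAL_GROUPS, REMOTE_GROUPS)

if __name__ == "__main__":
    print("filter getgrall :", groups_by_filtering_getgrall(SAMPLE_NSS, "alice", 1000))
    print("getgrgid per gid:", groups_by_gid_lookup(SAMPLE_NSS, "alice", 1000))
    print("omitted         :", missing_from_enumeration(SAMPLE_NSS, "alice", 1000))
```

Against the sample data the enumeration-based strategy returns only `alice` and `wheel`, while the per-gid lookup also returns `eng-deploy` and `vpn-users`; `missing_from_enumeration` lists exactly those two, which is the gap that leaves a `cmd.run runas=` process with an incomplete supplementary group vector. `audit_real_user("<user>")` runs the same check against a real sssd-backed host, and a non-empty result there is the quickest way to confirm this report on a given minion.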

@donkopotamus donkopotamus added Bug broken, incorrect, or confusing behavior needs-triage labels Aug 10, 2023
@welcome
welcome bot commented Aug 10, 2023

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

@donkopotamus
Author

Tagging @nicholasmhughes

@Ch3LL Ch3LL added this to the Sulfur v3006.2 milestone Aug 14, 2023
@whytewolf
Collaborator

looking into this and #64888 to try and determine the best course of action. right now it is looking like a revert of the code in question. but i want to talk to @nicholasmhughes first. this does not look like it will be in 3006.3.

nicholasmhughes added a commit to nicholasmhughes/salt that referenced this issue Aug 29, 2023
felippeb pushed a commit to felippeb/salt that referenced this issue Oct 27, 2023
felippeb pushed a commit to felippeb/salt that referenced this issue Oct 27, 2023
m-czernek pushed a commit to openSUSE/salt that referenced this issue Jul 2, 2024
* fixes saltstack/salt#64953 user.list_groups omits remote groups

* fixes saltstack/salt#65029 support for pysss can be removed

* add changelog entries

* add tests for _getgrall and local vs remote group handling

* add negative tests for _getgrall

* root can still read the file and tests run as root

* remove permission check as it's probably an unreachable edge case

---------

Co-authored-by: nicholasmhughes <[email protected]>