[BUG] user.list_groups omits remote groups #64953
Comments
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here's some information that may help as you continue your Salt journey.

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
Tagging @nicholasmhughes
looking into this and #64888 to try and determine the best course of action. right now it is looking like a revert of the code in question. but i want to talk to @nicholasmhughes first. this does not look like it will be in 3006.3.
* fixes saltstack/salt#64953 user.list_groups omits remote groups
* fixes saltstack/salt#65029 support for pysss can be removed
* add changelog entries
* add tests for _getgrall and local vs remote group handling
* add negative tests for _getgrall
* root can still read the file and tests run as root
* remove permission check as its probably an unreachable edge case

---------

Co-authored-by: nicholasmhughes <[email protected]>
* fixes saltstack#64953 user.list_groups omits remote groups
* fixes saltstack#65029 support for pysss can be removed
* add changelog entries
* add tests for _getgrall and local vs remote group handling
* add negative tests for _getgrall
* root can still read the file and tests run as root
* remove permission check as its probably an unreachable edge case

---------

Co-authored-by: nicholasmhughes <[email protected]>

BACKPORT-UPSTREAM=saltstack#65077
Description

In salt-3006, #62378 introduced a change in `salt.utils.user.get_group_list` to no longer use `grp.getgrgid` and to instead filter `grp.getgrall` by group id.

On systems with remote groups provided by `sssd`, for example, where user and group enumeration has been disabled, the following functions no longer return all of the groups a user is in:

- `user.list_groups`
- `user.info`

Only local groups, and no remote groups, will be returned.

This has other serious side effects: `cmd.run runas=<some-user>` will no longer have the complete supplementary group vector.

Note: In our particular case, this means that processes no longer have the same ability to access paths protected by ACLs, or remote groups, or may no longer be able to escalate rights via `sudo` when the rules are group driven.

Note that it is common to disable remote group enumeration in large organisations as it is expensive and causes heavy load. Whenever remote providers do not offer enumeration then `grp.getgrall` will not reflect all valid groups on the system. (And from a code perspective, even if it does, it is relatively inefficient to filter `grp.getgrall`, which may contain tens of thousands of remote groups, simply to resolve the 10 or 20 a user may belong to.)

Setup

On a machine with `sssd` enabled, with an `ldap` provider, and with that provider being configured with `enumerate = false`.

Steps to Reproduce the behavior

Compare `salt-call user.list_groups <user>` versus the output of e.g. `groups`.

Expected behavior

`user.list_groups` should include remote groups for the user.

Versions Report

`salt --versions-report` (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

PASTE HERE

Related: #64888, #64891
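An added example, not Salt's code and not the fix from #65077, that contrasts the two lookup strategies the issue describes. It runs offline on constructed group data (`LOCAL_GROUPS`, `REMOTE_GROUPS`, the user `alice` and the stand-in functions `fake_getgrall` / `fake_getgrouplist` are all made up here); `live_group_list` shows the same membership query against the real name service via `os.getgrouplist`, which asks NSS (and so sssd) per user and does not depend on enumeration.

```python
import os
import pwd

# Constructed sample data (not a real host): groups that local enumeration
# such as grp.getgrall() can see, versus groups only the remote provider knows.
LOCAL_GROUPS = {100: ("users", ["alice", "bob"]), 27: ("sudo", ["bob"])}
REMOTE_GROUPS = {
    5001: ("acl-finance", ["alice"]),   # grants access to an ACL-protected path
    5002: ("remote-admins", ["alice"]), # referenced by a group-driven sudo rule
}
PRIMARY_GID = {"alice": 100, "bob": 100}

def fake_getgrall():
    """Stand-in for grp.getgrall() with enumerate = false: local entries only."""
    return LOCAL_GROUPS.items()

def fake_getgrouplist(user, primary_gid):
    """Stand-in for os.getgrouplist(): the name service still answers
    per-user membership queries even when it refuses to enumerate."""
    gids = [primary_gid]
    for gid, (_, members) in {**LOCAL_GROUPS, **REMOTE_GROUPS}.items():
        if user in members and gid not in gids:
            gids.append(gid)
    return gids

def groups_by_enumeration(user, primary_gid, getgrall):
    """Filter an enumerated group list by membership (the approach the issue
    describes). Any group the enumeration cannot see is silently dropped."""
    gids = {primary_gid}
    for gid, (_, members) in getgrall():
        if user in members:
            gids.add(gid)
    return sorted(gids)

def groups_by_lookup(user, primary_gid, getgrouplist):
    """Ask the name service for the user's group vector (getgrouplist(3))."""
    return sorted(set(getgrouplist(user, primary_gid)))

def dropped_groups(user):
    """Groups a `runas` process would lose under the enumeration approach."""
    gid = PRIMARY_GID[user]
    full = groups_by_lookup(user, gid, fake_getgrouplist)
    seen = groups_by_enumeration(user, gid, fake_getgrall)
    return sorted(set(full) - set(seen))

def live_group_list(user):
    """The same lookup against this host's real name service."""
    return groups_by_lookup(user, pwd.getpwnam(user).pw_gid, os.getgrouplist)
```

For `alice`, the enumeration path yields only the primary gid while the lookup path also returns the two remote gids, which is exactly the missing supplementary-group vector the issue reports for `cmd.run runas`.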