Bug#983510: dovecot-core: repeated user enumeration fails with sssd backend (and probably others)

Thu, 25 Feb 2021 07:45:49 -0800 

Package: dovecot-core
Version: 2.3.4.1-5+deb10u1
Severity: important
Tags: patch upstream

Dear Maintainer,

the issue can be found on the dovecot mailing list: 
https://dovecot.org/pipermail/dovecot/2021-February/121478.html

When using sssd as nss plugin, fast repeating calls to `doveadm user *`
do not return the full list of users for each invocation, but for the first
invocation only. 

After a longer period of time (when the started dovecot/auth processes
died), or directly after killing dovecot/auth processes, the user list
is complete again.

This seems to be caused by a missing call to endpwent() in the
userdb-passwd auth plugin of dovecot.

It breaks other tools that rely on the user enumeration, if they are
called in a fast successive order (`doveadm quota recalc -A`, followed
by other `doveadm XXX -A` commands, and thelike).

I created the attached patch and deployed it to my systems, and it seems
to solve the issue. I assume that it doesn't introduce other problems.

(Maybe, the issue can be handled on the sssd side as well, if the sssd
nss plugin sees successive calls to setpwend() with a missing
endpwent(), it could do the endpwend() on its own.)

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (102, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.5 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dovecot-core depends on:
ii  adduser              3.118
ii  libapparmor1         2.13.2-10
ii  libbz2-1.0           1.0.6-9.2~deb10u1
ii  libc6                2.28-10
ii  libexttextcat-2.0-0  3.4.5-1
ii  libicu63             63.1-6+deb10u1
ii  liblua5.3-0          5.3.3-1.1
ii  liblz4-1             1.8.3-1
ii  liblzma5             5.2.4-1
ii  libpam-runtime       1.3.1-5
ii  libpam0g             1.3.1-5
ii  libsodium23          1.0.17-1
ii  libssl1.1            1.1.1d-0+deb10u5
ii  libstemmer0d         0+svn585-1+b2
ii  libwrap0             7.6.q-28
ii  lsb-base             10.2019051400
ii  openssl              1.1.1d-0+deb10u5
pn  ssl-cert             <none>
ii  ucf                  3.0038+nmu1
ii  zlib1g               1:1.2.11.dfsg-1

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
pn  dovecot-gssapi        <none>
pn  dovecot-imapd         <none>
pn  dovecot-ldap          <none>
pn  dovecot-lmtpd         <none>
pn  dovecot-lucene        <none>
pn  dovecot-managesieved  <none>
pn  dovecot-mysql         <none>
pn  dovecot-pgsql         <none>
pn  dovecot-pop3d         <none>
pn  dovecot-sieve         <none>
pn  dovecot-solr          <none>
pn  dovecot-sqlite        <none>
pn  dovecot-submissiond   <none>
pn  ntp                   <none>

From: Heiko Schlittermann <h...@schlittermann.de>
Subject: Add missing endpwent() to the userdb-passwd iterator.
--- a/src/auth/userdb-passwd.c
+++ b/src/auth/userdb-passwd.c
@@ -210,6 +210,7 @@
                cur_userdb_iter_to = timeout_add(0, passwd_iterate_next_timeout,
                                                 (void *)NULL);
        }
+        endpwent();
        return ret;
 }

Reply via email to