sssd-ifp man page description of user_attributes misleading

[Hawk777]

The sssd-ifp man page has the following to say about the user_attributes field:

Specifies the comma-separated list of white or blacklisted attributes.

By default, the InfoPipe responder only allows the default set of POSIX attributes to be requested. This set is the same as returned by getpwnam(3) and includes:

The use of the terminology “white or blacklisted” and “only allows” suggests to me that it is not possible to read attributes that are not specified in user_attributes via IFP. However, in practice, that does not appear to be the case. Even without specifying mail in user_attributes (an attribute which is not in the list of supported-by-default attributes), I can run sudo gdbus call --system --dest org.freedesktop.sssd.infopipe --object-path /org/freedesktop/sssd/infopipe --method org.freedesktop.sssd.infopipe.GetUserAttr myname '["mail"]' and my e-mail address is returned. In reality, as far as I can tell, user_attributes just selects which attributes are populated into the extraAttributes property of a org.freedesktop.sssd.infopipe.Users.User object, but not which attributes are possible to access via IFP in general. Maybe it also has some impact on caching; I’m not sure. Describing it in the documentation as permitting or prohibiting access to certain attributes seems confusing.

At least, this is the case with version 2.9.4. I’m not really easily able to test newer versions, since 2.9.4 is what’s shipped with Ubuntu LTS and I’d rather not have downtime on the few important domain-joined machines I manage just to test this on newer versions.

[justin-stephenson]

Hi @Hawk777

You are correct, the difference is that you are sending the method org.freedesktop.sssd.infopipe.GetUserAttr which does not perform any filtering based on your defined configuration value of user_attributes. This interface will return any object stored in the SSSD cache for the user.

Can you try using the org.freedesktop.sssd.infopipe.Users.User interface instead to see if it behaves as you expect?

Note that org.freedesktop.sssd.infopipe.GetUserAttr was deprecated many years ago 4b8f260

[Hawk777]

I believe I answered your question in my original message: the extraAttributes property of a User object contains only those attributes listed in user_attributes. My point was that, deprecated or not, GetUserAttr exists. The wording of user_attributes makes it sound like a security control: clients cannot access any other attributes. If that is the case, GetUserAttr is a security hole, because it lets clients bypass that restriction. I doubt that the right interpretation; thus, my assumption that instead the documentation is just confusing (extraAttributes is documented in a way that sounds like a security control, but it really isn’t).

[justin-stephenson]

@Hawk777 Please check #8193 if the proposed changes help to make the man page more clear, or if you have any other suggestion you can add.

[Hawk777]

Yes, thank you!