Cannot start agent, socket path location is not trustworthy
Hi. Recently my oidc-agent has stopped working; when running oidc-agent-service use or start I get:
Error: socket path location is not trustworthy
Error: Could not connect to oidc-agent
I am on Fedora 40, my installed oidc-agent is oidc-agent-cli-5.2.1-1.fc40.x86_64.
I have tried reinstalling it but it did not help.
Running the agent with sudo starts it but I was under the impression that it should not be required (or am I wrong?)
This is not expected. We have implemented some logic to evaluate if the socket path location is trustworthy. Normally, this (of course) should be the case.
Can you try to start the agent with eval $(oidc-agent -a /tmp/oidc-agent-service-1000/oidc-agent.sock)? And see if that works.
Thank you for fast response. Running the provided command yields the same results:
$ eval $(oidc-agent -a /tmp/oidc-agent-service-1000/oidc-agent.sock)
Error: socket path location is not trustworthy
If it will be of any help, my tmp dir has the following permissions: drwxrwxrwt., and /tmp/oidc-agent-service-1000 has drwx------. I did also try rebooting and it didn't affect these.
But I also noticed that there is no oidc-agent.sock inside /tmp/oidc-agent-service-1000 directory.
When running the oidc-agent use as root the sock file is created in /tmp/oidc-agent-service-0.
If I can help in any way let me know. Thanks
The permissions on /tmp look fine. What are the permissions on /tmp/oidc-agent-service-1000?
What happens if you rm it and create it manually?
I have updated the comment with them (drwx------.), creating the directory manually sets it to drwxr-xr-x.. Running the command afterwards yields identical results (Socket path untrustworthy). The permissions are not modified and the sock file is not created.
It's expected that the socket is not created. The agent first checks the path, and aborts if it is not trustworthy.
However, I currently don't know why it thinks so, since I have the same permissions.
What I find weird is that it was working fine up until now and I didn't change anything in my system config recently.
I've got the debugger working. Trying to figure out what exactly is happening; for now I've noticed that this line https://github.com/indigo-dc/oidc-agent/blob/0f237ef6c0ca04d83a762a65db378b11a8097e28/src/utils/file_io/safefile/safe_is_path_trusted.c#L182 sets status to 0, which then is compared with enum value SAFE_PATH_UNTRUSTED here: https://github.com/indigo-dc/oidc-agent/blob/0f237ef6c0ca04d83a762a65db378b11a8097e28/src/utils/file_io/safefile/safe_is_path_trusted.c#L1282 and this leads to exit with error. I'll try to figure out why this happens; perhaps this will be of some help.
Okay, so it seems to fail because the tmp dir has gid = 0 which is not in the trusted gid list. This causes the is_untrusted_gid_writable to be set to 1 and consequently fail the safety check.
https://github.com/indigo-dc/oidc-agent/blob/0f237ef6c0ca04d83a762a65db378b11a8097e28/src/utils/file_io/safefile/safe_is_path_trusted.c#L88
(at least I think it's the tmp directory that fails and not /)
FYI after adding 0 to trusted_gids here https://github.com/indigo-dc/oidc-agent/blob/prerel/src/utils/file_io/safefile/check_file_path.c#L30 and running the command you provided (eval $(oidc-agent -a /tmp/oidc-agent-service-1000/oidc-agent.sock)) it works. If I am not mistaken the problem is that both / and /tmp have gid=0 and it is not on the list.
If I run it without the -a switch I get a file not found error, but I guess it's something else (it seems to use /tmp/oidc-XXXXXX path by default now).
If you'd like me to I can prepare a PR with this change, although I do not know if this is the preferred solution.
Sorry for the long delay. I must have missed your responses and completely forgot about this.
It sounds reasonable to add 0 to the trusted gids; it also rings a bell that I added such an exception at some point; but I cannot find it anywhere.
So yes, I'm happy to merge if you submit a PR for this @wsusrasp. Otherwise I can also add it myself.