
Missing user and group information for domain users

Open gentooise opened this issue 1 year ago • 1 comments

Indicate project libsysflow

Describe the bug The user name is not reported for domain users.

To reproduce Steps to reproduce the behavior (on an Ubuntu 22):

  1. Set up LDAP (used local IP as LDAP server name): https://ubuntu.com/server/docs/install-and-configure-ldap
  2. Enable TLS (required by SSSD): https://ubuntu.com/server/docs/ldap-and-transport-layer-security-tls
  3. Set up SSSD with LDAP: https://ubuntu.com/server/docs/how-to-set-up-sssd-with-ldap
  4. Log in with the newly created LDAP user and run commands (e.g. whoami, ls)

Expected behavior Events are reported with the correct user name and group, like

Environment (please complete the following information):

  • OS: Ubuntu 22.04, 5.15.0-69-generic
  • SysFlow version: 0.6.3

Additional context getpwuid and getgrgid standard C functions might be used to retrieve user/group information from uid/gid:

  • https://pubs.opengroup.org/onlinepubs/009604499/functions/getpwuid.html
  • https://pubs.opengroup.org/onlinepubs/009604499/functions/getgrgid.html

Should also fix the related issue: https://github.com/sysflow-telemetry/sysflow/issues/109

Files

****************************************************************
Header: Exporter , IP , File name 
Process: PID 103194 Creation Time, 1713946076546863602, Exe /usr/bin/whoami, Exe Args , User Name <NA>, Group Name <NA>, TTY 1
Proc Evt: TID 103194, OpFlags 2, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 103195 Creation Time, 1713946077821078567, Exe /usr/bin/ls, Exe Args --color=auto, User Name <NA>, Group Name <NA>, TTY 1
Proc Evt: TID 103195, OpFlags 2, Ret 0
****************************************************************

gentooise, Apr 24 '24 08:04

After analysis and workaround implementation on the consumer side, I would like to share a piece of information if you plan to resolve this. The musl implementation of getpwuid differs from glibc and cannot be used to resolve the issue as I initially thought.

  • musl just looks into /etc/passwd: https://github.com/rofl0r/musl/blob/master/src/passwd/getpw_r.c
  • glibc leverages nss lookup: https://github.com/lattera/glibc/blob/master/pwd/getpwuid_r.c (https://en.wikipedia.org/wiki/Name_Service_Switch), so it also supports domain users

musl specifically does not use nss itself because it's not compatible with static linking and because loading arbitrary module libraries into the calling process's core is not safe and goes against best practices.

gentooise, May 13 '24 16:05
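
An added example, not part of the issue thread and not libsysflow code: uid/gid resolution with getpwuid_r and getgrgid_r (the reentrant variants of the functions suggested in the issue), falling back to the <NA> placeholder when no entry is found. The helper names, the buffer cap and the fallback policy are assumptions; as the second comment notes, domain users resolve this way only when the libc consults NSS.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define NA "<NA>"           /* placeholder seen in the SysFlow output above */
#define MAX_BUF (1u << 20)  /* assumed cap on the lookup buffer */

/* Return 0 and copy the name, or return 1 and leave NA in out. The buffer is
 * doubled while libc reports ERANGE, since directory entries can be large.
 * Domain ids resolve only if libc consults NSS (dynamically linked glibc). */
int uid_to_name(uid_t uid, char *out, size_t outlen) {
    struct passwd pw, *res = NULL;
    char *buf = NULL, *tmp;
    int rc = ERANGE;
    snprintf(out, outlen, "%s", NA);
    for (size_t len = 1024; rc == ERANGE && len <= MAX_BUF; len *= 2) {
        if ((tmp = realloc(buf, len)) == NULL) break;
        buf = tmp;
        rc = getpwuid_r(uid, &pw, buf, len, &res);
    }
    if (rc == 0 && res) snprintf(out, outlen, "%s", res->pw_name);
    free(buf);
    return (rc == 0 && res) ? 0 : 1;
}

int gid_to_name(gid_t gid, char *out, size_t outlen) {
    struct group gr, *res = NULL;
    char *buf = NULL, *tmp;
    int rc = ERANGE;
    snprintf(out, outlen, "%s", NA);
    for (size_t len = 1024; rc == ERANGE && len <= MAX_BUF; len *= 2) {
        if ((tmp = realloc(buf, len)) == NULL) break;
        buf = tmp;
        rc = getgrgid_r(gid, &gr, buf, len, &res);
    }
    if (rc == 0 && res) snprintf(out, outlen, "%s", res->gr_name);
    free(buf);
    return (rc == 0 && res) ? 0 : 1;
}

int main(void) {
    char user[256], group[256];
    uid_to_name(getuid(), user, sizeof user);
    gid_to_name(getgid(), group, sizeof group);
    return printf("User Name %s, Group Name %s\n", user, group) < 0;
}
```

Run as the LDAP user from the reproduction steps, a dynamically linked glibc build prints the domain user and group names, while a build against a libc that reads only /etc/passwd prints <NA> for both.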