
Cannot start agent, socket path location is not trustworthy #603

Open
wsusrasp opened this issue Sep 12, 2024 · 11 comments

Comments

@wsusrasp

Hi. Recently my oidc-agent has stopped working, when running oidc-agent-service use or start i get:

Error: socket path location is not trustworthy
Error: Could not connect to oidc-agent

I am on Fedora 40, my installed oidc-agent is oidc-agent-cli-5.2.1-1.fc40.x86_64.
I have tried reinstalling it but it did not help.
Running the agent with sudo starts it but I was under the impression that it should not be required (or am I wrong?)

@zachmann
Member

This is not expected. We have implemented some logic to evaluate if the socket path location is trustworthy. Normally, this (of course) should be the case.

Can you try to start the agent with eval $(oidc-agent -a /tmp/oidc-agent-service-1000/oidc-agent.sock)? And see if that works.

@wsusrasp
Author

wsusrasp commented Sep 12, 2024

> This is not expected. We have implemented some logic to evaluate if the socket path location is trustworthy. Normally, this (of course) should be the case.
>
> Can you try to start the agent with eval $(oidc-agent -a /tmp/oidc-agent-service-1000/oidc-agent.sock)? And see if that works.

Thank you for fast response. Running the provided command yields the same results:

$ eval $(oidc-agent -a /tmp/oidc-agent-service-1000/oidc-agent.sock)
Error: socket path location is not trustworthy

If it will be of any help my tmp dir has following permissions: drwxrwxrwt., and the /tmp/oidc-agent-service-1000 has drwx------., I did also try rebooting and it didn't affect these.
But I also noticed that there is no oidc-agent.sock inside /tmp/oidc-agent-service-1000 directory.
When running the oidc-agent use as root the sock file is created in /tmp/oidc-agent-service-0.
If I can help in any way let me know. Thanks

@zachmann
Member

The permissions on /tmp look fine. What are the permissions on /tmp/oidc-agent-service-1000?
What happens if you rm it and create it manually?

@wsusrasp
Author

I have updated the comment with them (drwx------.), creating the directory manually sets it to drwxr-xr-x.. Running the command afterwards yields identical results (Socket path untrustworthy). The permissions are not modified and the sock file is not created.

@zachmann
Member

It's expected that the socket is not created. The agent first checks the path, and aborts if it is not trustworthy.

However, I currently don't know why it thinks so, since I have the same permissions.

@wsusrasp
Author

What I find weird is that it was working fine up until now and I didn't change anything in my system config recently.

@wsusrasp
Author

I've got the debugger working. Trying to figure out what exactly is happening, for now I've noticed that this line

int status = trust_matrix[parent_dir_trust][child_trust];
sets status to 0, which is then compared with the enum value SAFE_PATH_UNTRUSTED here:
if (status <= SAFE_PATH_UNTRUSTED) {
and this leads to exit with error. I'll try to figure out why this happens, perhaps this will be of some help.

@wsusrasp
Author

wsusrasp commented Sep 12, 2024

Okay, so it seems to fail because the tmp dir has gid = 0 which is not in the trusted gid list. This causes the is_untrusted_gid_writable to be set to 1 and consequently fail the safety check.

@wsusrasp
Author

(at least I think it's the tmp directory that fails and not /)

@wsusrasp
Author

wsusrasp commented Sep 12, 2024

FYI after adding 0 to trusted_gids here https://github.com/indigo-dc/oidc-agent/blob/prerel/src/utils/file_io/safefile/check_file_path.c#L30 and running the command you provided (eval $(oidc-agent -a /tmp/oidc-agent-service-1000/oidc-agent.sock)) it works. If I am not mistaken the problem is that both / and /tmp have gid=0 and it is not on the list.

If I run it without the -a switch I get a file not found error, but I guess it's something else (it seems to use a /tmp/oidc-XXXXXX path by default now).

If you'd like me to I can prepare a PR with this change, although I do not know if this is the preferred solution.

@zachmann
Member

Sorry for the long delay. I must have missed your responses and completely forgot about this.

It sounds reasonable to add 0 to the trusted gids; it also rings a bell that I added such an exception at some point; but I cannot find it anywhere.

So yes, I'm happy to merge if you submit a PR for this @wsusrasp. Otherwise I can also add it myself.
