Skip to content

Avoid race conditions in getHostUsers#61218

Merged
espadolini merged 3 commits intomasterfrom
espadolini/gethostusers-lock
Nov 11, 2025
Merged

Avoid race conditions in getHostUsers#61218
espadolini merged 3 commits intomasterfrom
espadolini/gethostusers-lock

Conversation

@espadolini
Copy link
Copy Markdown
Contributor

@espadolini espadolini commented Nov 11, 2025
edited
Loading

This PR fixes a race condition in the implementation of secretsscanner/authorizedkeys.getHostUsers around the use of getpwent. On darwin, getpwent uses thread-local storage but we were not locking the goroutine running the getpwent loop in a single thread, potentially returning duplicated users if the goroutine changed thread, even with a single copy running. On linux there would be a race if we ever ran two parallel copies of getHostUsers, which doesn't affect agents but might affect tests or might be triggered by code changes in the future, so this PR also adds protections around that.

changelog: fixed rare error in the authorized_keys secret scanner when running the Teleport agent on MacOS

@espadolini espadolini requested a review from tigrato November 11, 2025 14:46
tigrato
tigrato approved these changes Nov 11, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@tigrato tigrato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @espadolini

codingllama
codingllama reviewed Nov 11, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@codingllama codingllama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a few Qs.

Comment thread lib/secretsscanner/authorizedkeys/users_list_darwin.go
Comment thread lib/secretsscanner/authorizedkeys/users_list_darwin.go Outdated
Comment thread lib/secretsscanner/authorizedkeys/users_list_linux.go
Comment thread lib/secretsscanner/authorizedkeys/users_list_other.go
@codingllama
Copy link
Copy Markdown
Contributor

codingllama commented Nov 11, 2025

Maybe add a changelog?

@espadolini @codingllama
Copy pw_name once
eb4cb1c 
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
@espadolini espadolini added this pull request to the merge queue Nov 11, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 11, 2025
@espadolini espadolini added this pull request to the merge queue Nov 11, 2025
@espadolini espadolini removed this pull request from the merge queue due to a manual request Nov 11, 2025
@espadolini espadolini added this pull request to the merge queue Nov 11, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 11, 2025
@espadolini espadolini added this pull request to the merge queue Nov 11, 2025
Merged via the queue into master with commit 4b80185 Nov 11, 2025
41 checks passed
@espadolini espadolini deleted the espadolini/gethostusers-lock branch November 11, 2025 23:51
@backport-bot-workflows
Copy link
Copy Markdown
Contributor

backport-bot-workflows bot commented Nov 11, 2025

@espadolini See the table below for backport results.

Branch Result
branch/v17 Create PR
branch/v18 Create PR

This was referenced Nov 12, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@codingllama codingllama codingllama approved these changes

@tigrato tigrato tigrato approved these changes

Assignees

No one assigned

Labels

backport/branch/v17 backport/branch/v18 size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@espadolini @codingllama @tigrato