Bug 1278202

Summary: Permission denied errors when logging in with non-root users
Product: Red Hat CloudForms Management Engine Reporter: Jared Deubel <jdeubel>
Component: ApplianceAssignee: Jason Frey <jfrey>
Status: CLOSED ERRATA QA Contact: Milan Falešník <mfalesni>
Severity: high Docs Contact:
Priority: high    
Version: 5.4.0CC: abellott, cpelland, jhardy, mfalesni, mfeifer, obarenbo, simaishi, ssainkar, tcarlin
Target Milestone: GA   
Target Release: 5.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 5.5.0.11 Doc Type: Bug Fix
Doc Text:
Previously, there were permission denied errors when logging in with non-root users. This patch fixes the cfme-gemset RPM spec by separating the parts of the enable script that are for one-time setup into a setup script, and calling the setup script from the kickstart.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-08 13:44:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jared Deubel 2015-11-04 22:52:51 UTC 
Description of problem:

When logging in as a non-root user permission denied errors fill screen. 


Output:
====================================================
rm: cannot remove `/var/www/miq/vmdb/Gemfile.lock': Permission denied
ln: creating symbolic link `/var/www/miq/vmdb/Gemfile.lock': File exists
rm: cannot remove `/var/www/miq/vmdb/.bundle': Permission denied
ln: creating symbolic link `/var/www/miq/vmdb/.bundle/.bundle': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/xsd2ruby.rb': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/ri': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/ziyafy': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/fission': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/thin': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rake': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/aws-rb': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/httpclient': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/nokogiri': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/tt': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rubyrep': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/oauth': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/fog': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/scss': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rdoc': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/thor': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/lessc': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/restclient': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/user_agent_parser': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/sprockets': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/techbook': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/sass': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/bundler': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rackup': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rails': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/haml': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/wsdl2ruby.rb': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/erubis': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/sass-convert': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/tilt': Permission denied
cp: cannot create directory `/var/www/miq/vmdb/bin/bin': Permission denied
====================================================

The file under /etc/profile.d called evm.sh:

[test@test_01 profile.d]$ cat evm.sh
[[ -s "/etc/default/evm" ]] && source "/etc/default/evm"

# Aliases:
alias vmdb='cd /var/www/miq/vmdb'


Under /etc/default/evm there are three scripts 
====================================================
[test@test_01 default]$ ls -lrth
total 8.0K
-rw-------. 1 root root  119 Mar 27  2015 useradd
-rw-r--r--. 1 root root 1.8K Aug 26 06:07 nss
lrwxrwxrwx. 1 root root   40 Oct 29 18:00 evm -> /var/www/miq/system/LINK/etc/default/evm
lrwxrwxrwx. 1 root root   55 Oct 29 18:00 evm_productization -> /var/www/miq/system/LINK/etc/default/evm_productization
lrwxrwxrwx. 1 root root   48 Oct 29 18:00 evm_bundler -> /var/www/miq/system/LINK/etc/default/evm_bundler
====================================================

When digging deeper and sourcing /etc/default/evm_productization it appears that sourcing /opt/rh/cfme-gemset/enable is the culprit (shown below)
====================================================
[test@dhcp181-37 default]$ cat evm_productization 
[[ -s /opt/rh/ruby200/enable ]] && source /opt/rh/ruby200/enable
[[ -s /opt/rh/v8314/enable ]] && source /opt/rh/v8314/enable
[[ -s /opt/rh/cfme-gemset/enable ]] && source /opt/rh/cfme-gemset/enable
====================================================

It seems that this file should not be sourced and should not be run on every user login as this could cause issues. Also, why is this being run while logging in as a non-root user?


Version-Release number of selected component (if applicable):
5.4

How reproducible:
100%
Comment 2 Jason Frey 2015-11-05 15:51:22 UTC 
Jared,

What is the use case for logging in as a non-root user?
Comment 3 Jared Deubel 2015-11-06 21:20:04 UTC 
Root logins are disabled on there systems, users log in and issue commands via sudo.
Comment 4 Jason Frey 2015-11-17 22:31:02 UTC 
Related to BZ1278076

Fixed in our cfme-gemset RPM spec by separating the parts of the enable script that are really for one-time setup into a setup script, and calling the setup script from the kickstart.

http://pkgs.devel.redhat.com/cgit/rpms/cfme-gemset/commit/?h=cfme-rh-ruby22-5.5-rhel-7&id=1786f29bfbd65ad2306a993b6c9d2fb467fb9cf8
http://pkgs.devel.redhat.com/cgit/rpms/cfme-appliance/commit/?h=cfme-5.5-rhel-7&id=68780064a4dd1259a35d3794a16cd05ac0a32111
Comment 5 Milan Falešník 2015-11-19 16:29:02 UTC 
Verified in 5.5.0.11
Comment 7 errata-xmlrpc 2015-12-08 13:44:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2551