Bug 1895015

Summary: Bad permissions in /etc/sudoers.d drop-in files
Product: Red Hat Enterprise Virtualization Manager Reporter: Juan Orti <jortialc>
Component: vdsm Assignee: Marcin Sobczyk <msobczyk>
Status: CLOSED ERRATA QA Contact: Yaning Wang <yaniwang>
Severity: low Docs Contact:
Priority: low    
Version: 4.3.11 CC: lsurette, mavital, mperina, srevivo, ycui
Target Milestone: ovirt-4.4.4 Keywords: ZStream
Target Release: 4.4.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: vdsm-4.40.38 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-02 13:59:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Juan Orti 2020-11-05 15:07:16 UTC
Description of problem:
The sudoers configuration files are expected to have 0440 permissions, but these two files are 0644:

# visudo -cs
/etc/sudoers: parsed OK
/etc/sudoers.d/50_vdsm: bad permissions, should be mode 0440
/etc/sudoers.d/50_vdsm_hook_openstacknet: parsed OK
/etc/sudoers.d/50_vdsm_hook_ovirt_provider_ovn_hook: bad permissions, should be mode 0440
/etc/sudoers.d/50_vdsm_hook_vhostmd: parsed OK
/etc/sudoers.d/60_ovirt-ha: parsed OK

# rpm -qlv ovirt-provider-ovn-driver |grep sudoers
-rw-r--r--    1 root    root                      564 dic 17  2019 /etc/sudoers.d/50_vdsm_hook_ovirt_provider_ovn_hook

# rpm -qlv vdsm |grep sudoers
-rw-r--r--    1 root    root                      581 jul  9 13:16 /etc/sudoers.d/50_vdsm


Version-Release number of selected component (if applicable):
vdsm-4.30.50-1.el7ev.x86_64
ovirt-provider-ovn-driver-1.2.29-1.el7ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. In a RHVH 4.3.11 host:
# ls -la /etc/sudoers.d/

Actual results:
Some files with 0644 permissions.

Expected results:
Sudoers drop-in configuration files are expected to have 0440 permissions.

Additional info:
Also seen in latest RHV 4.4:

vdsm-4.40.26.3-1.el8ev.x86_64
ovirt-provider-ovn-driver-1.2.30-1.el8ev.noarch
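
Added example (not part of the bug report or of the vdsm packaging): a POSIX shell function that lists drop-in files whose mode differs from the 0440 that `visudo -cs` expects in the output above. The names `audit_sudoers_modes` and `demo` are hypothetical, the demo directory is constructed, and `stat -c` assumes GNU coreutils (with a BSD `stat -f` fallback).

```shell
#!/bin/sh
# Added example: report sudoers drop-ins whose mode is not 0440.

# audit_sudoers_modes [DIR]
#   Prints "MODE PATH" for every regular file in DIR that is not mode 0440.
#   Returns 0 if all are 0440, 1 if any differ, 2 if DIR cannot be checked.
audit_sudoers_modes() {
    dir=${1:-/etc/sudoers.d}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    bad=0
    for f in "$dir"/*; do
        # Skip an unmatched glob, subdirectories and symlinks.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        # Octal permission bits, e.g. 644 (GNU stat first, BSD stat as fallback).
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 2
        if [ "$mode" != "440" ]; then
            printf '%s %s\n' "$mode" "$f"
            bad=1
        fi
    done
    return "$bad"
}

# demo: constructed directory reusing two file names and modes from the report.
demo() {
    tmp=$(mktemp -d) || return 2
    : > "$tmp/50_vdsm";              chmod 0644 "$tmp/50_vdsm"
    : > "$tmp/50_vdsm_hook_vhostmd"; chmod 0440 "$tmp/50_vdsm_hook_vhostmd"
    rc=0
    audit_sudoers_modes "$tmp" || rc=$?   # prints the 0644 file, rc becomes 1
    rm -rf "$tmp"
    return "$rc"
}
```

On a host, `audit_sudoers_modes /etc/sudoers.d` run as root gives a non-zero exit status that a configuration-compliance job can act on.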

Comment 8 errata-xmlrpc 2021-02-02 13:59:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.4]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0382

Comment 9 meital avital 2022-07-20 07:30:32 UTC
Due to QE capacity, we are not going to cover this issue in our automation.