Bug 2222816

Summary: Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work
Product: Red Hat Satellite
Reporter: Joniel Pasqualetto <jpasqual>
Component: Remote Execution
Assignee: Adam Ruzicka <aruzicka>
Status: ASSIGNED
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Priority: unspecified
Version: 6.12.4
CC: aruzicka, rlavi
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Joniel Pasqualetto 2023-07-13 20:40:05 UTC
Description of problem:
When using a remote_execution_ssh_user other than root and allowing the user to run only specific commands (via sudoers configuration), it is required to add /usr/bin/true to the list of allowed commands for REX to work.

Version-Release number of selected component (if applicable):
6.12

How reproducible:
Always

Steps to Reproduce:
1. Configure remote_execution_ssh_user to be a non-root user
2. Configure sudoers like below:

Cmnd_Alias      SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ *,!/var/tmp/foreman-ssh-cmd-*..*
SATUSER         ALL=NOPASSWD:SATCMNDS

3. Run any REX job

Actual results:

On the task, I got this error:

~~~
   1:
Error initializing command: RuntimeError - Failed to change to effective user, exit code: 1
   2:
Exit status: EXCEPTION
~~~

On the target host, in /var/log/secure:

~~~
Jul 13 20:33:54 josh-medling sshd[2984]: Postponed publickey for rexuser from 192.168.100.100 port 59356 ssh2 [preauth]
Jul 13 20:33:54 josh-medling sshd[2984]: Accepted publickey for rexuser from 192.168.100.100 port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
Jul 13 20:33:54 josh-medling sshd[2984]: pam_unix(sshd:session): session opened for user rexuser by (uid=0)
Jul 13 20:33:55 josh-medling unix_chkpwd[3129]: password check failed for user (rexuser)
Jul 13 20:33:55 josh-medling sudo[3104]: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost=  user=rexuser
Jul 13 20:33:56 josh-medling unix_chkpwd[3131]: password check failed for user (rexuser)
Jul 13 20:33:58 josh-medling unix_chkpwd[3133]: password check failed for user (rexuser)
Jul 13 20:34:00 josh-medling sudo[3104]: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true
~~~

Expected results:
No special sudo permissions required.

Additional info:

These preflight tests were introduced to solve this issue [1] and only landed in Satellite 6.12. Customers that have restrictions on the commands that REX users can run with sudo will hit it when they get to 6.12.


[1]: https://projects.theforeman.org/issues/34363

Comment 1 Adam Ruzicka 2023-07-17 08:46:57 UTC
Any suggestions how to pull this off without losing the fix for https://projects.theforeman.org/issues/34363 ?

Comment 2 Joniel Pasqualetto 2023-07-18 13:02:28 UTC
Deal with the "test" and "effective-user-test" scripts the same way we deal with the actual REX script.

Put the commands you want to run (in this case, just "true") inside them and use the script wrapper to run it.

This way, we'll simulate exactly (except for the content of the script) what REX will be doing.
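
As an added example, not part of the bug report and not Satellite or foreman_remote_execution code: a shell script that compares the two preflight strategies discussed in this bug under a policy shaped like the reporter's Cmnd_Alias. mock_sudo is a stand-in for "sudo -n" that only mirrors the intent of that alias (argument-less /var/tmp/foreman-ssh-cmd-<id>/script, no ".." in the path); it is not sudo's matcher. REX_BASE, mock_sudo, preflight_direct and preflight_via_script are names chosen here, and the /var/tmp default is assumed from the alias in the report.

```shell
#!/bin/bash
# Added example (not Satellite/foreman code): emulate the reporter's sudoers
# policy and compare the two preflight strategies discussed in this bug.

# Where the REX script wrapper drops per-job scripts; /var/tmp is assumed from
# the Cmnd_Alias in the report. Override to run in a scratch directory.
REX_BASE="${REX_BASE:-/var/tmp}"

# mock_sudo: a stand-in for "sudo -n" under
#   Cmnd_Alias SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!...\ *,!...\.\.*
# It allows exactly one shape of command: <REX_BASE>/foreman-ssh-cmd-<id>/script,
# run with no arguments and with no ".." anywhere in the path. It models the
# policy's intent, not sudo's matching engine.
mock_sudo() {
    local cmd="$1"
    shift
    if [ "$#" -ne 0 ]; then
        echo "mock_sudo: $cmd : arguments are not allowed" >&2
        return 1
    fi
    case "$cmd" in
        *..*)
            echo "mock_sudo: $cmd : '..' is not allowed" >&2
            return 1 ;;
        "$REX_BASE"/foreman-ssh-cmd-*/script)
            # sudoers wildcards never match '/', so reject if <id> contains one.
            local id="${cmd#"$REX_BASE"/foreman-ssh-cmd-}"
            id="${id%/script}"
            case "$id" in
                */*) echo "mock_sudo: $cmd : command not allowed" >&2; return 1 ;;
            esac
            "$cmd" ;;
        *)
            echo "mock_sudo: $cmd : command not allowed" >&2
            return 1 ;;
    esac
}

# Satellite 6.12 preflight: call the test binary directly through sudo.
# Under the policy above this reproduces the "command not allowed" in the log.
preflight_direct() {
    mock_sudo /usr/bin/true
}

# Comment 2's proposal: put "true" into a job script under the same path
# pattern a real REX job uses and run that through sudo instead.
preflight_via_script() {
    local jobdir rc
    jobdir="$(mktemp -d "$REX_BASE/foreman-ssh-cmd-XXXXXX")" || return 2
    printf '#!/bin/sh\ntrue\n' > "$jobdir/script"
    chmod 0700 "$jobdir/script"
    mock_sudo "$jobdir/script"
    rc=$?
    rm -rf "$jobdir"
    return "$rc"
}

# Stand-alone demonstration: the two checks are expected to disagree.
for check in preflight_direct preflight_via_script; do
    if "$check"; then
        echo "$check: allowed by policy"
    else
        echo "$check: denied by policy"
    fi
done
```

Run it as an unprivileged user; set REX_BASE to a scratch directory if /var/tmp is not writable. The point it makes is the one in comment 2: a preflight that goes through the same path pattern as a real job is accepted by whatever sudoers rule already lets jobs run, while a direct /usr/bin/true needs an extra rule.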

Comment 3 Adam Ruzicka 2023-08-07 15:16:17 UTC
Created redmine issue https://projects.theforeman.org/issues/36647 from this bug