Bug 2222816

Summary: Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work
Product: Red Hat Satellite
Reporter: Joniel Pasqualetto <jpasqual>
Component: Remote Execution
Assignee: Adam Ruzicka <aruzicka>
Status: CLOSED ERRATA
QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: medium
Priority: unspecified
Version: 6.12.4
CC: aruzicka, iballou, jbhatia, mkalyat, pcreech, pmoravec, rlavi, saydas, smallamp
Target Milestone: 6.15.0
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rubygem-smart_proxy_remote_execution_ssh-0.10.3
Doc Type: If docs needed, set a value
Last Closed: 2024-04-23 17:11:40 UTC
Type: Bug

Attachments:
Hotfix RPM for Satellite 6.13.7 (flags: none)
Hotfix RPM for Satellite 6.14.4 (flags: none)

Description Joniel Pasqualetto 2023-07-13 20:40:05 UTC
Description of problem:
When using a remote_execution_ssh_user different from root and allowing the user to run only specific commands (via sudoers configuration), it is required to add /usr/bin/true to the list of allowed commands for REX to work.

Version-Release number of selected component (if applicable):
6.12

How reproducible:
Always

Steps to Reproduce:
1. Configure remote_execution_ssh_user to be a non-root user
2. Configure sudoers like below:

Cmnd_Alias      SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ *,!/var/tmp/foreman-ssh-cmd-*..*
SATUSER         ALL=NOPASSWD:SATCMNDS

3. Run any REX job

Actual results:

On the task, got this error:

~~~
   1:
Error initializing command: RuntimeError - Failed to change to effective user, exit code: 1
   2:
Exit status: EXCEPTION
~~~

On the target host, on /var/log/secure:

~~~
Jul 13 20:33:54 josh-medling sshd[2984]: Postponed publickey for rexuser from 192.168.100.100 port 59356 ssh2 [preauth]
Jul 13 20:33:54 josh-medling sshd[2984]: Accepted publickey for rexuser from 192.168.100.100 port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
Jul 13 20:33:54 josh-medling sshd[2984]: pam_unix(sshd:session): session opened for user rexuser by (uid=0)
Jul 13 20:33:55 josh-medling unix_chkpwd[3129]: password check failed for user (rexuser)
Jul 13 20:33:55 josh-medling sudo[3104]: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost=  user=rexuser
Jul 13 20:33:56 josh-medling unix_chkpwd[3131]: password check failed for user (rexuser)
Jul 13 20:33:58 josh-medling unix_chkpwd[3133]: password check failed for user (rexuser)
Jul 13 20:34:00 josh-medling sudo[3104]: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true
~~~

Expected results:
No special sudo permissions should be required.

Additional info:

These preflight tests were introduced to solve this issue [1] and only landed in Satellite 6.12. Customers that have restrictions on the commands that rex users can run with sudo will hit it when they get to 6.12.


[1]: https://projects.theforeman.org/issues/34363

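Added example, not part of the bug report and not code from Satellite or smart_proxy_remote_execution_ssh: a small triage script for the target host that scans /var/log/secure-style lines for sudo "command not allowed" events and counts the pam_unix(sudo:auth) failures sudo logged for the same PID beforehand. That pairing is the signature of the problem above: when no NOPASSWD entry matches the command, sudo falls back to a password prompt (the unix_chkpwd failures), then logs the rejected COMMAND=. The sample input is the /var/log/secure excerpt from the description; the regexes assume the default syslog timestamp layout shown there and the standard sudo field names (TTY, PWD, USER, COMMAND).

```python
"""Find which command a restrictive sudoers Cmnd_Alias is rejecting for the REX user."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the /var/log/secure lines quoted in the bug description.
SAMPLE_SECURE_LOG = """\
Jul 13 20:33:54 josh-medling sshd[2984]: Accepted publickey for rexuser from 192.168.100.100 port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
Jul 13 20:33:54 josh-medling sshd[2984]: pam_unix(sshd:session): session opened for user rexuser by (uid=0)
Jul 13 20:33:55 josh-medling unix_chkpwd[3129]: password check failed for user (rexuser)
Jul 13 20:33:55 josh-medling sudo[3104]: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost=  user=rexuser
Jul 13 20:33:56 josh-medling unix_chkpwd[3131]: password check failed for user (rexuser)
Jul 13 20:33:58 josh-medling unix_chkpwd[3133]: password check failed for user (rexuser)
Jul 13 20:34:00 josh-medling sudo[3104]: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true
"""

# "Mon DD HH:MM:SS host sudo[pid]: message" (assumes the default rsyslog layout)
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sudo\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
DENIED = re.compile(r"^(?P<user>\S+) : command not allowed ; (?P<fields>.*)$")
AUTH_FAIL = re.compile(r"^pam_unix\(sudo:auth\): authentication failure;")
# KEY=value pairs separated by " ; "; COMMAND is last and may itself contain " ; "
FIELD = re.compile(r"(\w+)=(.*?)(?= ; \w+=|$)")


@dataclass
class SudoDenial:
    ts: str
    host: str
    pid: int
    user: str          # who ran sudo (the remote_execution_ssh_user)
    target_user: str   # USER= in the log (the REX effective user)
    command: str       # COMMAND= in the log, i.e. what sudoers has to permit
    fields: dict
    auth_failures: int # password prompts sudo fell back to before denying


def parse_sudo_fields(text):
    """Split 'TTY=pts/1 ; PWD=/x ; USER=root ; COMMAND=/bin/true' into a dict."""
    return dict(FIELD.findall(text))


def find_sudo_denials(lines):
    """Return one SudoDenial per 'command not allowed' line, in log order."""
    failures = defaultdict(int)   # sudo pid -> auth failures seen so far
    denials = []
    for line in lines:
        m = SUDO_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        if AUTH_FAIL.match(msg):
            failures[pid] += 1
            continue
        d = DENIED.match(msg)
        if d:
            f = parse_sudo_fields(d["fields"])
            denials.append(SudoDenial(
                m["ts"], m["host"], pid, d["user"],
                f.get("USER", ""), f.get("COMMAND", ""), f, failures.pop(pid, 0),
            ))
    return denials


def report(lines):
    """Human-readable summary: one line per rejected sudo command."""
    out = []
    for d in find_sudo_denials(lines):
        note = ""
        if d.auth_failures:
            note = (f" (sudo fell back to a password prompt, {d.auth_failures} failure(s):"
                    " no NOPASSWD entry matched this command)")
        out.append(f"{d.ts} {d.host}: sudo denied {d.user} -> {d.target_user}: "
                   f"{d.command}{note}")
    return out


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SECURE_LOG.splitlines()
    for line in report(src):
        print(line)
```

Run it against a real file with `python3 rex_sudo_triage.py /var/log/secure`; on the sample it reports that rexuser was denied `/bin/true` as root after one failed password prompt, which is the command the Cmnd_Alias in the description never lists.
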
Comment 1 Adam Ruzicka 2023-07-17 08:46:57 UTC
Any suggestions how to pull this off without losing the fix for https://projects.theforeman.org/issues/34363 ?

Comment 2 Joniel Pasqualetto 2023-07-18 13:02:28 UTC
Deal with the "test" and "effective-user-test" scripts the same way we deal with the actual REX script.

Put the commands you want to run (in this case, just "true") inside them and use the script wrapper to run it.

This way, we'll simulate exactly (except for the content of the script) what the REX will be doing.

Comment 3 Adam Ruzicka 2023-08-07 15:16:17 UTC
Created redmine issue https://projects.theforeman.org/issues/36647 from this bug

Comment 4 Brad Buckingham 2023-10-30 11:29:29 UTC
Bulk setting Target Milestone = 6.15.0 where sat-6.15.0+ is set.

Comment 5 Bryan Kearney 2023-11-10 20:02:31 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/36647 has been resolved.

Comment 6 Lukáš Hellebrandt 2023-12-11 12:52:35 UTC
Verified with Sat 6.15 snap 1.0

1)
On the host:
# useradd SATUSER
# passwd SATUSER
# visudo
# grep SATCMNDS /etc/sudoers 
Cmnd_Alias      SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ *,!/var/tmp/foreman-ssh-cmd-*..*
SATUSER         ALL=NOPASSWD:SATCMNDS

2)
In WebUI:
Administer -> Settings
Search for "remote_execution_ssh_user"
Set it to SATUSER

3)
Run the REX job against the host:
Template: Script default
Command: echo $(whoami),$(date) >> /tmp/test
Effective user: root

4)
# cat /tmp/test
root,Mon Dec 11 07:45:04 EST 2023

5)
On Satellite, empty output:
# grep "command not allowed" /var/log/foreman/production.log


QED

6)
To verify that the user was indeed used:
# userdel SATUSER

7)
Do 3) again, the job should fail:
```
Error initializing command: RuntimeError - Could not establish connection to remote host using any available authentication method, tried publickey
Exit status: EXCEPTION
StandardError: Job execution failed

```

Comment 9 errata-xmlrpc 2024-04-23 17:11:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.15.0 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:2010

Comment 12 Ian Ballou 2024-05-15 19:08:00 UTC
Created attachment 2033427 [details]
Hotfix RPM for Satellite 6.13.7

A hotfix RPM is available for this BZ for Satellite 6.13.7 on RHEL 8

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.13.7 server

2. Download the hotfix RPM from this attachment

3. # dnf install ./rubygem-smart_proxy_remote_execution_ssh-0.10.3-1.HOTFIXRHBZ2222816.el8sat.noarch.rpm --disableplugin=foreman-protector

4. # satellite-maintain service restart

Comment 13 Ian Ballou 2024-05-15 19:27:13 UTC
Created attachment 2033428 [details]
Hotfix RPM for Satellite 6.14.4

A hotfix RPM is available for this BZ for Satellite 6.14.4 on RHEL 8

This hotfix RPM is the same as for Satellite 6.13.7

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.14.4 server

2. Download the hotfix RPM from this attachment

3. # dnf install ./rubygem-smart_proxy_remote_execution_ssh-0.10.3-1.HOTFIXRHBZ2222816.el8sat.noarch.rpm --disableplugin=foreman-protector

4. # satellite-maintain service restart

Comment 14 Sudhir Mallamprabhakara 2024-05-16 14:58:44 UTC
Jayant,

Can you check with the customer if the provided hotfix helped?

-Sudhir