Bug 491896
| Summary: | Sudoers commands called from tomcat should be split off those called from apache | ||
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Jan Pazdziora <jpazdziora> |
| Component: | Server | Assignee: | Jan Pazdziora <jpazdziora> |
| Status: | CLOSED WONTFIX | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 530 | CC: | cperry |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-05-09 10:37:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 462714 | ||
Punting as requested. We have not addressed this specific bug in over 5 years years. This does not seem to have an active customer case with the bug report either. Closing out as wontfix to clear from backlog. Please re-open if you disagree and wish further review. Cliff |
Description of problem: As of Satellite-5.3.0-RHEL5-re20090323.0, the Satellite-specific part of /etc/sudoers after installation is ## RHN specifics ## Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\ /usr/bin/rhn-config-satellite.pl,\ /usr/bin/rhn-satellite-activate,\ /usr/bin/rhn-bootstrap,\ /usr/bin/rhn-load-ssl-cert.pl,\ /usr/bin/rhn-ssl-tool,\ /etc/rc.d/np.d/step Monitoring install,\ /etc/rc.d/np.d/step MonitoringScout install,\ /etc/rc.d/np.d/step Monitoring uninstall,\ /etc/rc.d/np.d/step MonitoringScout uninstall,\ /sbin/service Monitoring restart,\ /sbin/service MonitoringScout restart,\ /sbin/service taskomatic restart # The CONFIG_RHN commands are required for reconfiguration of a # running RHN Satellite. They should be enabled for proper operation # of the RHN Satellite. apache ALL=(root) NOPASSWD: CONFIG_RHN tomcat ALL=(root) NOPASSWD: CONFIG_RHN # These two directives allow tomcat and apache to invoke CONFIG_RHN # commands via sudo even without a real tty Defaults:tomcat !requiretty Defaults:apache !requiretty Thus, the same set of commands (CONFIG_RHN) is allowed to be called both from apache and from tomcat. This does not seem to be correct -- so far (thanks to SELinux catching the problem for us, bug 491687) I only know of one case when mod_perl (and thus apache user) is calling rhn-ssl-tool. The rest of the invocation paths seems to have been moved to Java code and thus is called from tomcat. We should decide if we want to harden the sudoers even more, for 5.3.0. Version-Release number of selected component (if applicable): Satellite-5.3.0-RHEL5-re20090323.0 How reproducible: Deterministic. Steps to Reproduce: 1. Look at /etc/sudoers after installing Satellite. Actual results: There is one, CONFIG_RHN, section, and apache ALL=(root) NOPASSWD: CONFIG_RHN tomcat ALL=(root) NOPASSWD: CONFIG_RHN lines giving access to whole CONFIG_RHN to both tomcat and apache users. Expected results: The file /etc/sudoers should have that CONFIG_RHN split to two parts, one for apache and one for tomcat, with possible small overlap. And Satellite should continue functioning. Additional info: Please, cast your preference of when to address this, by either aligning to 5.3.0 or to later version.