Bug 985608
| Summary: | Request that the bootstrap/deploy script check /etc/sudoers for the includedir line | | |
|---|---|---|---|
| Product: | [oVirt] otopi | Reporter: | Michael Everette <meverett> |
| Component: | RFEs | Assignee: | Alon Bar-Lev <alonbl> |
| Status: | CLOSED WONTFIX | QA Contact: | Haim <hateya> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | --- | CC: | acathrow, bazulay, bugs, danken, dougsland, hateya, iheim, lpeer, Rhev-m-bugs, yeylon |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | infra | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-08-08 10:30:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Michael Everette
2013-07-17 21:10:17 UTC
This doesn't strike me as a security problem. It's a configuration problem. I imagine there is something important in the /etc/sudoers.d/ directory that is no longer being referenced because the customer removed that includedir directive. They should really be looking to see if there is something necessary in there before removing configuration directives (somewhat like Apache won't necessarily work well if you start removing its config files too).

(In reply to Vincent Danen from comment #1)
> I imagine there is something important in the /etc/sudoers.d/ directory that
> is no longer being referenced...

Indeed, vdsm puts /etc/sudoers.d/50_vdsm there, and cannot work without this file being inlined by sudo. It makes sense that ovirt-host-deploy fails installation if it cannot find the "#includedir" line in /etc/sudoers. However, there are uncountable other host (mis)configurations which are equally capable of killing vdsm. I am in favor of fixing this one mostly because older sudoers files used to lack #includedir, so enterprises may like it.

ovirt-host-deploy is not a system validation tool. It cannot check every single component for validity. We do not have the resources to write a system validation tool. An administrator should not remove system drop dirs; he can add his own, but he is on his own when removing. I do not know when /etc/sudoers.d was not included by default in RHEL; however, host-deploy did not touch the sudoers configuration, so there is no known issue here. I tend to close this as WONTFIX.

If a sysadmin modifies his system to ignore basic/documented locations, he is responsible for any breakage. Modifying the sudo configuration is one example; another is modifying logrotate, or even /etc/profile in a way that will conflict with software, or changing /etc/security, or renaming the root user. The role of ovirt-host-deploy is to simplify host installation, not to be an AI and try to guess whether manual changes by the admin can affect the outcome.
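
The check requested in this bug, sketched as an added example for administrators to run before deploying a host; it is not part of the thread and is not ovirt-host-deploy or vdsm code. The function names are hypothetical, and the paths default to the /etc/sudoers, /etc/sudoers.d and 50_vdsm named above.

```shell
#!/bin/sh
# Added example (not ovirt-host-deploy code). Function names are hypothetical.

# sudoers_includes_dir FILE DIR -> 0 if FILE has an active includedir for DIR.
sudoers_includes_dir() {
    file=$1
    want=${2%/}                       # compare without a trailing slash
    [ -r "$file" ] || return 2
    # "#includedir" (no space after '#') is a directive; "# includedir" is a
    # comment. sudo 1.9.1+ also accepts "@includedir". Matched at column 0 only,
    # the conservative choice for a pre-flight check.
    awk -v want="$want" '
        /^[#@]includedir[ \t]+/ {
            line = $0
            sub(/^[#@]includedir[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)      # trailing blanks
            gsub(/^"|"$/, "", line)       # optional double quotes
            sub(/\/$/, "", line)          # trailing slash
            if (line == want) found = 1
        }
        END { exit(found ? 0 : 1) }' "$file"
}

# sudo skips drop-in files whose name ends in "~" or contains a ".".
dropin_is_read() {
    case $1 in *.*|*~) return 1 ;; *) return 0 ;; esac
}

# check_vdsm_sudoers [SUDOERS] [DIR] [NAME]: all three conditions must hold.
check_vdsm_sudoers() {
    sudoers=${1:-/etc/sudoers} dir=${2:-/etc/sudoers.d} name=${3:-50_vdsm}
    sudoers_includes_dir "$sudoers" "$dir" ||
        { echo "no active includedir for $dir in $sudoers" >&2; return 1; }
    dropin_is_read "$name" ||
        { echo "sudo would skip $name (name has '.' or ends in '~')" >&2; return 1; }
    [ -f "$dir/$name" ] || { echo "$dir/$name is missing" >&2; return 1; }
}

# Constructed sample input: one sudoers file with the directive intact, one
# where it was turned into a plain comment.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sudoers.d" && : > "$tmp/sudoers.d/50_vdsm"
    printf 'root ALL=(ALL) ALL\n#includedir %s/sudoers.d\n' "$tmp" > "$tmp/intact"
    printf 'root ALL=(ALL) ALL\n# includedir %s/sudoers.d\n' "$tmp" > "$tmp/removed"
    for f in intact removed; do
        if check_vdsm_sudoers "$tmp/$f" "$tmp/sudoers.d" 2>/dev/null
        then echo "$f: ok"; else echo "$f: FAIL"; fi
    done
    rm -rf "$tmp"
}
```

Run with no arguments, `check_vdsm_sudoers` inspects the real /etc/sudoers, which normally requires root to read; `visudo -c` remains the tool for validating sudoers syntax as a whole.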