Description of problem:
In the neutron spec, we have the following 'magic fix' for an incorrect sudoers file:

%postun
...
# Fix sudoers file on old installations
sed -i 's/^neutron ALL = (root) NOPASSWD: SETENV: \/usr\/bin\/neutron-rootwrap$/neutron ALL = (root) NOPASSWD: \/usr\/bin\/neutron-rootwrap \/etc\/neutron\/ro ...

This is there to force an update of a sudoers file that had a security issue before bug 1039817 was fixed. This 'magic fix' makes the TPS test fail, as in: http://nest.test.redhat.com/mnt/qa/scratch/stable-rhos5-rhel6-01/2014:17999/tps/tps-rpmtest.html

The sudoers file is a config file with a 'noreplace' tag, meaning that it is not replaced on package update if it was touched by a user. In that case, an .rpmnew file is created, and the user is expected to merge the new changes back into the config file. We should not change that. So the fix cited above should be removed.

Steps to Reproduce:
- install openstack-neutron-2013.2.1-1 or earlier.
- modify /etc/sudoers.d/neutron.
- upgrade it to openstack-neutron-2013.2.1-2.
- check that /etc/sudoers.d/neutron was modified on package update.

Expected results:
- /etc/sudoers.d/neutron should not be touched on package update. Instead, an .rpmnew file is created, and the user is expected to update the config file manually.
I've marked that bug for 'async' release because it blocks errata process for another CVE bug that is also async: https://bugzilla.redhat.com/show_bug.cgi?id=1108549
FYI the issue is not present in all branches for RDO.
> Expected results:
> - /etc/sudoers.d/neutron should not be touched on package update. Instead,
> .rpmnew file is created, and a user is expected to update the config file
> manually.

Expected result should be (for argumentation see bug 1039817 comment 16):
- /etc/sudoers.d/neutron should be updated with the new RPM content, ensuring the security issue is fixed
- an .rpmsave file is created in case there were local changes; the user is expected to use a separate sudoers file for custom changes
OK, we've had IRC discussion with both Neutron team and Alan, and we're now more keen to just drop that 'noreplace' tag, meaning any local changes to the file will be moved to .rpmsave on update. Moving back to ON_DEV to update spec for the new behaviour.
FYI Terry Wilson was concerned about removing 'noreplace' from the file because it may result in unexpected changes to users' config files in case they modified sudoers.d/neutron. We should make it explicit that the package update will require merging changes from .rpmsave, if any. See the doc text for an example of the description.
Note that the expected behavior of the changes from this bugzilla only takes place when upgrading from openstack-neutron-2013.2.3-14.el6ost to a later version of the package. Previous packages (for example openstack-neutron-2013.2.3-14.el6ost) have a 'sed' in the %postun scriptlet. RPM ordering means that the *new* neutron sudoers file is edited/touched by this sed script after the installation of the new package has completed, causing a timestamp mismatch after installation (if checked with 'rpm -V'). When upgrading from -14 to a later package, it's likely users will have to remove /etc/sudoers.d/neutron prior to updating the openstack-neutron package unless the contents of /etc/sudoers.d/neutron changes.
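The comments above describe four states an upgrade can leave /etc/sudoers.d/neutron in: the old SETENV rule still active (pre-fix package), the old rule still active with the fix parked in neutron.rpmnew ('noreplace' kept, the case this bug argues against), the fixed rule active with local edits moved to neutron.rpmsave ('noreplace' dropped, as decided in comment 5), and a clean fixed file. The script below is an added example, not part of this bug, the errata or the openstack-neutron package: a post-upgrade audit that tells these states apart. The old rule is the exact string the %postun sed matched; the "fixed" rule in the constructed samples is an assumed shape without SETENV, not the package's actual line (which is truncated in the report). The audit takes a directory argument standing in for /etc/sudoers.d so it can be exercised against constructed copies.

```shell
#!/bin/sh
# Added example, not from the bug report or the openstack-neutron package.
# Audit the neutron sudoers drop-in after an RPM upgrade: is the old SETENV
# rule still the active one, and is there an .rpmnew/.rpmsave left to merge?
# DIR stands in for /etc/sudoers.d so the check can run on a constructed copy.

# Exact old rule, taken from the sed in the bug report. SETENV lets the
# invoking user pass arbitrary environment variables to the root command.
OLD_RULE='neutron ALL = (root) NOPASSWD: SETENV: /usr/bin/neutron-rootwrap'

# audit_neutron_sudoers DIR
# Return codes:
#   0  active file has no SETENV rule and nothing is pending
#   1  active file is missing or still carries the old SETENV rule
#   2  active file is fixed, but an .rpmnew/.rpmsave exists and needs merging
audit_neutron_sudoers() {
    dir=$1
    f="$dir/neutron"
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # -x: match the whole line, -F: fixed string (the parentheses are literal)
    if grep -qxF "$OLD_RULE" "$f"; then
        echo "VULNERABLE: $f still contains the SETENV rule"
        [ -f "$f.rpmnew" ] && echo "  noreplace left the fixed file in $f.rpmnew; merge it"
        return 1
    fi
    for leftover in "$f.rpmnew" "$f.rpmsave"; do
        if [ -f "$leftover" ]; then
            echo "MERGE: $leftover exists, review local changes before deleting it"
            return 2
        fi
    done
    echo "OK: $f"
    return 0
}

# make_sample DIR STATE: constructed sudoers.d contents for the demo.
# The "fixed" rule is an assumed SETENV-free shape, not the package's line.
make_sample() {
    mkdir -p "$1"
    fixed_rule='neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap'
    case $2 in
        old)       printf '%s\n' "$OLD_RULE" > "$1/neutron" ;;
        noreplace) printf '%s\n' "$OLD_RULE" > "$1/neutron"
                   printf '%s\n' "$fixed_rule" > "$1/neutron.rpmnew" ;;
        replaced)  printf '%s\n' "$fixed_rule" > "$1/neutron"
                   printf '%s\n' "$OLD_RULE" '# constructed local edit' > "$1/neutron.rpmsave" ;;
        clean)     printf '%s\n' "$fixed_rule" > "$1/neutron" ;;
    esac
}

# Demo over the four post-upgrade states discussed in the bug.
base=$(mktemp -d)
for state in old noreplace replaced clean; do
    make_sample "$base/$state" "$state"
    audit_neutron_sudoers "$base/$state"
    echo "  -> exit $?"
done
rm -rf "$base"
```

Run it against the real directory with `audit_neutron_sudoers /etc/sudoers.d` as root; a return of 1 on an upgraded host means the vulnerable rule is still what sudo enforces, whatever .rpmnew sits beside it. After merging, `visudo -c -f /etc/sudoers.d/neutron` and `rpm -V openstack-neutron` are the two checks worth running, the latter because of the timestamp mismatch noted in the comment above.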
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2014-0899.html