Bug 1278202 - Permission denied errors when logging in with non-root users
Permission denied errors when logging in with non-root users
Status: CLOSED ERRATA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance (Show other bugs)
5.4.0
Unspecified Unspecified
high Severity high
: GA
: 5.5.0
Assigned To: Jason Frey
Milan Falešník
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-04 17:52 EST by Jared Deubel
Modified: 2015-12-08 08:44 EST (History)
9 users (show)

See Also:
Fixed In Version: 5.5.0.11
Doc Type: Bug Fix
Doc Text:
Previously, there were permission denied errors when logging in with non-root users. This patch fixes the cfme-gemset RPM spec by separating the parts of the enable script that are for one-time setup into a setup script, and calling the setup script from the kickstart.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-08 08:44:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2551 normal SHIPPED_LIVE Moderate: CFME 5.5.0 bug fixes and enhancement update 2015-12-08 12:58:09 EST

  None (edit)
Description Jared Deubel 2015-11-04 17:52:51 EST
Description of problem:

When logging in as a non-root user permission denied errors fill screen. 


Output:
====================================================
rm: cannot remove `/var/www/miq/vmdb/Gemfile.lock': Permission denied
ln: creating symbolic link `/var/www/miq/vmdb/Gemfile.lock': File exists
rm: cannot remove `/var/www/miq/vmdb/.bundle': Permission denied
ln: creating symbolic link `/var/www/miq/vmdb/.bundle/.bundle': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/xsd2ruby.rb': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/ri': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/ziyafy': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/fission': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/thin': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rake': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/aws-rb': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/httpclient': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/nokogiri': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/tt': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rubyrep': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/oauth': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/fog': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/scss': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rdoc': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/thor': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/lessc': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/restclient': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/user_agent_parser': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/sprockets': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/techbook': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/sass': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/bundler': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rackup': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/rails': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/haml': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/wsdl2ruby.rb': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/erubis': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/sass-convert': Permission denied
rm: cannot remove `/var/www/miq/vmdb/bin/tilt': Permission denied
cp: cannot create directory `/var/www/miq/vmdb/bin/bin': Permission denied
====================================================

The file under /etc/profile.d called evm.sh:

[test@test_01 profile.d]$ cat evm.sh
[[ -s "/etc/default/evm" ]] && source "/etc/default/evm"

# Aliases:
alias vmdb='cd /var/www/miq/vmdb'


Under /etc/default/evm there are three scripts 
====================================================
[test@test_01 default]$ ls -lrth
total 8.0K
-rw-------. 1 root root  119 Mar 27  2015 useradd
-rw-r--r--. 1 root root 1.8K Aug 26 06:07 nss
lrwxrwxrwx. 1 root root   40 Oct 29 18:00 evm -> /var/www/miq/system/LINK/etc/default/evm
lrwxrwxrwx. 1 root root   55 Oct 29 18:00 evm_productization -> /var/www/miq/system/LINK/etc/default/evm_productization
lrwxrwxrwx. 1 root root   48 Oct 29 18:00 evm_bundler -> /var/www/miq/system/LINK/etc/default/evm_bundler
====================================================

When digging deeper and sourcing /etc/default/evm_productization it appears that sourcing /opt/rh/cfme-gemset/enable is the culprit (shown below)
====================================================
[test@dhcp181-37 default]$ cat evm_productization 
[[ -s /opt/rh/ruby200/enable ]] && source /opt/rh/ruby200/enable
[[ -s /opt/rh/v8314/enable ]] && source /opt/rh/v8314/enable
[[ -s /opt/rh/cfme-gemset/enable ]] && source /opt/rh/cfme-gemset/enable
====================================================

It seems that this file should not be sourced and should not be run on every user login as this could cause issues. Also, why is this being run while logging in as a non-root user?


Version-Release number of selected component (if applicable):
5.4

How reproducible:
100%
Comment 2 Jason Frey 2015-11-05 10:51:22 EST
Jared,

What is the use case for logging in as a non-root user?
Comment 3 Jared Deubel 2015-11-06 16:20:04 EST
Root logins are disabled on there systems, users log in and issue commands via sudo.
Comment 4 Jason Frey 2015-11-17 17:31:02 EST
Related to BZ1278076

Fixed in our cfme-gemset RPM spec by separating the parts of the enable script that are really for one-time setup into a setup script, and calling the setup script from the kickstart.

http://pkgs.devel.redhat.com/cgit/rpms/cfme-gemset/commit/?h=cfme-rh-ruby22-5.5-rhel-7&id=1786f29bfbd65ad2306a993b6c9d2fb467fb9cf8
http://pkgs.devel.redhat.com/cgit/rpms/cfme-appliance/commit/?h=cfme-5.5-rhel-7&id=68780064a4dd1259a35d3794a16cd05ac0a32111
Comment 5 Milan Falešník 2015-11-19 11:29:02 EST
Verified in 5.5.0.11
Comment 7 errata-xmlrpc 2015-12-08 08:44:19 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2551

Note You need to log in before you can comment on or make changes to this bug.