Bug 1285358 - Lago sudo setup can get overridden
Status: CLOSED DEFERRED
Product: ovirt-system-tests
Classification: Community
Component: Core
0.4
Assigned To: David Caro
Pavel Stehlik
Reported: 2015-11-25 08:00 EST by Barak Korren
Modified: 2016-06-26 19:51 EDT
Doc Type: Bug Fix
Last Closed: 2016-01-27 14:05:27 EST
Type: Bug
Description Barak Korren 2015-11-25 08:00:23 EST
Description of problem:
Lago uses sudo by placing a file called 'lago' in '/etc/sudoers.d'.
That file allows users that belong to the 'lago' group to invoke various commands with root permissions without entering a password.

A file placed in '/etc/sudoers.d' which is lexicographically bigger than 'lago' can override the Lago sudo settings, effectively making Lago fail or stop and ask the user for a sudo password.

This happens for example on RHEL7 CSB where the file 'redhat-internal-user-sudo' is placed in '/etc/sudoers.d' to grant the user full root access with a password.

Steps to Reproduce:
1. Install Lago
2. Place the file '/etc/sudoers.d/rago' with the following content:
     %lago    ALL=(ALL)   ALL

Actual results:
Lago stops and tries to ask for a sudo password (occasionally it is impossible to enter because Lago blocks TTY access for the commands it runs internally)

Expected results:
Lago should just run

Additional info:
As a temporary work-around the 'lago' file was copied to 'z_lago'. 
Long-term Lago should not rely on 'sudo' and instead have its own privileged helper accessed via PolicyKit.
Comment 1 Yaniv Kaul 2015-12-21 05:01:01 EST
Barak, this is what I have now:
[root@ykaul ~]# cd /etc/sudoers.d/
[root@ykaul sudoers.d]# ls
lago
[root@ykaul sudoers.d]# cat lago 
%lago ALL = (qemu) NOPASSWD: /usr/bin/chmod
%lago ALL = NOPASSWD: /usr/sbin/brctl addbr *
%lago ALL = NOPASSWD: /usr/sbin/brctl delbr *
%lago ALL = NOPASSWD: /usr/sbin/brctl show *
%lago ALL = NOPASSWD: /usr/sbin/brctl stp *
%lago ALL = NOPASSWD: /usr/sbin/ip link set dev *
%lago ALL = NOPASSWD: /usr/sbin/ip link set dev *



If we need, we can add more commands, but I'm not thrilled by ALL...
Comment 2 Barak Korren 2015-12-21 05:25:37 EST
Yaniv,

This 'ALL' is located in the host pattern part of the rule, not the command pattern...

Or are you talking about what I specified to put in the 'rago' file to reproduce the bug? You don't need that....

If Lago is prompting you for 'sudo' password, it means the rules you see in '/etc/sudoers.d/lago' are actually overridden and are not applied to your system. You can apply the work-around specified above (copy the file to a lexicographically bigger name like '/etc/sudoers.d/z_lago').
Comment 3 David Caro 2016-01-27 14:05:27 EST
Moved to https://github.com/lago-project/lago/issues/48
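
The override described in this report can be checked mechanically. The following is an added example, not part of the original report or of Lago: it lists a sudoers.d-style directory in the order sudo parses it (names containing '.' or ending in '~' are skipped, the rest are read in sorted lexical order) and reports which file holds the last rule for a principal, since sudo applies the last matching entry. It is a heuristic that compares only the user field and does not resolve aliases or check which command a rule covers; the helper names, the temporary directory and the 'lago.bak' file are constructed for illustration.

```python
import os
import tempfile

# Rule lines copied from the report; the directory layout below is constructed.
LAGO_RULES = "%lago ALL = NOPASSWD: /usr/sbin/brctl addbr *\n"
RAGO_RULES = "%lago    ALL=(ALL)   ALL\n"

def include_order(directory):
    """File names sudo reads from an #includedir directory, in parse order."""
    # sudo skips names ending in '~' or containing '.', then sorts lexically.
    return sorted(n for n in os.listdir(directory)
                  if "." not in n and not n.endswith("~")
                  and os.path.isfile(os.path.join(directory, n)))

def rules_for(directory, principal):
    """(file, line) pairs whose user field equals principal, in parse order."""
    hits = []
    for name in include_order(directory):
        with open(os.path.join(directory, name)) as fh:
            for raw in fh:
                fields = raw.split()
                if fields and fields[0] == principal:
                    hits.append((name, raw.strip()))
    return hits

def deciding_file(directory, principal):
    """File holding the last rule for principal; sudo applies the last match."""
    hits = rules_for(directory, principal)
    return hits[-1][0] if hits else None

def write(directory, name, text):
    with open(os.path.join(directory, name), "w") as fh:
        fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as d:
        write(d, "lago", LAGO_RULES)
        write(d, "rago", RAGO_RULES)
        write(d, "lago.bak", RAGO_RULES)    # ignored by sudo: name contains '.'
        before = deciding_file(d, "%lago")  # 'rago' sorts after 'lago'
        write(d, "z_lago", LAGO_RULES)      # the work-around from the report
        after = deciding_file(d, "%lago")
        return before, after, include_order(d)

if __name__ == "__main__":
    print(demo())
```

Run against the real directory, call `deciding_file` once per principal that applies to the account (the group, the user name, `ALL`), because a later rule for any of them can take precedence over the group rule.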
