Bug 1285358
| Summary: | Lago sudo setup can get overridden | ||
|---|---|---|---|
| Product: | [Community] ovirt-system-tests | Reporter: | Barak Korren <bkorren> |
| Component: | Core | Assignee: | David Caro <dcaroest> |
| Status: | CLOSED DEFERRED | QA Contact: | Pavel Stehlik <pstehlik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 0.4 | CC: | bugs, eedri |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-01-27 19:05:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Barak, this is what I have now: [root@ykaul ~]# cd /etc/sudoers.d/ [root@ykaul sudoers.d]# ls lago [root@ykaul sudoers.d]# cat lago %lago ALL = (qemu) NOPASSWD: /usr/bin/chmod %lago ALL = NOPASSWD: /usr/sbin/brctl addbr * %lago ALL = NOPASSWD: /usr/sbin/brctl delbr * %lago ALL = NOPASSWD: /usr/sbin/brctl show * %lago ALL = NOPASSWD: /usr/sbin/brctl stp * %lago ALL = NOPASSWD: /usr/sbin/ip link set dev * %lago ALL = NOPASSWD: /usr/sbin/ip link set dev * If we need, we can add more commands, but I'm not thrilled by ALL... Yaniv, This 'ALL' is located in the the host pattern part of the rule not the command pattern... Or are you talking about what I specified to put in the 'rago' file to reproduce the bug? You don't need that.... If Lago is prompting you for 'sudo' password, it means the rules you see in '/etc/sudoers.d/lago' are actually overridden and are not applied to your system. You can apply the work-around specified above (copy the file to a lexicographically bigger name like '/etc/sudoers.d/z_lago') . |
Description of problem: Lago uses sudo by placing a file called 'lago' in '/etc/sudoers.d' That file allows users that belong to the 'lago' group to invoke various commands with root permissions without entering a password. A file placed in '/etc/sudoers.d' which is lexicographically bigger then 'lago' can override the Lago sudo settings, effectively making lago fail or stop and ask the user for a sudo password. This happens for example on RHEL7 CSB where the file 'redhat-internal-user-sudo' is placed in '/etc/sudoers.d' to grand the user full root access with a password. Steps to Reproduce: 1. Install Lago 2. place the file '/etc/sudoers.d/rago' with the following content: %lago ALL=(ALL) ALL Actual results: Lago stops and tries to ask for a sudo password (occasionally it is impossible to enter because Lago blocks TTY access for the commands it runs internally) Expected results: Laog should just run Additional info: As a temporary work-around the 'lago' file was copied to 'z_lago'. Long-term Lago should not rely on 'sudo' and instead have its own privileged helper accessed via PolicyKit.