Bug 1304385 - [RFE] sosreport should provide a sudoers.d file example for user that do not what to use root.
[RFE] sosreport should provide a sudoers.d file example for user that do not ...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sos (Show other bugs)
7.4
Unspecified Unspecified
unspecified Severity medium
: rc
: ---
Assigned To: Pavel Moravec
BaseOS QE - Apps
: FutureFeature, Improvement, Reopened
Depends On:
Blocks: 995735
  Show dependency treegraph
 
Reported: 2016-02-03 08:11 EST by Yaniv Lavi (Dary)
Modified: 2016-02-22 04:37 EST (History)
18 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-03 10:15:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Yaniv Lavi (Dary) 2016-02-03 08:11:44 EST
Sosreport currently requires root user to run. Privilege escalation to root should only absolutely required. Please add support for sudo (probably via sudoers.d.
Comment 2 Bryn M. Reeves 2016-02-03 08:42:20 EST
If this is for RHEV's use it would need to be dropped in by one of the RHEV-specific configuration packages - sudoers.d is for the site administrator's use: we cannot make this sort of change in RHEL packages as we cannot force this kind of policy decision onto end users.
Comment 3 Yaniv Lavi (Dary) 2016-02-03 09:12:33 EST
(In reply to Bryn M. Reeves from comment #2)
> If this is for RHEV's use it would need to be dropped in by one of the
> RHEV-specific configuration packages - sudoers.d is for the site
> administrator's use: we cannot make this sort of change in RHEL packages as
> we cannot force this kind of policy decision onto end users.

Can you provide a example of what is needed in the sudoers file to not fail without needing to reverse engineer this?
It's not a RHEV requirement to not use root for sosreport, this is coming from many customers.
Comment 4 Yaniv Lavi (Dary) 2016-02-03 09:22:31 EST
I'll rephrase the RFE.
Comment 5 Bryn M. Reeves 2016-02-03 09:27:45 EST
> Can you provide a example of what is needed in the sudoers file to not fail 
> without needing to reverse engineer this?

Not really: you nuked the entire bug template so I don't actually know what problem you are having. If you can explain what is failing for you and what changes you have made we might be able to help - as far as I know sudoers.d uses the syntax described in sudoers(5).

The sosreport command "supports" sudo in the same way as any other program requiring root privileges - you just prefix it with 'sudo' - I am not aware of any need or requirement for applications to configure themselves for sudo use via sudoers.d. I use sos via sudo all the time without modifying this directory.
Comment 6 Yaniv Lavi (Dary) 2016-02-03 09:35:24 EST
(In reply to Bryn M. Reeves from comment #5)
> > Can you provide a example of what is needed in the sudoers file to not fail 
> > without needing to reverse engineer this?
> 
> Not really: you nuked the entire bug template so I don't actually know what
> problem you are having. If you can explain what is failing for you and what
> changes you have made we might be able to help - as far as I know sudoers.d
> uses the syntax described in sudoers(5).
> 
> The sosreport command "supports" sudo in the same way as any other program
> requiring root privileges - you just prefix it with 'sudo' - I am not aware
> of any need or requirement for applications to configure themselves for sudo
> use via sudoers.d. I use sos via sudo all the time without modifying this
> directory.

The goal is to allow using the tool without root and only specifying some commands  in root context. See bug #995735 and #1085907.
Comment 7 Bryn M. Reeves 2016-02-03 10:15:52 EST
Just configure and use sudo as required for RHEV's needs. This is a confiuration problem - it does not need any changes in sos.
Comment 8 Yaniv Lavi (Dary) 2016-02-21 06:58:58 EST
(In reply to Bryn M. Reeves from comment #7)
> Just configure and use sudo as required for RHEV's needs. This is a
> confiuration problem - it does not need any changes in sos.

It does need changes if you don't want to give unlimited root access to the user.
Can you provide this for the default plugins based on tools those plugin require?
Comment 9 Bryn M. Reeves 2016-02-22 04:37:12 EST
Please provide some actual examples of what you are requesting, or the missing template sections.

Configuring sudo is the responsibility of the system administrator. If you want to provide a pre-configured set up in certain products that is fine but sos will not be including this.

We have a long term plan to add authenticated access via Dbus and polkit - if you want to help you are more than welcome to contribute to that upstream so that we can see the results sooner in Red Hat products.

Otherwise I am going to close this bug again as it seems it's just a request to move your team's problem to another group.

Note You need to log in before you can comment on or make changes to this bug.