1763178 – [RFE] Unnecessary call to userhelp and therefore log entries

Bug 1763178 - [RFE] Unnecessary call to userhelp and therefore log entries

Summary: [RFE] Unnecessary call to userhelp and therefore log entries

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	SCAP Plugin
Sub Component:
Version:	6.5.0
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	6.8.0
Assignee:	Ondřej Pražák
QA Contact:	Jameer Pathan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1122832
TreeView+	depends on / blocked

Reported:	2019-10-18 12:18 UTC by Oliver Falk
Modified:	2023-12-15 16:51 UTC (History)
CC List:	6 users (show)
Fixed In Version:	puppet-foreman_scap_client-0.3.23
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-27 12:59:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	28358	Normal	Closed	Unnecessary call to userhelp and therefore log entries	2020-12-09 11:43:19 UTC
Red Hat Bugzilla	1690529	unspecified	CLOSED	insights client runs userhelper (sudo), although insights-client is running as root	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHSA-2020:4366	None	None	None	2020-10-27 12:59:21 UTC

Description Oliver Falk 2019-10-18 12:18:11 UTC

Description of problem:
Since path is usually set to /usr/bin, before /usr/sbin, when facter gathers facts about the RH certificate, userhelper is called in the background, resulting in (these) unnecessary calls + unnecessary log entries.

Version-Release number of selected component (if applicable): puppet-foreman_scap_client-0.3.19-1.el7sat.noarch


How reproducible: Always


Steps to Reproduce:
1. sudo PATH=/bin:/usr/bin:/usr/sbin:/sbin facter -p rh_certificate_consumer_host_cert
2. Check /var/log/secure; You should be able to see something like this:
    Oct 18 11:56:34 xx-xx-xxxx sudo: xxx : TTY=pts/0 ; PWD=/root ; USER=root ; ENV=PATH=/bin:/usr/bin:/usr/sbin:/sbin ; COMMAND=/usr/bin/facter -p rh_certificate_consumer_host_cert
    Oct 18 11:56:35 xx-xx-xxxx userhelper[21020]: pam_timestamp(subscription-manager:session): updated timestamp file `/var/run/sudo/root/unknown'
    Oct 18 11:56:35 xx-xx-xxxx userhelper[21021]: running '/usr/sbin/subscription-manager config' with root privileges on behalf of 'root'

Actual results:
See step 2 of reproducer.


Expected results:
No unnecessary calls to userhelper and log entries.


Additional info:
Simple patch - just call subscription manager with full path:

----------
--- /usr/share/puppet/modules/foreman_scap_client/lib/facter/rh_certificates.rb.191018-1        2016-08-09 08:13:14.000000000 +0000
+++ /usr/share/puppet/modules/foreman_scap_client/lib/facter/rh_certificates.rb 2019-10-18 11:59:26.497804176 +0000
@@ -3,7 +3,7 @@
   certificate_end_path = '/cert.pem'
   private_key_end_path = '/key.pem'
   rh_default_ca_cert = '/etc/rhsm/ca/redhat-uep.pem'
-  data = Facter::Util::Resolution.exec('subscription-manager config')
+  data = Facter::Util::Resolution.exec('/usr/sbin/subscription-manager config')
   return nil if data.nil? || data.empty?
   data = data.gsub("\n", "").gsub(/[\[\]]/, "")
   data_array = data.scan(/(\S+)\s*=\s* ([^ ]+)/)



Linking customer case.
This is also very similar to what we have seen in RHBZ#1690529: https://bugzilla.redhat.com/1690529

Comment 5 Ondřej Pražák 2019-11-19 13:54:13 UTC

This is fixed in 6.7 with Puppet 5, running 'facter -p rh_certificate_consumer_host_cert' or 'subscription-manager config' does not produce any logs in /var/log/secure. Could QE verify?

Comment 6 Peter Vreman 2019-11-19 14:50:40 UTC

If 'subscription-manager config' did not produce the userhelper then the reproducer environment is missing the PATH setting


Please try the following commands as root:

export PATH=/bin:/usr/bin:/usr/sbin:/sbin; subscription-manager config ; tail -n20 /var/log/secure | grep subscription-manager
export PATH=/bin:/usr/bin:/usr/sbin:/sbin; facter -p rh_certificate_consumer_host_cert ; tail -n20 /var/log/secure | grep subscription-manager

Comment 7 Ondřej Pražák 2019-11-26 11:08:29 UTC

Created redmine issue https://projects.theforeman.org/issues/28358 from this bug

Comment 8 Ondřej Pražák 2019-11-26 11:09:34 UTC

I can reproduce now, thank you for clarification. Cloning upstream.

Comment 10 Bryan Kearney 2019-11-26 17:01:52 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28358 has been resolved.

Comment 11 Jameer Pathan 2020-07-27 12:40:01 UTC

Verified:

Verified with:
- Satellite 6.8.0 snap 9
- puppet-foreman_scap_client-0.4.0-1.el7sat.noarch

Test step:
- export PATH=/bin:/usr/bin:/usr/sbin:/sbin; subscription-manager config ; tail -n20 /var/log/secure | grep subscription-manager

Observation:
- No unnecessary calls to userhelper and log entries.

Comment 14 errata-xmlrpc 2020-10-27 12:59:02 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366

Note You need to log in before you can comment on or make changes to this bug.