Description of problem: Since path is usually set to /usr/bin, before /usr/sbin, when facter gathers facts about the RH certificate, userhelper is called in the background, resulting in (these) unnecessary calls + unnecessary log entries. Version-Release number of selected component (if applicable): puppet-foreman_scap_client-0.3.19-1.el7sat.noarch How reproducible: Always Steps to Reproduce: 1. sudo PATH=/bin:/usr/bin:/usr/sbin:/sbin facter -p rh_certificate_consumer_host_cert 2. Check /var/log/secure; You should be able to see something like this: Oct 18 11:56:34 xx-xx-xxxx sudo: xxx : TTY=pts/0 ; PWD=/root ; USER=root ; ENV=PATH=/bin:/usr/bin:/usr/sbin:/sbin ; COMMAND=/usr/bin/facter -p rh_certificate_consumer_host_cert Oct 18 11:56:35 xx-xx-xxxx userhelper[21020]: pam_timestamp(subscription-manager:session): updated timestamp file `/var/run/sudo/root/unknown' Oct 18 11:56:35 xx-xx-xxxx userhelper[21021]: running '/usr/sbin/subscription-manager config' with root privileges on behalf of 'root' Actual results: See step 2 of reproducer. Expected results: No unnecessary calls to userhelper and log entries. Additional info: Simple patch - just call subscription manager with full path: ---------- --- /usr/share/puppet/modules/foreman_scap_client/lib/facter/rh_certificates.rb.191018-1 2016-08-09 08:13:14.000000000 +0000 +++ /usr/share/puppet/modules/foreman_scap_client/lib/facter/rh_certificates.rb 2019-10-18 11:59:26.497804176 +0000 @@ -3,7 +3,7 @@ certificate_end_path = '/cert.pem' private_key_end_path = '/key.pem' rh_default_ca_cert = '/etc/rhsm/ca/redhat-uep.pem' - data = Facter::Util::Resolution.exec('subscription-manager config') + data = Facter::Util::Resolution.exec('/usr/sbin/subscription-manager config') return nil if data.nil? || data.empty? data = data.gsub("\n", "").gsub(/[\[\]]/, "") data_array = data.scan(/(\S+)\s*=\s* ([^ ]+)/) Linking customer case. This is also very similar to what we have seen in RHBZ#1690529: https://bugzilla.redhat.com/1690529
This is fixed in 6.7 with Puppet 5, running 'facter -p rh_certificate_consumer_host_cert' or 'subscription-manager config' does not produce any logs in /var/log/secure. Could QE verify?
If 'subscription-manager config' did not produce the userhelper then the reproducer environment is missing the PATH setting Please try the following commands as root: export PATH=/bin:/usr/bin:/usr/sbin:/sbin; subscription-manager config ; tail -n20 /var/log/secure | grep subscription-manager export PATH=/bin:/usr/bin:/usr/sbin:/sbin; facter -p rh_certificate_consumer_host_cert ; tail -n20 /var/log/secure | grep subscription-manager
Created redmine issue https://projects.theforeman.org/issues/28358 from this bug
I can reproduce now, thank you for clarification. Cloning upstream.
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28358 has been resolved.
Verified: Verified with: - Satellite 6.8.0 snap 9 - puppet-foreman_scap_client-0.4.0-1.el7sat.noarch Test step: - export PATH=/bin:/usr/bin:/usr/sbin:/sbin; subscription-manager config ; tail -n20 /var/log/secure | grep subscription-manager Observation: - No unnecessary calls to userhelper and log entries.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4366