Description of problem:
Interactive sudo hangs waiting on fprintd after running the Essential 8 Ansible playbook against RHEL 8.2 hosts

Version-Release number of selected component (if applicable):
0.1.48-3

How reproducible:
Every time

Steps to Reproduce:
1. Perform a new installation of RHEL 8.2 beta, and select "Australian Cyber Security Centre (ACSC) Essential Eight" from the Anaconda security profile selection
2. Once the system has provisioned, install the latest scap-security-guide content from Brew:
   http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/scap-security-guide/0.1.48/3.el8/noarch/scap-security-guide-0.1.48-3.el8.noarch.rpm
3. Update fapolicyd rules and restart the service:
   sudo sed -i s/trust=1/''/g /etc/fapolicyd/fapolicyd.rules
   sudo systemctl restart fapolicyd
4. Install ansible
   sudo yum module install -y python36
   pip install --user ansible
4. Run the e8 playbook against the host:
   ansible-playbook -i "localhost," -c local --ask-become-pass --become /usr/share/scap-security-guide/ansible/rhel8-playbook-e8.yml
5. Create a new SSH session to the host as a privileged user

Actual results:
User is permitted to login and 'sudo -i' immediately

Expected results:
User has to wait approximately 30 seconds for 'sudo -i' to present a password prompt

Additional info:
Work-around is to disable fprintd with authselect:
   authselect select $(authselect current --raw) --force
   authselect disable-feature with-fingerprint
Hello Shane,

apologies for the delay, and thank you for the excellent bug report.

I was able to reproduce your issue, and to track the issue down to the task for "rpm_verify_permissions". In this task, it finds a few files that don't match the RPM database, and fixes it via "rpm --setperms <name of rpm>".

The cause of issue for me was "/run/dbus". After install it has the following permissions:

[admin@localhost ~]$ ls -lhd /run/dbus
drwxr-xr-x. 2 root root 60 Feb 18 19:06 /run/dbus

After remediation, (i.e.: sudo rpm --setperms dbus-daemon):

[admin@localhost ~]$ ls -lhd /run/dbus
d---------. 2 root root 60 Feb 18 19:06 /run/dbus

And the issue with "sudo -i" occurs to me. However, after a reboot the permissions of "/run/dbus" are reset to the same as before remediation, and I don't face the issue anymore.

Could you confirm if issue with "/run/dbus" happens with you too?

I don't know how your proposed workaround works around the issue though.
Hi Watson,

You're correct. After remediation, "/run/dbus" has the following permissions:

[root@rhel8 ~]# ls -lhd /run/dbus
d---------. 2 root root 60 Feb 19 12:27 /run/dbus

>I don't know how your proposed workaround works around the issue though.

My understanding is that "sudo -i" is invoking fprintd, but as the daemon cannot access /run/dbus/system_bus_socket after 'rpm --setperms dbus-daemon', the command hangs (I see the following in 'journalctl -f'):

Feb 19 13:33:16 rhel8 systemd[1]: fprintd.service: Failed with result 'exit-code'.
Feb 19 13:33:16 rhel8 systemd[1]: Failed to start Fingerprint Authentication Daemon.
Feb 19 13:33:16 rhel8 sedispatch[848]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: Permission denied): AVC Will be dropped
Feb 19 13:33:16 rhel8 sedispatch[848]: Connection Error (Failed to connect to socket /run/dbus/system_bus_socket: Permission denied): AVC Will be dropped

Hence the workaround effectively allows the prompt. Another option is to simply remove fprintd (yum remove fprintd) -> "sudo -i" presents a prompt immediately even though /run/dbus permissions are 'd---------.'
Thanks for the analysis and explanation, Shane. I believe "rpm --setperms dbus-daemon" shouldn't remove all permissions of "/run/dbus". Reassigning bug to dbus.
"rpm --setperms dbus-daemon" removes all permissions of "/run/dbus".

Following command works after install:

[admin@localhost ~]$ dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
   array [
      string "org.freedesktop.DBus"
      string ":1.92"
      [...]
      string ":1.103"
      string ":1.4"
   ]

After "rpm --setperms" command:

[admin@localhost ~]$ dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: Failed to connect to socket /run/dbus/system_bus_socket: Permission denied

Notes:
After reboot permissions on "/run/dbus" are "755", so the dbus-send command works again. But whenever SCAP Security Guide remediation is run, it will do "rpm --setperms dbus-daemon", and they will be fighting each other constantly.
Easy to fix, by creating %{buildroot}/run/dbus with default permissions (755) in the install phase.
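A pre-remediation check for the conflict discussed in this thread, as an added example that is not from the bug report, dbus or SCAP Security Guide: it lists paths whose mode as recorded in the RPM database grants no permissions, which is the mode "rpm --setperms" would apply. The function names and the sample listing are constructed for illustration, and that /run/dbus was recorded with an empty mode is an assumption drawn from the behaviour reported above.

```shell
#!/bin/sh
# Added example: find packaged paths that "rpm --setperms" would strip of
# every permission bit, before a remediation run applies it.

# Reads "PERMS PATH" lines on stdin, the format produced by
#   rpm -q --qf '[%{FILEMODES:perms} %{FILENAMES}\n]' <package>
# and prints "TYPE PATH" for each entry whose nine permission characters
# are all "-", whatever the leading file-type character is.
zero_mode_paths() {
    awk '
        length($1) == 10 && substr($1, 2) == "---------" {
            type = substr($1, 1, 1)
            path = $0
            sub(/^[^ ]+ /, "", path)   # keep paths that contain spaces intact
            print type " " path
        }'
}

# Query the local RPM database for one package (requires rpm on the host).
check_package() {
    rpm -q --qf '[%{FILEMODES:perms} %{FILENAMES}\n]' "$1" | zero_mode_paths
}

# Constructed sample listing, NOT real output from the dbus-daemon package.
# The /run/dbus entry assumes the empty recorded mode implied by the thread.
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x /usr/bin/dbus-daemon
drwxr-xr-x /usr/share/dbus-1/session.d
d--------- /run/dbus
-rw-r--r-- /usr/lib/systemd/system/dbus.service
EOF
}

# With a package name: check the installed package. Without: run the sample.
if [ "$#" -gt 0 ]; then
    check_package "$1"
else
    sample_listing | zero_mode_paths
fi
```

Any path it reports for a package is one to fix in packaging or exclude from the remediation, since restoring its mode by hand only lasts until the next "rpm --setperms" run.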
*** Bug 1811215 has been marked as a duplicate of this bug. ***
I could not reproduce the original issue, and all tests pass with the fixed version of dbus.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (dbus bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4449