Bug 1895015 - Bad permissions in /etc/sudoers.d drop-in files
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 4.3.11
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ovirt-4.4.4
Target Release: 4.4.4
Assignee: Marcin Sobczyk
QA Contact: Yaning Wang
Reported: 2020-11-05 15:07 UTC by Juan Orti
Modified: 2022-07-20 07:30 UTC (History)

Fixed In Version: vdsm-4.40.38
Doc Type: No Doc Update
Last Closed: 2021-02-02 13:59:36 UTC
oVirt Team: Infra

Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 5548261 0 None None None 2020-11-05 15:15:22 UTC
Red Hat Product Errata RHBA-2021:0382 0 None None None 2021-02-02 13:59:55 UTC
oVirt gerrit 112132 0 master MERGED spec: Fix sudoers drop-in config permissions 2021-02-08 12:24:20 UTC
oVirt gerrit 112152 0 master MERGED spec: Fix sudoers drop-in config permissions 2021-02-08 12:24:20 UTC

Description Juan Orti 2020-11-05 15:07:16 UTC
Description of problem:
The sudoers configuration files are expected to have 0440 permissions, but these two files are 0644:

# visudo -cs
/etc/sudoers: parsed OK
/etc/sudoers.d/50_vdsm: bad permissions, should be mode 0440
/etc/sudoers.d/50_vdsm_hook_openstacknet: parsed OK
/etc/sudoers.d/50_vdsm_hook_ovirt_provider_ovn_hook: bad permissions, should be mode 0440
/etc/sudoers.d/50_vdsm_hook_vhostmd: parsed OK
/etc/sudoers.d/60_ovirt-ha: parsed OK

# rpm -qlv ovirt-provider-ovn-driver |grep sudoers
-rw-r--r--    1 root    root                      564 dic 17  2019 /etc/sudoers.d/50_vdsm_hook_ovirt_provider_ovn_hook

# rpm -qlv vdsm |grep sudoers
-rw-r--r--    1 root    root                      581 jul  9 13:16 /etc/sudoers.d/50_vdsm


Version-Release number of selected component (if applicable):
vdsm-4.30.50-1.el7ev.x86_64
ovirt-provider-ovn-driver-1.2.29-1.el7ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. In a RHVH 4.3.11 host:
# ls -la /etc/sudoers.d/

Actual results:
Some files with 0644 permissions.

Expected results:
Sudoers drop-in configuration files are expected to have 0440 permissions.

Additional info:
Also seen in latest RHV 4.4:

vdsm-4.40.26.3-1.el8ev.x86_64
ovirt-provider-ovn-driver-1.2.30-1.el8ev.noarch
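
An added example, not part of the bug report or of vdsm: a shell function that reports drop-in files whose mode is not the 0440 that `visudo -cs` expects, and can optionally chmod them. The function name `check_sudoers_dropins` and its `fix` argument are hypothetical, and the code assumes GNU `stat` (coreutils), as found on RHEL hosts.

```shell
#!/bin/sh
# Added example (not from the bug report): audit sudoers drop-in files for the
# 0440 mode that "visudo -cs" demands. Assumes GNU stat (coreutils).

# check_sudoers_dropins DIR [fix]
#   Prints one line per regular file in DIR whose mode is not 0440.
#   With "fix" as the second argument, also chmods each offender to 0440.
#   Returns 0 when every checked file was already 0440, 1 otherwise.
check_sudoers_dropins() {
    dir=${1:-/etc/sudoers.d}
    action=${2:-report}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip subdirectories and an unmatched glob
        name=${f##*/}
        # sudo ignores drop-in names that end in "~" or contain a "."
        case $name in
            *"~"|*.*) continue ;;
        esac
        mode=$(stat -L -c '%a' "$f")   # octal mode without leading zero, e.g. 644
        if [ "$mode" != "440" ]; then
            echo "$f: mode $mode, should be 0440"
            bad=1
            if [ "$action" = "fix" ]; then
                chmod 0440 "$f"
            fi
        fi
    done
    return "$bad"
}

# Read-only report against the real directory:
#   check_sudoers_dropins /etc/sudoers.d
```

The `fix` argument is a local workaround only; the packaged fix listed on this bug is vdsm-4.40.38.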

Comment 8 errata-xmlrpc 2021-02-02 13:59:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.4]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0382

Comment 9 meital avital 2022-07-20 07:30:32 UTC
Due to QE capacity, we are not going to cover this issue in our automation.

