Description of problem: The sudoers configuration files are expected to have 0440 permissions, but these two files are 0644: # visudo -cs /etc/sudoers: parsed OK /etc/sudoers.d/50_vdsm: bad permissions, should be mode 0440 /etc/sudoers.d/50_vdsm_hook_openstacknet: parsed OK /etc/sudoers.d/50_vdsm_hook_ovirt_provider_ovn_hook: bad permissions, should be mode 0440 /etc/sudoers.d/50_vdsm_hook_vhostmd: parsed OK /etc/sudoers.d/60_ovirt-ha: parsed OK # rpm -qlv ovirt-provider-ovn-driver |grep sudoers -rw-r--r-- 1 root root 564 dic 17 2019 /etc/sudoers.d/50_vdsm_hook_ovirt_provider_ovn_hook # rpm -qlv vdsm |grep sudoers -rw-r--r-- 1 root root 581 jul 9 13:16 /etc/sudoers.d/50_vdsm Version-Release number of selected component (if applicable): vdsm-4.30.50-1.el7ev.x86_64 ovirt-provider-ovn-driver-1.2.29-1.el7ev.noarch How reproducible: Always Steps to Reproduce: 1. In a RHVH 4.3.11 host: # ls -la /etc/sudoers.d/ Actual results: Some files with 0644 permissions. Expected results: Sudoers drop-in configuration files are expected to have 0440 permissions. Additional info: Also seen in latest RHV 4.4: vdsm-4.40.26.3-1.el8ev.x86_64 ovirt-provider-ovn-driver-1.2.30-1.el8ev.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV RHEL Host (ovirt-host) 4.4.z [ovirt-4.4.4]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0382
Due to QE capacity we are not going to cover this issue in our automation