Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1965456

Summary: cloud-user has NOPASSWD permissions in sudoers file after deployment of Hosted Engine.
Product: [oVirt] ovirt-ansible-collection Reporter: Lynn Dixon <ldixon>
Component: hosted-engine-setupAssignee: Asaf Rachmani <arachman>
Status: CLOSED CURRENTRELEASE QA Contact: Nikolai Sednev <nsednev>
Severity: high Docs Contact:
Priority: unspecified    
Version: 1.4.2CC: bugs, mavital, michal.skrivanek, sbonazzo
Target Milestone: ovirt-4.4.7Keywords: Triaged, ZStream
Target Release: 1.5.1Flags: sbonazzo: ovirt-4.4+
mavital: testing_plan_complete-
sbonazzo: devel_ack?
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: ovirt-ansible-collection-1.5.1 Doc Type: Bug Fix
Doc Text:
Cause: After hosted-engine deployment cloud-user has NOPASSWD in the /etc/sudoers file Consequence: cloud-user can use sudo without entering a password Fix: Remove cloud-init configuration Result: cloud-user removed
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-06 07:28:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lynn Dixon 2021-05-27 18:06:07 UTC 
Description of problem:
A customer brought to my attention that the cloud-user has NOPASSWD in the /etc/sudoers file on their newly deployed RHV Hosted Engine.  This is a quite large security vulnerability and one that can easily be mitigated by simply removing the cloud-user once the Hosted Engine has been fully deployed.


Version-Release number of selected component (if applicable):
rhvm-4.4.5.11-0.1.el8ev.noarch

How reproducible:
Deploy an instance of the RHEV-M Hosted Engine, and check the /etc/sudoers file for the presence of:
cloud-user	ALL=(ALL)	NOPASSWD: ALL



Actual results:
cloud-user has NOPASSWD for sudoer permissions


Expected results:
cloud-user needs to be removed once an HE is deployed.


Additional info:
We noticed this in a newly upgraded RHV 4.3 to 4.4.5 upgrade, and I also confirmed it exists in my own lab.  I don't think we would need the cloud-user once the HE is deployed, since we won't be doing any cloud-init tasks.  Can we please remove this user from the sudoers file upon a successful deployment to reduce the security / vulnerability footprint?
Comment 1 Michal Skrivanek 2021-05-28 07:19:51 UTC 
we should probably disable creation of default cloud-user altogether
perhaps just add "users:" key without anything?
Comment 2 Sandro Bonazzola 2021-05-31 08:02:32 UTC 
Just wanted to note that cloud-user has sudo nopasswd everywhere, from RHEL (event RHEL 6 and RHEL 7) appliances to previous RHV appliances and RHGS appliances.
I disagree this being a severity high issue.
Comment 3 Sandro Bonazzola 2021-05-31 08:23:33 UTC 
Let's remove the user as last step.
Comment 4 Lynn Dixon 2021-06-01 15:48:06 UTC 
Sandro, I think removing the user as a last step is a good idea.
Comment 5 Sandro Bonazzola 2021-06-30 08:53:05 UTC 
 git tag --contains c71f54032ca3ed3e8b75777b21704b53533e920d
1.5.1-1
1.5.2-1
1.5.3-1
Comment 6 Nikolai Sednev 2021-07-05 05:30:20 UTC 
cloud-user has been removed from /etc/sudoers.
ovirt-hosted-engine-ha-2.4.7-1.el8ev.noarch
ovirt-hosted-engine-setup-2.5.1-1.el8ev.noarch
ovirt-ansible-collection-1.5.1-1.el8ev.noarch
Comment 7 Nikolai Sednev 2021-07-05 10:51:11 UTC 
Also during deployment or restore it appears as:
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Clean cloud-init configuration]
[ INFO  ] ok: [localhost]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-user user]
[ INFO  ] changed: [localhost -> 192.168.222.167]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-init file from /etc/sudoers.d]
[ INFO  ] changed: [localhost -> 192.168.222.167]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-user from /etc/sudoers file]
[ INFO  ] changed: [localhost -> 192.168.222.167]
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-init package]
Comment 8 Sandro Bonazzola 2021-07-06 07:28:08 UTC 
This bugzilla is included in oVirt 4.4.7 release, published on July 6th 2021.

Since the problem described in this bug report should be resolved in oVirt 4.4.7 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.