Description of problem:
A customer brought to my attention that the cloud-user has NOPASSWD in the /etc/sudoers file on their newly deployed RHV Hosted Engine. This is a quite large security vulnerability and one that can easily be mitigated by simply removing the cloud-user once the Hosted Engine has been fully deployed.

Version-Release number of selected component (if applicable):
rhvm-4.4.5.11-0.1.el8ev.noarch

How reproducible:
Deploy an instance of the RHEV-M Hosted Engine, and check the /etc/sudoers file for the presence of:
cloud-user ALL=(ALL) NOPASSWD: ALL

Actual results:
cloud-user has NOPASSWD for sudoer permissions

Expected results:
cloud-user needs to be removed once an HE is deployed.

Additional info:
We noticed this in a newly upgraded RHV 4.3 to 4.4.5 upgrade, and I also confirmed it exists in my own lab. I don't think we would need the cloud-user once the HE is deployed, since we won't be doing any cloud-init tasks. Can we please remove this user from the sudoers file upon a successful deployment to reduce the security / vulnerability footprint?
We should probably disable creation of the default cloud-user altogether; perhaps just add a "users:" key without anything?
Just wanted to note that cloud-user has sudo nopasswd everywhere, from RHEL (even RHEL 6 and RHEL 7) appliances to previous RHV appliances and RHGS appliances. I disagree with this being a severity high issue.
Let's remove the user as last step.
Sandro, I think removing the user as a last step is a good idea.
git tag --contains c71f54032ca3ed3e8b75777b21704b53533e920d
1.5.1-1
1.5.2-1
1.5.3-1
cloud-user has been removed from /etc/sudoers.
ovirt-hosted-engine-ha-2.4.7-1.el8ev.noarch
ovirt-hosted-engine-setup-2.5.1-1.el8ev.noarch
ovirt-ansible-collection-1.5.1-1.el8ev.noarch
Also during deployment or restore it appears as:
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Clean cloud-init configuration]
[ INFO ] ok: [localhost]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-user user]
[ INFO ] changed: [localhost -> 192.168.222.167]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-init file from /etc/sudoers.d]
[ INFO ] changed: [localhost -> 192.168.222.167]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-user from /etc/sudoers file]
[ INFO ] changed: [localhost -> 192.168.222.167]
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Remove cloud-init package]
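The following is an added example, not code from this bug report or from the ovirt-ansible-collection: a small POSIX shell audit that finds NOPASSWD grants for a user in /etc/sudoers and /etc/sudoers.d and strips them the way the "Remove cloud-user from /etc/sudoers" tasks above do. It assumes a root directory argument (a constructed sample tree is built below, with a made-up drop-in name) so it runs unprivileged; on a deployed engine you would pass "/" and the user cloud-user.

```shell
#!/bin/sh
# Added example (not from the bug report or ovirt-ansible-collection).
# Audit a sudoers tree under root dir $1 for NOPASSWD grants to user $2,
# and remove them. Uses a constructed sample tree so it needs no root.

# Print "file:line:content" for every NOPASSWD grant to $2 under $1.
find_nopasswd() {
  root="$1"; user="$2"
  for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    grep -n "^[[:space:]]*$user[[:space:]].*NOPASSWD" "$f" | sed "s|^|$f:|"
  done
  return 0
}

# Succeed (0) only if the user holds no NOPASSWD grant anywhere.
audit_user() {
  [ -z "$(find_nopasswd "$1" "$2")" ]
}

# Delete the user's grant lines from sudoers and every drop-in; a drop-in
# that becomes empty (cloud-init's per-user file is such a case) is removed.
remove_user_grants() {
  root="$1"; user="$2"
  for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    grep -q "^[[:space:]]*$user[[:space:]]" "$f" || continue
    grep -v "^[[:space:]]*$user[[:space:]]" "$f" > "$f.tmp" || true
    mv "$f.tmp" "$f"
    if [ "$f" != "$root/etc/sudoers" ] && [ ! -s "$f" ]; then rm -f "$f"; fi
  done
  return 0
}

# Constructed sample tree reproducing the reported state (drop-in name is made up).
make_sample() {
  mkdir -p "$1/etc/sudoers.d"
  printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' \
    'cloud-user ALL=(ALL) NOPASSWD: ALL' > "$1/etc/sudoers"
  printf '%s\n' 'cloud-user ALL=(ALL) NOPASSWD:ALL' > "$1/etc/sudoers.d/90-sample-users"
}

sample=$(mktemp -d); make_sample "$sample"
echo "before:"; find_nopasswd "$sample" cloud-user
remove_user_grants "$sample" cloud-user
if audit_user "$sample" cloud-user; then echo "after: clean"; else echo "after: STILL GRANTED"; fi
rm -rf "$sample"
```

Run it periodically (or from a post-deploy check) with "/" as the root argument to confirm the cleanup tasks actually took effect on the engine VM.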
This bugzilla is included in oVirt 4.4.7 release, published on July 6th 2021. Since the problem described in this bug report should be resolved in oVirt 4.4.7 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.