Description of problem:
As part of hardening best practices and also SCAP checks, our /etc/sudoers contains 'Defaults requiretty'.
The server runs a pmlogger farm with remote loggers.
This is using the pmlogctl process that uses sudo. This triggers for every server an error in the syslog:
~~~
[Azure] root@test@li-lc-2635 ~
$ sudo grep pmlogctl /var/log/messages
May 16 15:38:29 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:38:29 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:39:09 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:39:52 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:41:38 li-lc-2635 pmlogctl[1371821]: Warning: pmlogger failed to start for host li-lc-1437.hag.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1437.hag.hilti.com
May 16 15:41:38 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:43:22 li-lc-2635 pmlogctl[1371821]: Warning: pmlogger failed to start for host li-lc-1636.sc.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1636.sc.hilti.com
May 16 15:43:22 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:45:08 li-lc-2635 pmlogctl[1371821]: Warning: pmlogger failed to start for host li-lc-1637.sc.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1637.sc.hilti.com
May 16 15:45:08 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:46:51 li-lc-2635 pmlogctl[1371821]: Warning: pmlogger failed to start for host li-lc-1667.hag.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1667.hag.hilti.com
May 16 15:46:51 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:48:23 li-lc-2635 pmlogctl[1371821]: Warning: pmlogger failed to start for host li-lc-1679.hag.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1679.hag.hilti.com
May 16 15:48:23 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:49:55 li-lc-2635 pmlogctl[1371821]: Warning: pmlogger failed to start for host li-lc-1680.hag.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1680.hag.hilti.com
May 16 15:49:55 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:51:28 li-lc-2635 pmlogctl[1371821]: Warning: pmlogger failed to start for host li-lc-1681.hag.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1681.hag.hilti.com
May 16 15:51:28 li-lc-2635 pmlogctl[1371821]: sudo: sorry, you must have a tty to run sudo
May 16 15:52:20 li-lc-2635 pmlogctl[7412]: sudo: sorry, you must have a tty to run sudo
May 16 15:52:21 li-lc-2635 pmlogctl[7625]: sudo: sorry, you must have a tty to run sudo
May 16 15:53:03 li-lc-2635 pmlogctl[23845]: sudo: sorry, you must have a tty to run sudo
May 16 15:54:13 li-lc-2635 pmlogctl[55595]: sudo: sorry, you must have a tty to run sudo
May 16 15:55:47 li-lc-2635 pmlogctl[7348]: Warning: pmlogger failed to start for host li-lc-1437.hag.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1437.hag.hilti.com
May 16 15:55:47 li-lc-2635 pmlogctl[84140]: sudo: sorry, you must have a tty to run sudo
May 16 15:57:25 li-lc-2635 pmlogctl[7348]: Warning: pmlogger failed to start for host li-lc-1636.sc.hilti.com and directory /var/log/pcp/pmlogger/remote/li-lc-1636.sc.hilti.com
May 16 15:57:25 li-lc-2635 pmlogctl[126918]: sudo: sorry, you must have a tty to run sudo
May 16 15:58:35 li-lc-2635 pmlogctl[166506]: sudo: sorry, you must have a tty to run sudo
~~~
Version-Release number of selected component (if applicable):
pcp-5.3.5-8.el8.x86_64.rpm
Additional info:
The following patch to use runuser instead of sudo prevents relying on user-customizable configuration:
~~~
$ sudo diff -u /usr/bin/pmlogctl.220516-1 /usr/bin/pmlogctl
--- /usr/bin/pmlogctl.220516-1 2022-02-01 23:53:00.000000000 +0000
+++ /usr/bin/pmlogctl 2022-05-16 16:27:47.403630900 +0000
@@ -1647,7 +1647,7 @@
SHOWME=false
CP=cp
RM=rm
-CHECK="sudo -u $PCP_USER -g $PCP_GROUP $PCP_BINADM_DIR/${IAM}_check"
+CHECK="runuser --user $PCP_USER -- $PCP_BINADM_DIR/${IAM}_check"
KILL="$PCP_BINADM_DIR/pmsignal -s"
MIGRATE=false
VERBOSE=false
~~~
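Review bot: the `+CHECK=` line drops the `-g $PCP_GROUP` that the `sudo` form passed, so `${IAM}_check` would run with whatever primary group the account database gives `$PCP_USER` instead of the configured group; if the group is meant to be enforced as before, add `--group $PCP_GROUP` ahead of the `--`. `runuser` also does no policy lookup and can only be executed by root, so the change assumes pmlogctl always reaches this assignment as root; a comment beside `CHECK=` stating that assumption would help the next reader.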
I've spent further time on this now, eventually reaching the changes in the attached patch. This resolves the platform-independence issue (runuser is a Linux-specific command but PCP is cross-platform), but issues remain.
Although I've been able to get many of the regression tests to pass, tests 1204 and 12458 still fail in non-obvious ways that give me concerns about using runuser. It seems it's not a drop-in replacement, and the attached patch is not ideal already. I've forwarded these details to the upstream PCP developer who wrote pmlogconf for his thoughts.
If he chooses to continue this effort, or someone else is interested in continuing this work upstream, that's great. I cannot justify spending further time on this however, given our levels of resourcing and other customer needs - so I'm marking this BZ as WONTFIX for now. If it gets traction upstream, we can re-open this in due course and perhaps back-port, depending on how complex the final solution ends up.
Since Red Hat has recommended that the "requiretty" be removed in <https://access.redhat.com/solutions/15794>, I'm reopening this PCP bug. We'll add this bug to our backlog.
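To see which non-interactive services on a host are hit by `requiretty`, the syslog messages shown in the report can be summarised per program. The following is an added example, not code from this bug or from PCP; the function names, host names and log lines are constructed for illustration and only mirror the message format quoted above.

```shell
#!/bin/sh
# Added example: triage syslog for services broken by 'Defaults requiretty'.

# Constructed sample input modelled on the message format in the report;
# host names, program names and PIDs are invented.
sample_log() {
cat <<'EOF'
May 16 15:38:29 collector01 pmlogctl[1001]: sudo: sorry, you must have a tty to run sudo
May 16 15:41:38 collector01 pmlogctl[1001]: Warning: pmlogger failed to start for host remote-a.example.com and directory /var/log/pcp/pmlogger/remote/remote-a.example.com
May 16 15:41:38 collector01 pmlogctl[1001]: sudo: sorry, you must have a tty to run sudo
May 16 15:43:22 collector01 pmlogctl[2002]: Warning: pmlogger failed to start for host remote-b.example.com and directory /var/log/pcp/pmlogger/remote/remote-b.example.com
May 16 15:43:22 collector01 pmlogctl[2002]: sudo: sorry, you must have a tty to run sudo
May 16 15:44:00 collector01 backupjob[3003]: sudo: sorry, you must have a tty to run sudo
May 16 15:45:00 collector01 sshd[4004]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
May 16 15:55:47 collector01 pmlogctl[5005]: Warning: pmlogger failed to start for host remote-a.example.com and directory /var/log/pcp/pmlogger/remote/remote-a.example.com
EOF
}

# denied_by_program: read syslog on stdin and print "<program> <count>" for
# every program whose sudo call was refused for lack of a tty, busiest first.
denied_by_program() {
    awk '/sudo: sorry, you must have a tty to run sudo/ {
             tag = $5                  # syslog tag, e.g. "pmlogctl[1001]:"
             sub(/\[.*$/, "", tag)     # drop "[pid]:" when a PID is present
             sub(/:$/, "", tag)        # drop the colon when there is no PID
             n[tag]++
         }
         END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1
}

# failed_pmlogger_hosts: unique remote hosts whose pmlogger did not start.
failed_pmlogger_hosts() {
    awk '/pmlogger failed to start for host/ {
             for (i = 1; i < NF; i++)
                 if ($i == "host") { print $(i + 1); break }
         }' | sort -u
}

# Run against the constructed sample when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    sample_log | denied_by_program
    sample_log | failed_pmlogger_hosts
fi
```

On a real host, feed the functions from the log instead of the sample, for example `denied_by_program < /var/log/messages`.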
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (pcp bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2745