Bug 2222816 - Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work
Summary: Preflight tests require that sudo allow the remote_execution_ssh_user to run ...
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.12.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Adam Ruzicka
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-13 20:40 UTC by Joniel Pasqualetto
Modified: 2023-08-07 15:16 UTC
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Links
System ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker 36647 | 0 | Normal | New | Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work | 2023-08-07 15:16:19 UTC
Red Hat Issue Tracker SAT-19024 | 0 | None | None | None | 2023-07-18 13:41:02 UTC

Description Joniel Pasqualetto 2023-07-13 20:40:05 UTC
Description of problem:
When using a remote_execution_ssh_user different from root and allowing that user to run only specific commands (via sudoers configuration), it is required to add /usr/bin/true to the list of allowed commands for REX to work.

Version-Release number of selected component (if applicable):
6.12

How reproducible:
Always

Steps to Reproduce:
1. Configure remote_execution_ssh_user to be a non-root user
2. Configure sudoers like below:

~~~
# Allow only the per-job REX script; deny paths containing a space or ".."
Cmnd_Alias      SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ *,!/var/tmp/foreman-ssh-cmd-*..*
# SATUSER stands for the remote_execution_ssh_user (or a User_Alias for it)
SATUSER         ALL=NOPASSWD:SATCMNDS
~~~

3. Run any REX job

Actual results:

On the task, got this error:

~~~
   1:
Error initializing command: RuntimeError - Failed to change to effective user, exit code: 1
   2:
Exit status: EXCEPTION
~~~

On the target host, on /var/log/secure:

~~~
Jul 13 20:33:54 josh-medling sshd[2984]: Postponed publickey for rexuser from 192.168.100.100 port 59356 ssh2 [preauth]
Jul 13 20:33:54 josh-medling sshd[2984]: Accepted publickey for rexuser from 192.168.100.100 port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
Jul 13 20:33:54 josh-medling sshd[2984]: pam_unix(sshd:session): session opened for user rexuser by (uid=0)
Jul 13 20:33:55 josh-medling unix_chkpwd[3129]: password check failed for user (rexuser)
Jul 13 20:33:55 josh-medling sudo[3104]: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost=  user=rexuser
Jul 13 20:33:56 josh-medling unix_chkpwd[3131]: password check failed for user (rexuser)
Jul 13 20:33:58 josh-medling unix_chkpwd[3133]: password check failed for user (rexuser)
Jul 13 20:34:00 josh-medling sudo[3104]: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true
~~~

Expected results:
No special sudo permissions should be required.

Additional info:

These preflight tests were introduced to solve this issue [1] and only landed on Satellite 6.12. Customers that restrict the commands REX users can run with sudo will hit this when they get to 6.12.


[1]: https://projects.theforeman.org/issues/34363

Comment 1 Adam Ruzicka 2023-07-17 08:46:57 UTC
Any suggestions how to pull this off without losing the fix for https://projects.theforeman.org/issues/34363 ?

Comment 2 Joniel Pasqualetto 2023-07-18 13:02:28 UTC
Deal with the "test" and "effective-user-test" scripts the same way we deal with the actual REX script.

Put the commands you want to run (in this case, just "true") inside them and use the script-wrapper to run it.

This way, we'll simulate exactly (except for the content of the script) what the REX will be doing.

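The approach Comment 2 proposes, as an added example that is not part of the comment and not Foreman/Satellite code: the preflight command is written into a per-job script under /var/tmp/foreman-ssh-cmd-*/script, the only path the reported Cmnd_Alias permits, and is run through that path rather than by asking sudo for /usr/bin/true directly. The function names, the REX_SUDO escalation prefix and the REX_TMP_BASE override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Foreman/Satellite code. Runs the "effective user"
# preflight through a per-job script path instead of /usr/bin/true, so it
# is covered by the same sudoers entry as the real REX script.
#
# Assumptions (not from the bug report): REX_SUDO is the escalation command
# prefix (e.g. "sudo -n"); leave it empty to run as the current user.
# REX_TMP_BASE is where the job directory is created (default /var/tmp).

# rex_job_dir_ok DIR: exit 0 if DIR is a job directory the alias would accept.
# The alias denies directory names containing a space or "..", so refuse those
# up front instead of letting sudo reject them with "command not allowed".
rex_job_dir_ok() {
  case "$1" in
    */foreman-ssh-cmd-*" "*|*/foreman-ssh-cmd-*..*) return 1 ;;
    */foreman-ssh-cmd-*) return 0 ;;
    *) return 1 ;;
  esac
}

# rex_preflight [COMMAND]: write COMMAND (default: true) into a fresh job
# script, execute it through $REX_SUDO, remove the directory, and return the
# script's exit status so the caller can tell a failed preflight apart.
rex_preflight() {
  cmd="${1:-true}"
  base="${REX_TMP_BASE:-/var/tmp}"
  dir=$(mktemp -d "$base/foreman-ssh-cmd-XXXXXX") || return 1
  if ! rex_job_dir_ok "$dir"; then
    rm -rf "$dir"
    return 1
  fi
  printf '#!/bin/sh\n%s\n' "$cmd" > "$dir/script"
  chmod 0700 "$dir/script"
  # REX_SUDO is intentionally left unquoted so "sudo -n" splits into words.
  ${REX_SUDO:-} "$dir/script"
  rc=$?
  rm -rf "$dir"
  return $rc
}
```

With a sudoers entry like the one in the report, `REX_SUDO="sudo -n" rex_preflight` succeeds for the REX user without adding /usr/bin/true to the allowed commands.
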
Comment 3 Adam Ruzicka 2023-08-07 15:16:17 UTC
Created redmine issue https://projects.theforeman.org/issues/36647 from this bug
