2222816 – Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2222816 - Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work

Summary: Preflight tests require that sudo allow the remote_execution_ssh_user to run ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Remote Execution
Sub Component:
Version:	6.12.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	6.15.0
Assignee:	Adam Ruzicka
QA Contact:	Lukáš Hellebrandt
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-13 20:40 UTC by Joniel Pasqualetto
Modified:	2024-06-11 11:49 UTC (History)
CC List:	9 users (show)
Fixed In Version:	rubygem-smart_proxy_remote_execution_ssh-0.10.3
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-04-23 17:11:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Hotfix RPM for Satellite 6.13.7 (49.68 KB, application/x-rpm) 2024-05-15 19:08 UTC, Ian Ballou	no flags	Details
Hotfix RPM for Satellite 6.14.4 (49.68 KB, application/x-rpm) 2024-05-15 19:27 UTC, Ian Ballou	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	36647	Normal	New	Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work	2023-08-07 15:16:19 UTC
Red Hat Issue Tracker	SAT-19024	None	None	None	2023-07-18 13:41:02 UTC
Red Hat Knowledge Base (Solution)	6990443	None	None	None	2023-12-05 13:53:12 UTC
Red Hat Product Errata	RHSA-2024:2010	None	None	None	2024-04-23 17:11:42 UTC

Description Joniel Pasqualetto 2023-07-13 20:40:05 UTC

Description of problem:
When using remote_execution_ssh_user different than root and allowing the user to run only specific commands (via sudoers configuration), it is required to add /usr/bin/true on the list of allowed commands for REX to work

Version-Release number of selected component (if applicable):
6.12

How reproducible:
Always

Steps to Reproduce:
1. Configure remote_execution_ssh_user to be a non-root user
2. Configure sudoers like below:

Cmnd_Alias      SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ *,!/var/tmp/foreman-ssh-cmd-*..*
SATUSER         ALL=NOPASSWD:SATCMNDS

3. Run any REX job

Actual results:

On the task, got this error:

~~~
   1:
Error initializing command: RuntimeError - Failed to change to effective user, exit code: 1
   2:
Exit status: EXCEPTION
~~~

On the target host, on /var/log/secure:

~~~
Jul 13 20:33:54 josh-medling sshd[2984]: Postponed publickey for rexuser from 192.168.100.100 port 59356 ssh2 [preauth]
Jul 13 20:33:54 josh-medling sshd[2984]: Accepted publickey for rexuser from 192.168.100.100 port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
Jul 13 20:33:54 josh-medling sshd[2984]: pam_unix(sshd:session): session opened for user rexuser by (uid=0)
Jul 13 20:33:55 josh-medling unix_chkpwd[3129]: password check failed for user (rexuser)
Jul 13 20:33:55 josh-medling sudo[3104]: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost=  user=rexuser
Jul 13 20:33:56 josh-medling unix_chkpwd[3131]: password check failed for user (rexuser)
Jul 13 20:33:58 josh-medling unix_chkpwd[3133]: password check failed for user (rexuser)
Jul 13 20:34:00 josh-medling sudo[3104]: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true
~~~

Expected results:
Not any special sudo permissions required. 

Additional info:

These preflight tests were introduced on solve this issue[1] and only landed on Satellite 6.12. Customers that have restrictions on commands that rex users can run with sudo will hit it when they'll get to 6.12.


[1]: https://projects.theforeman.org/issues/34363

Comment 1 Adam Ruzicka 2023-07-17 08:46:57 UTC

Any suggestions how to pull this off without losing the fix for https://projects.theforeman.org/issues/34363 ?

Comment 2 Joniel Pasqualetto 2023-07-18 13:02:28 UTC

Deal with the "test" and ¨effective-user-test" scripts the same way we deal with the actual REX script.

Put the commands you want to run (on this case, just "true") inside them and use the script-wrapper to run it. 

This way, we'll simulate exactly (except for the content of the script) what the REX will be doing.

Comment 3 Adam Ruzicka 2023-08-07 15:16:17 UTC

Created redmine issue https://projects.theforeman.org/issues/36647 from this bug

Comment 4 Brad Buckingham 2023-10-30 11:29:29 UTC

Bulk setting Target Milestone = 6.15.0 where sat-6.15.0+ is set.

Comment 5 Bryan Kearney 2023-11-10 20:02:31 UTC

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/36647 has been resolved.

Comment 6 Lukáš Hellebrandt 2023-12-11 12:52:35 UTC

Verified with Sat 6.15 snap 1.0

1)
On the host:
# useradd SATUSER
# passwd SATUSER
# visudo
# grep SATCMNDS /etc/sudoers 
Cmnd_Alias      SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ *,!/var/tmp/foreman-ssh-cmd-*..*
SATUSER         ALL=NOPASSWD:SATCMNDS

2)
In WebUI:
Administer -> Settings
Search for "remote_execution_ssh_user"
Set it to SATUSER

3)
Run the REX job against the host:
Template: Script default
Command: echo $(whoami),$(date) >> /tmp/test
Effective user: root

4)
# cat /tmp/test
root,Mon Dec 11 07:45:04 EST 2023

5)
On Satellite, empty output:
# grep "command not allowed" /var/log/foreman/production.log


QED

6)
To verify that the user was indeed used:
# userdel SATUSER

7)
Do 3) again, the job should fail:
```
Error initializing command: RuntimeError - Could not establish connection to remote host using any available authentication method, tried publickey
Exit status: EXCEPTION
StandardError: Job execution failed

```

Comment 9 errata-xmlrpc 2024-04-23 17:11:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.15.0 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:2010

Comment 12 Ian Ballou 2024-05-15 19:08:00 UTC

Created attachment 2033427 [details]
Hotfix RPM for Satellite 6.13.7

A hotfix RPM is available for this BZ for Satellite 6.13.7 on RHEL 8

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.13.7 server

2. Download the hotfix RPM from this attachment

3. # dnf install ./rubygem-smart_proxy_remote_execution_ssh-0.10.3-1.HOTFIXRHBZ2222816.el8sat.noarch.rpm --disableplugin=foreman-protector

4. # satellite-maintain service restart

Comment 13 Ian Ballou 2024-05-15 19:27:13 UTC

Created attachment 2033428 [details]
Hotfix RPM for Satellite 6.14.4

A hotfix RPM is available for this BZ for Satellite 6.14.4 on RHEL 8

This hotfix RPM is the same as for Satellite 6.13.7

INSTALL INSTRUCTIONS:

1. Take a complete backup or snapshot of Satellite 6.14.4 server

2. Download the hotfix RPM from this attachment

3. # dnf install ./rubygem-smart_proxy_remote_execution_ssh-0.10.3-1.HOTFIXRHBZ2222816.el8sat.noarch.rpm --disableplugin=foreman-protector

4. # satellite-maintain service restart

Comment 14 Sudhir Mallamprabhakara 2024-05-16 14:58:44 UTC

Jayant,

Can you check with the customer if the provided hotfix helped?

-Sudhir

Note You need to log in before you can comment on or make changes to this bug.