Description of problem:

The /etc/sudoers has the following content:

## RHN specifics ##
Cmnd_Alias INSTALL_RHN = /sbin/service rhn-satellite restart,\
    /sbin/rhn-sat-restart-silent,\
    /usr/bin/rhn-config-tnsnames.pl,\
    /usr/bin/rhn-config-schema.pl,\
    /usr/bin/rhn-populate-database.pl,\
    /usr/bin/rhn-install-ssl-cert.pl,\
    /usr/bin/rhn-deploy-ca-cert.pl,\
    /usr/bin/rhn-generate-pem.pl,\
    /usr/bin/satcon-build-dictionary.pl,\
    /usr/bin/satcon-deploy-tree.pl,\
    /usr/bin/rhn-config-satellite.pl,\
    /usr/bin/rhn-satellite-activate,\
    /usr/bin/satellite-sync,\
    /usr/bin/rhn-ssl-tool,\
    /usr/bin/rhn-ssl-dbstore,\
    /usr/bin/rhn-bootstrap,\
    /usr/sbin/rhnreg_ks,\
    /etc/rc.d/np.d/step Monitoring install,\
    /etc/rc.d/np.d/step MonitoringScout install,\
    /bin/ln -s /opt/notification/cron/notification /etc/cron.d/notification

Cmnd_Alias CONFIG_RHN = /sbin/service rhn-satellite restart,\
    /sbin/service Monitoring restart,\
    /sbin/service MonitoringScout restart,\
    /sbin/service taskomatic restart,\
    /usr/bin/satcon-deploy-tree.pl,\
    /usr/bin/rhn-config-satellite.pl,\
    /etc/rc.d/np.d/step Monitoring install,\
    /etc/rc.d/np.d/step MonitoringScout install,\
    /etc/rc.d/np.d/step Monitoring uninstall,\
    /etc/rc.d/np.d/step MonitoringScout uninstall,\
    /bin/ln -s /opt/notification/cron/notification /etc/cron.d/notification,\
    /bin/rm /etc/cron.d/notification,\
    /usr/bin/rhn-load-ssl-cert.pl

# The INSTALL_RHN commands are required for RHN Satellite
# installation. They can be disabled post-install.
apache ALL=(root) NOPASSWD: INSTALL_RHN
tomcat ALL=(root) NOPASSWD: INSTALL_RHN

# The CONFIG_RHN commands are required for reconfiguration of a
# running RHN Satellite. They should be enabled for proper operation
# of the RHN Satellite.
apache ALL=(root) NOPASSWD: CONFIG_RHN
tomcat ALL=(root) NOPASSWD: CONFIG_RHN

# These two directives allow tomcat and apache to invoke CONFIG_RHN
# and INSTALL_RHN commands via sudo even without a real tty
Defaults:tomcat !requiretty
Defaults:apache !requiretty

So I followed the INSTALL_RHN documentation and commented the INSTALL_RHN lines out using visudo:

### apache ALL=(root) NOPASSWD: INSTALL_RHN
### tomcat ALL=(root) NOPASSWD: INSTALL_RHN

Then I went to https://vmware135.englab.brq.redhat.com/rhn/admin/config/Restart.do and hit Restart. The restart did not finish.

Version-Release number of selected component (if applicable):
Spacewalk 0.3.

How reproducible:
Deterministic.

Steps to Reproduce:
1. Comment out the INSTALL_RHN lines in sudoers, try to restart Spacewalk from WebUI.

Actual results:
It will not restart.

Expected results:
It should restart.

Additional info:

root 20594 0.0 0.2 5968 1464 ? S 16:58 0:00 /usr/bin/sudo /sbin/rhn-sat-restart-silent

# strace -p 20594
Process 20594 attached - interrupt to quit
read(0, 0xbf9d14ef, 1) = ? ERESTARTSYS (To be restarted)
--- SIGALRM (Alarm clock) @ 0 (0) ---
sigreturn() = ? (mask now [QUIT])
alarm(0) = 0
write(2, "\n", 1) = 1
[...]

If rhn-sat-restart-silent is not permitted in sudoers, it will wait for a password on stdin or something.
I also notice that both INSTALL_RHN and CONFIG_RHN aliases have /sbin/service rhn-satellite restart in them even if

# ls -la /etc/init.d/rhn-satellite
ls: /etc/init.d/rhn-satellite: No such file or directory

I'm also not sure if other records in sudoers (monitoring-related, for example) are still needed.
Why would you expect it to restart if you comment out INSTALL_RHN? It is INSTALL_RHN that defines /sbin/rhn-sat-restart-silent which presumably is needed to restart the satellite. Why are you commenting out INSTALL_RHN?
Because the information in /etc/sudoers right above the INSTALL_RHN alias says

# The INSTALL_RHN commands are required for RHN Satellite
# installation. They can be disabled post-install.

So that's what I did -- I disabled it post-install because the documentation said it is possible to do so. It is exactly my point, that /sbin/rhn-sat-restart-silent needs to be in CONFIG_RHN, and probably does not need to be in INSTALL_RHN at all because the installer is run as root.
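An added example, not part of the original thread or of the Spacewalk code: before commenting out the rules for one alias, list the commands each user would lose because no remaining alias grants them. The sample policy is a constructed, trimmed version of the aliases quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed version of the two aliases quoted in the report.
SUDOERS = r"""
Cmnd_Alias INSTALL_RHN = /sbin/service rhn-satellite restart,\
    /sbin/rhn-sat-restart-silent,\
    /usr/bin/rhn-config-satellite.pl,\
    /usr/bin/rhn-bootstrap
Cmnd_Alias CONFIG_RHN = /sbin/service rhn-satellite restart,\
    /sbin/service taskomatic restart,\
    /usr/bin/rhn-config-satellite.pl
apache ALL=(root) NOPASSWD: INSTALL_RHN
### tomcat ALL=(root) NOPASSWD: INSTALL_RHN
apache ALL=(root) NOPASSWD: CONFIG_RHN
tomcat ALL=(root) NOPASSWD: CONFIG_RHN
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def parse(text):
    """Return (alias -> commands, user -> aliases). Assumes the rule form used
    in this file only, with no escaped commas inside commands."""
    aliases, grants = {}, {}
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {c.strip() for c in m.group(2).split(",")}
            continue
        m = re.match(r"(\w+)\s+ALL=\(root\)\s+NOPASSWD:\s*(\w+)$", line)
        if m:
            grants.setdefault(m.group(1), set()).add(m.group(2))
    return aliases, grants

def lost_if_disabled(text, alias):
    """Commands each user loses once every rule for `alias` is commented out."""
    aliases, grants = parse(text)
    lost = {}
    for user, names in grants.items():
        if alias in names:
            kept = set().union(*(aliases[n] for n in names if n != alias))
            lost[user] = sorted(aliases[alias] - kept)
    return lost

if __name__ == "__main__":
    print(lost_if_disabled(SUDOERS, "INSTALL_RHN"))
```

On a live host, `sudo -l -U apache` shows what the active policy grants that user, and a service that calls `sudo -n` fails immediately instead of blocking on a password prompt when a command is not permitted.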
Moving this to space05.
The proposed change is to remove the INSTALL_RHN section and merge whatever needs to be there to CONFIG_RHN. The proposed sudoers.rhn is below. I've tested that with this, the Satellite/Spacewalk works and runs external commands fine.

## RHN specifics ##
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
    /usr/bin/rhn-config-satellite.pl,\
    /usr/bin/rhn-satellite-activate,\
    /usr/bin/rhn-bootstrap,\
    /usr/bin/rhn-ssl-tool,\
    /usr/bin/rhn-ssl-dbstore,\
    /usr/bin/rhn-load-ssl-cert.pl,\
    /etc/rc.d/np.d/step Monitoring install,\
    /etc/rc.d/np.d/step MonitoringScout install,\
    /etc/rc.d/np.d/step Monitoring uninstall,\
    /etc/rc.d/np.d/step MonitoringScout uninstall,\
    /sbin/service Monitoring restart,\
    /sbin/service MonitoringScout restart,\
    /sbin/service taskomatic restart

# The CONFIG_RHN commands are required for reconfiguration of a
# running RHN Satellite. They should be enabled for proper operation
# of the RHN Satellite.
apache ALL=(root) NOPASSWD: CONFIG_RHN
tomcat ALL=(root) NOPASSWD: CONFIG_RHN

# These two directives allow tomcat and apache to invoke CONFIG_RHN
# commands via sudo even without a real tty
Defaults:tomcat !requiretty
Defaults:apache !requiretty
Reassigning to myself as the other bugzillas that deal with sudoers(.rhn) are now on my plate.
Committed to Spacewalk repo, b7754ad62b51cd687f8ba347ec1f32eceecd67c6. We still need to do similar changes in the installer.
Typo fix 973fa63e13c69ff4b8f24a1494a173fde7e98021. And spacewalk-setup changes that should also support upgrades properly in 300214e36b078fd5efdc7a7cbec0b06ba4612ccd.
The changes made it to Spacewalk 0.5. Resetting blocker to space05, and moving ON_QA.
Spacewalk 0.5 released.
Spacewalk 0.5 was released a long time ago.