Description of problem: The default installation of Satellite 5.3.0 adds /usr/bin/satcon-deploy-tree.pl to alias INSTALL_RHN in /etc/sudoers. I've grepped Spacewalk source and satcon-deploy-tree.pl appears to be called in two places -- in spacewalk/setup/bin/spacewalk-setup, and in web/modules/rhn/RHN/SatInstall.pm. That spacewalk-setup is being used by root, so no sudo is needed (and called) there. That RHN::SatInstall calls sub satcon_deploy { my $class = shift; my %params = validate(@_, { conf_file => { default => DEFAULT_SATCON_DICT }, tree => { default => DEFAULT_RHN_SATCON_TREE }, dest => { default => '/etc' }, }); my @opts = ("--source=" . $params{tree}, "--dest=" . $params{dest}, "--conf=" . $params{conf_file}); my $ret = system("/usr/bin/sudo", "/usr/bin/satcon-deploy-tree.pl", @opts); if ($ret) { throw 'There was a problem deploying the satellite configuration. ' . 'See the webserver error log for details.'; } return; } But the function satcon_deploy is not used in the whole Spacewalk codebase except that bin/spacewalk-setup, and that script defines its own function. Therefore I assume it is dead code which can be removed, and so can /usr/bin/satcon-deploy-tree.pl from /etc/sudoers. Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment. Version-Release number of selected component (if applicable): Satellite-5.3.0-RHEL5-re20090206.1 How reproducible: Deterministic. Steps to Reproduce: 1. Install Satellite 5.3.0. 2. Look into /etc/sudoers. Actual results: /usr/bin/satcon-deploy-tree.pl is there. Expected results: /usr/bin/satcon-deploy-tree.pl is not there and Satellite continues to work OK. Additional info: This bug was modeled based on bug 484703.
The proposed change is to remove the INSTALL_RHN section and merge whatever needs to be there to CONFIG_RHN. The proposed sudoers.rhn is below. I've tested that with this, the Satellite/Spacewalk works and runs external commands fine. ## RHN specifics ## Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\ /usr/bin/rhn-config-satellite.pl,\ /usr/bin/rhn-satellite-activate,\ /usr/bin/rhn-bootstrap,\ /usr/bin/rhn-ssl-tool,\ /usr/bin/rhn-ssl-dbstore,\ /usr/bin/rhn-load-ssl-cert.pl,\ /etc/rc.d/np.d/step Monitoring install,\ /etc/rc.d/np.d/step MonitoringScout install,\ /etc/rc.d/np.d/step Monitoring uninstall,\ /etc/rc.d/np.d/step MonitoringScout uninstall,\ /sbin/service Monitoring restart,\ /sbin/service MonitoringScout restart,\ /sbin/service taskomatic restart # The CONFIG_RHN commands are required for reconfiguration of a # running RHN Satellite. They should be enabled for proper operation # of the RHN Satellite. apache ALL=(root) NOPASSWD: CONFIG_RHN tomcat ALL=(root) NOPASSWD: CONFIG_RHN # These two directives allow tomcat and apache to invoke CONFIG_RHN # commands via sudo even without a real tty Defaults:tomcat !requiretty Defaults:apache !requiretty
This is a throw back from the old Installer - where we had command line install laid down packages. The WebUI then went through configuration/installation of Satellite to get it running, with many many steps, unlike the new WebUI portion that just asks for Username/password to be created for Sat Admin account. Also - the sat-conf deploy was used when within UI under Satellite Tools you wanted to edit the config option. We edited the file in prep and then redeployed the rhn.conf file with new values. Within Sat 5.x time frame Mike McCune changed this so that the WebUI Satellite Tools > Confiuration screens edited the rhn.conf file directly. we only used the tree stuff for initial deployments. This should be safe to delete from sudoers now. Cliff.
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.
The previous comment should have been "are *now*".
Committed to Spacewalk repo, 1dcd8b39e345d331e005d3aa15b42f71599e2595 and 2d680d9b12843b624c6fedfc70a366023a8911bd.
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
[root@grandprix ~]# cat /etc/sudoers | grep /usr/bin/satcon-deploy-tree.pl [root@grandprix ~]# Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso verified
[root@xen5 ~]# grep satcon-deploy-tree /etc/sudoers [root@xen5 ~]# Satellite works fine. Verified in stage on xen5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1434.html