Bug 484709 - /usr/bin/satellite-sync not needed in /etc/sudoers
/usr/bin/satellite-sync not needed in /etc/sudoers
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
wes hayutin
:
Depends On:
Blocks: 457079
  Show dependency treegraph
 
Reported: 2009-02-09 11:26 EST by Jan Pazdziora
Modified: 2009-09-10 15:11 EDT (History)
2 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 15:11:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Pazdziora 2009-02-09 11:26:02 EST
Description of problem:

The default installation of Satellite 5.3.0 adds /usr/bin/satellite-sync to alias INSTALL_RHN in /etc/sudoers.

I've grepped Spacewalk source and /usr/bin/satellite-sync appears to be called in two places -- in backend/satellite_tools/rhn_satellite_activate.py, and in web/modules/rhn/RHN/SatInstall.pm. That rhn_satellite_activate.py is being used by root, so no sudo is needed (and called) there. That RHN::SatInstall calls

sub sat_sync {
  my $class = shift;
  my %params = validate(@_, { ca_cert_file => 1,
                              dsn => 1,
                              step => 1,
                            });

  my %args = ('--step' => $params{step},
              '--db' => $params{dsn},
              '--ca-cert' => $params{ca_cert_file},
             );

  my $ret = system('/usr/bin/sudo', '/usr/bin/satellite-sync',
                   %args);

  if ($ret) {
    throw 'There was a problem running satellite-sync.  '
      . 'See the webserver error log for details.';
  }

  return $ret;
}

But the function sat_sync is not used in the whole Spacewalk codebase. Therefore I assume it is dead code which can be removed, and so can /usr/bin/satellite-sync from /etc/sudoers.

Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment.

Version-Release number of selected component (if applicable):

Satellite-5.3.0-RHEL5-re20090206.1

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install Satellite 5.3.0.
2. Look into /etc/sudoers.
  
Actual results:

/usr/bin/satellite-sync is there.

Expected results:

/usr/bin/satellite-sync is not there and Satellite continues to work OK.

Additional info:

This bug was modeled based on bug 484705.
Comment 1 Jan Pazdziora 2009-02-10 07:25:27 EST
The proposed change is to remove the INSTALL_RHN section and merge whatever needs to be there to CONFIG_RHN. The proposed sudoers.rhn is below. I've tested that with this, the Satellite/Spacewalk works and runs external commands fine.

## RHN specifics ##
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
                        /usr/bin/rhn-config-satellite.pl,\
                        /usr/bin/rhn-satellite-activate,\
                        /usr/bin/rhn-bootstrap,\
                        /usr/bin/rhn-ssl-tool,\
                        /usr/bin/rhn-ssl-dbstore,\
                        /usr/bin/rhn-load-ssl-cert.pl,\
                        /etc/rc.d/np.d/step Monitoring install,\
                        /etc/rc.d/np.d/step MonitoringScout install,\
                        /etc/rc.d/np.d/step Monitoring uninstall,\
                        /etc/rc.d/np.d/step MonitoringScout uninstall,\
                        /sbin/service Monitoring restart,\
                        /sbin/service MonitoringScout restart,\
                        /sbin/service taskomatic restart

# The CONFIG_RHN commands are required for reconfiguration of a
# running RHN Satellite.  They should be enabled for proper operation
# of the RHN Satellite.
apache  ALL=(root)      NOPASSWD: CONFIG_RHN
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN

# These two directives allow tomcat and apache to invoke CONFIG_RHN
# commands via sudo even without a real tty
Defaults:tomcat !requiretty
Defaults:apache !requiretty
Comment 2 Clifford Perry 2009-02-10 11:52:18 EST
This is a throw back from the old Installer - where we had command line install laid down packages. The WebUI then went through configuration/installation of Satellite to get it running, with many many steps, unlike the new WebUI portion that just asks for Username/password to be created for Sat Admin account. 

Cliff.
Comment 3 Jan Pazdziora 2009-02-11 02:26:02 EST
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.
Comment 4 Jan Pazdziora 2009-02-11 02:28:08 EST
The previous comment should have been "are *now*".
Comment 5 Jan Pazdziora 2009-02-17 05:22:14 EST
Committed to Spacewalk repo, 3e21ae53d5febf5a81ff80c3791a6c622d1b8e47 and 52a8d4246e6f022bdd35d5934d87d345ed022bef.
Comment 6 Jan Pazdziora 2009-02-24 07:30:56 EST
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
Comment 7 wes hayutin 2009-02-25 14:12:53 EST
[root@grandprix ~]# cat /etc/sudoers | grep  /usr/bin/satellite-sync
[root@grandprix ~]# 
Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso

verified
Comment 8 Miroslav Suchý 2009-08-25 11:33:19 EDT
[root@xen5 ~]# grep satellite-sync /etc/sudoers
[root@xen5 ~]#
satellite-sync works

verified in stage on xen5
Comment 9 Brandon Perkins 2009-09-10 15:11:46 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

Note You need to log in before you can comment on or make changes to this bug.