Red Hat Bugzilla – Bug 484713
/usr/sbin/rhn-satellite restart not needed in /etc/sudoers
Last modified: 2009-09-10 15:11:48 EDT
Description of problem:
The default installation of Satellite 5.3.0 adds /usr/sbin/rhn-satellite restart to alias INSTALL_RHN in /etc/sudoers.
I've grepped Spacewalk source and /usr/sbin/rhn-satellite appears to be called in three places -- in spacewalk/setup/bin/spacewalk-setup, in spacewalk/setup/lib/Spacewalk/Setup.pm, and in spacewalk/admin/rhn-sat-restart-silent. That spacewalk-setup is being used by root, so no sudo is needed (and called) there. The same for Spacewalk::Setup. The spacewalk/admin/rhn-sat-restart-silent is in sudoers already by itself.
Therefore I assume /usr/sbin/rhn-satellite restart can be removed from /etc/sudoers.
Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install Satellite 5.3.0.
2. Look into /etc/sudoers.
/usr/sbin/rhn-satellite restart is there.
/usr/sbin/rhn-satellite restart is not there and Satellite continues to work OK.
This bug was modeled based on bug 484705.
The proposed change is to remove the INSTALL_RHN section and merge whatever needs to be there to CONFIG_RHN. The proposed sudoers.rhn is below. I've tested that with this, the Satellite/Spacewalk works and runs external commands fine.
## RHN specifics ##
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
/etc/rc.d/np.d/step Monitoring install,\
/etc/rc.d/np.d/step MonitoringScout install,\
/etc/rc.d/np.d/step Monitoring uninstall,\
/etc/rc.d/np.d/step MonitoringScout uninstall,\
/sbin/service Monitoring restart,\
/sbin/service MonitoringScout restart,\
/sbin/service taskomatic restart
# The CONFIG_RHN commands are required for reconfiguration of a
# running RHN Satellite. They should be enabled for proper operation
# of the RHN Satellite.
apache ALL=(root) NOPASSWD: CONFIG_RHN
tomcat ALL=(root) NOPASSWD: CONFIG_RHN
# These two directives allow tomcat and apache to invoke CONFIG_RHN
# commands via sudo even without a real tty
Agreed. The only thing we should be calling from the application is /usr/sbin/rhn-sat-restart-silent. But we need to make sure Satellite Restart from the WebUI works.
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.
The previous comment should have been "are *now*".
I will take this BZ:
I changed the calling from
so I'm pretty sure we can safely remove it.
Mass moving ON_QA
items removed from /etc/sudoers
sat restart from webui works..
[root@grandprix ~]# cat /etc/sudoers | grep "satellite restart"
[root@grandprix ~]# cat /etc/sudoers | grep "satellite"
[root@sun-x4200-01 ~]# cat /etc/sudoers | grep "satellite restart"
[root@sun-x4200-01 ~]# cat /etc/sudoers | grep "satellite"
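An added example, not part of the bug report or of Satellite/Spacewalk code: instead of grepping for one string, this script expands the Cmnd_Alias entries (including backslash continuations) and reports any root command granted to apache or tomcat that is not in the proposed CONFIG_RHN list. The function names and the "before" fragment are constructed for illustration, and the parser assumes only the simple syntax shown in this report (no escaped commas, User_Alias or include files).

```python
import re
# Constructed input: the CONFIG_RHN fragment proposed in this bug report.
PROPOSED = r"""
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
/etc/rc.d/np.d/step Monitoring install,\
/etc/rc.d/np.d/step MonitoringScout install,\
/etc/rc.d/np.d/step Monitoring uninstall,\
/etc/rc.d/np.d/step MonitoringScout uninstall,\
/sbin/service Monitoring restart,\
/sbin/service MonitoringScout restart,\
/sbin/service taskomatic restart
apache ALL=(root) NOPASSWD: CONFIG_RHN
tomcat ALL=(root) NOPASSWD: CONFIG_RHN
"""
# Constructed "before" state: the INSTALL_RHN entry the report asks to remove.
OLD = PROPOSED + ("Cmnd_Alias INSTALL_RHN = /usr/sbin/rhn-satellite restart\n"
                  "apache ALL=(root) NOPASSWD: INSTALL_RHN\n")
# Allowlist: exactly the eight commands in the proposed CONFIG_RHN alias.
ALLOWED = {"/usr/sbin/rhn-sat-restart-silent", "/sbin/service taskomatic restart"}
for svc in ("Monitoring", "MonitoringScout"):
    ALLOWED |= {f"/etc/rc.d/np.d/step {svc} install",
                f"/etc/rc.d/np.d/step {svc} uninstall", f"/sbin/service {svc} restart"}

def logical_lines(text):
    # Join backslash continuations, then drop blank and comment lines.
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.strip()

def granted_commands(text, users=("apache", "tomcat")):
    # Expand each user's NOPASSWD rule through any Cmnd_Alias it names.
    aliases, grants, lines = {}, {u: set() for u in users}, list(logical_lines(text))
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for line in lines:
        m = re.match(r"(\w+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)", line)
        if m and m.group(1) in grants:
            for item in m.group(2).split(","):
                grants[m.group(1)].update(aliases.get(item.strip(), [item.strip()]))
    return grants

def unexpected(text, allowed=ALLOWED):
    # Commands a user may run as root that are not on the allowlist.
    return {u: sorted(c - allowed) for u, c in granted_commands(text).items() if c - allowed}

if __name__ == "__main__":
    print(unexpected(PROPOSED), unexpected(OLD))
```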
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.