Red Hat Bugzilla – Bug 484717
/usr/bin/rhn-ssl-dbstore not needed in /etc/sudoers
Last modified: 2009-09-10 15:11:49 EDT
Description of problem: The default installation of Satellite 5.3.0 adds /usr/bin/rhn-ssl-dbstore to alias INSTALL_RHN in /etc/sudoers. I've grepped Spacewalk source and /usr/bin/rhn-ssl-dbstore appears to be called in two places -- in spacewalk/setup/bin/spacewalk-setup, and in web/modules/rhn/RHN/SatInstall.pm. That spacewalk-setup is being used by root, so no sudo is needed (and called) there. That RHN::SatInstall calls sub store_ssl_cert { my $class = shift; my %params = validate(@_, { ssl_dir => 1, ca_cert => { default => DEFAULT_CA_CERT_NAME }, }); my $cert_path = File::Spec->catfile($params{ssl_dir}, $params{ca_cert}); my @opts = ("--ca-cert=${cert_path}"); my $ret = system('/usr/bin/sudo', '/usr/bin/rhn-ssl-dbstore', @opts); my %retcodes = ( 10 => 'CA certificate not found', 11 => 'DB initialization failure', 12 => 'No Organization ID', 13 => 'Could not insert the certificate', ); if ($ret) { my $exit_code = $? >> 8; throw "(satinstall:ssl_cert_import_failed) $retcodes{$exit_code}" if exists $retcodes{$exit_code}; throw "There was a problem validating the satellite certificate: $exit_code"; } return; } But the function store_ssl_cert is not used in the whole Spacewalk codebase except that bin/spacewalk-setup, and that script defines its own function. Therefore I assume it is dead code which can be removed, and so can /usr/bin/rhn-ssl-dbstore from /etc/sudoers. Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment. Version-Release number of selected component (if applicable): Satellite-5.3.0-RHEL5-re20090206.1 How reproducible: Deterministic. Steps to Reproduce: 1. Install Satellite 5.3.0. 2. Look into /etc/sudoers. Actual results: /usr/bin/rhn-ssl-dbstore is there. Expected results: /usr/bin/rhn-ssl-dbstore is not there and Satellite continues to work OK. Additional info: This bug was modeled based on bug 484705.
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.
Committed to Spacewalk repo, 647cc1291f3229d32f942de09b3941b95f7c7730 and 1acf1f74c91ded06629bdcc8b31ab4ea7f0fc87a.
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
[root@grandprix ~]# cat /etc/sudoers | grep rhn-ssl-dbstore [root@grandprix ~]#
[root@xen5 ~]# grep rhn-ssl-dbstore /etc/sudoers [root@xen5 ~]# satellite works fine verified in stage on xen5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1434.html