Bug 484717 - /usr/bin/rhn-ssl-dbstore not needed in /etc/sudoers
Summary: /usr/bin/rhn-ssl-dbstore not needed in /etc/sudoers
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora (Red Hat)
QA Contact: wes hayutin
URL:
Whiteboard:
Depends On:
Blocks: 457079
TreeView+ depends on / blocked
 
Reported: 2009-02-09 16:39 UTC by Jan Pazdziora (Red Hat)
Modified: 2009-09-10 19:11 UTC (History)
1 user (show)

Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-10 19:11:49 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Jan Pazdziora (Red Hat) 2009-02-09 16:39:50 UTC
Description of problem:

The default installation of Satellite 5.3.0 adds /usr/bin/rhn-ssl-dbstore to alias INSTALL_RHN in /etc/sudoers.

I've grepped Spacewalk source and /usr/bin/rhn-ssl-dbstore appears to be called in two places -- in spacewalk/setup/bin/spacewalk-setup, and in web/modules/rhn/RHN/SatInstall.pm. That spacewalk-setup is being used by root, so no sudo is needed (and called) there. That RHN::SatInstall calls

sub store_ssl_cert {
  my $class = shift;
  my %params = validate(@_, { ssl_dir => 1,
                              ca_cert => { default => DEFAULT_CA_CERT_NAME },
                            });


  my $cert_path = File::Spec->catfile($params{ssl_dir}, $params{ca_cert});
  my @opts = ("--ca-cert=${cert_path}");

  my $ret = system('/usr/bin/sudo', '/usr/bin/rhn-ssl-dbstore', @opts);

  my %retcodes = (
                  10 => 'CA certificate not found',
                  11 => 'DB initialization failure',
                  12 => 'No Organization ID',
                  13 => 'Could not insert the certificate',
                 );

  if ($ret) {
    my $exit_code = $? >> 8;

    throw "(satinstall:ssl_cert_import_failed) $retcodes{$exit_code}" if exists $retcodes{$exit_code};

    throw "There was a problem validating the satellite certificate: $exit_code";
  }

  return;
}

But the function store_ssl_cert is not used in the whole Spacewalk codebase except that bin/spacewalk-setup, and that script defines its own function. Therefore I assume it is dead code which can be removed, and so can /usr/bin/rhn-ssl-dbstore from /etc/sudoers.

Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment.

Version-Release number of selected component (if applicable):

Satellite-5.3.0-RHEL5-re20090206.1

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install Satellite 5.3.0.
2. Look into /etc/sudoers.
  
Actual results:

/usr/bin/rhn-ssl-dbstore is there.

Expected results:

/usr/bin/rhn-ssl-dbstore is not there and Satellite continues to work OK.

Additional info:

This bug was modeled based on bug 484705.

Comment 1 Jan Pazdziora (Red Hat) 2009-02-11 07:26:04 UTC
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.

Comment 2 Jan Pazdziora (Red Hat) 2009-02-17 10:23:09 UTC
Committed to Spacewalk repo, 647cc1291f3229d32f942de09b3941b95f7c7730 and 1acf1f74c91ded06629bdcc8b31ab4ea7f0fc87a.

Comment 3 Jan Pazdziora (Red Hat) 2009-02-24 12:30:58 UTC
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.

Comment 4 wes hayutin 2009-02-25 21:17:16 UTC
[root@grandprix ~]# cat /etc/sudoers | grep rhn-ssl-dbstore
[root@grandprix ~]#

Comment 5 Miroslav Suchý 2009-08-26 09:22:19 UTC
[root@xen5 ~]# grep rhn-ssl-dbstore /etc/sudoers
[root@xen5 ~]#
satellite works fine

verified in stage on xen5

Comment 6 Brandon Perkins 2009-09-10 19:11:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html


Note You need to log in before you can comment on or make changes to this bug.