Bug 484717 - /usr/bin/rhn-ssl-dbstore not needed in /etc/sudoers
/usr/bin/rhn-ssl-dbstore not needed in /etc/sudoers
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
wes hayutin
:
Depends On:
Blocks: 457079
  Show dependency treegraph
 
Reported: 2009-02-09 11:39 EST by Jan Pazdziora
Modified: 2009-09-10 15:11 EDT (History)
1 user (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 15:11:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Pazdziora 2009-02-09 11:39:50 EST
Description of problem:

The default installation of Satellite 5.3.0 adds /usr/bin/rhn-ssl-dbstore to alias INSTALL_RHN in /etc/sudoers.

I've grepped Spacewalk source and /usr/bin/rhn-ssl-dbstore appears to be called in two places -- in spacewalk/setup/bin/spacewalk-setup, and in web/modules/rhn/RHN/SatInstall.pm. That spacewalk-setup is being used by root, so no sudo is needed (and called) there. That RHN::SatInstall calls

sub store_ssl_cert {
  my $class = shift;
  my %params = validate(@_, { ssl_dir => 1,
                              ca_cert => { default => DEFAULT_CA_CERT_NAME },
                            });


  my $cert_path = File::Spec->catfile($params{ssl_dir}, $params{ca_cert});
  my @opts = ("--ca-cert=${cert_path}");

  my $ret = system('/usr/bin/sudo', '/usr/bin/rhn-ssl-dbstore', @opts);

  my %retcodes = (
                  10 => 'CA certificate not found',
                  11 => 'DB initialization failure',
                  12 => 'No Organization ID',
                  13 => 'Could not insert the certificate',
                 );

  if ($ret) {
    my $exit_code = $? >> 8;

    throw "(satinstall:ssl_cert_import_failed) $retcodes{$exit_code}" if exists $retcodes{$exit_code};

    throw "There was a problem validating the satellite certificate: $exit_code";
  }

  return;
}

But the function store_ssl_cert is not used in the whole Spacewalk codebase except that bin/spacewalk-setup, and that script defines its own function. Therefore I assume it is dead code which can be removed, and so can /usr/bin/rhn-ssl-dbstore from /etc/sudoers.

Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment.

Version-Release number of selected component (if applicable):

Satellite-5.3.0-RHEL5-re20090206.1

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install Satellite 5.3.0.
2. Look into /etc/sudoers.
  
Actual results:

/usr/bin/rhn-ssl-dbstore is there.

Expected results:

/usr/bin/rhn-ssl-dbstore is not there and Satellite continues to work OK.

Additional info:

This bug was modeled based on bug 484705.
Comment 1 Jan Pazdziora 2009-02-11 02:26:04 EST
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.
Comment 2 Jan Pazdziora 2009-02-17 05:23:09 EST
Committed to Spacewalk repo, 647cc1291f3229d32f942de09b3941b95f7c7730 and 1acf1f74c91ded06629bdcc8b31ab4ea7f0fc87a.
Comment 3 Jan Pazdziora 2009-02-24 07:30:58 EST
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
Comment 4 wes hayutin 2009-02-25 16:17:16 EST
[root@grandprix ~]# cat /etc/sudoers | grep rhn-ssl-dbstore
[root@grandprix ~]#
Comment 5 Miroslav Suchý 2009-08-26 05:22:19 EDT
[root@xen5 ~]# grep rhn-ssl-dbstore /etc/sudoers
[root@xen5 ~]#
satellite works fine

verified in stage on xen5
Comment 6 Brandon Perkins 2009-09-10 15:11:49 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

Note You need to log in before you can comment on or make changes to this bug.