Bug 484717 - /usr/bin/rhn-ssl-dbstore not needed in /etc/sudoers
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
All Linux
low Severity medium
Assigned To: Jan Pazdziora
wes hayutin
Blocks: 457079
Reported: 2009-02-09 11:39 EST by Jan Pazdziora
Modified: 2009-09-10 15:11 EDT (History)
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 15:11:49 EDT
Description Jan Pazdziora 2009-02-09 11:39:50 EST
Description of problem:

The default installation of Satellite 5.3.0 adds /usr/bin/rhn-ssl-dbstore to alias INSTALL_RHN in /etc/sudoers.

I've grepped the Spacewalk source and /usr/bin/rhn-ssl-dbstore appears to be called in two places -- in spacewalk/setup/bin/spacewalk-setup, and in web/modules/rhn/RHN/SatInstall.pm. spacewalk-setup is run by root, so no sudo is needed (or called) there. RHN::SatInstall calls:

sub store_ssl_cert {
  my $class = shift;
  # validate(), throw and DEFAULT_CA_CERT_NAME are provided by the surrounding
  # RHN::SatInstall module (not shown in this excerpt).
  my %params = validate(@_, { ssl_dir => 1,
                              ca_cert => { default => DEFAULT_CA_CERT_NAME },
                            });

  my $cert_path = File::Spec->catfile($params{ssl_dir}, $params{ca_cert});
  my @opts = ("--ca-cert=${cert_path}");

  # List-form system() runs the helper through sudo without involving a shell.
  my $ret = system('/usr/bin/sudo', '/usr/bin/rhn-ssl-dbstore', @opts);

  # Exit codes mapped to error messages.
  my %retcodes = (
                  10 => 'CA certificate not found',
                  11 => 'DB initialization failure',
                  12 => 'No Organization ID',
                  13 => 'Could not insert the certificate',
                 );

  if ($ret) {
    my $exit_code = $? >> 8;

    throw "(satinstall:ssl_cert_import_failed) $retcodes{$exit_code}" if exists $retcodes{$exit_code};

    throw "There was a problem validating the satellite certificate: $exit_code";
  }
}

But the function store_ssl_cert is not used in the whole Spacewalk codebase except that bin/spacewalk-setup, and that script defines its own function. Therefore I assume it is dead code which can be removed, and so can /usr/bin/rhn-ssl-dbstore from /etc/sudoers.

Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install Satellite 5.3.0.
2. Look into /etc/sudoers.

Actual results:

/usr/bin/rhn-ssl-dbstore is there.

Expected results:

/usr/bin/rhn-ssl-dbstore is not there and Satellite continues to work OK.

Additional info:

This bug was modeled based on bug 484705.
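
The check described in this report (a command stays in a sudoers alias only if code that is still referenced runs it through sudo), as an added example that is not part of the original report or of the Spacewalk code base. The sample sudoers line and file contents are constructed, `/usr/bin/example-tool`, `run_tool` and `RHN/Example.pm` are hypothetical, and the reachability test is a line-based heuristic for Perl sources.

```python
import re
from pathlib import Path

# Constructed sample input, not copied from a real Satellite host or source tree.
# /usr/bin/example-tool, run_tool and RHN/Example.pm are hypothetical.
SAMPLE_SUDOERS = "Cmnd_Alias INSTALL_RHN = /usr/bin/rhn-ssl-dbstore, \\\n    /usr/bin/example-tool\n"
SAMPLE_FILES = {
    "RHN/SatInstall.pm": "sub store_ssl_cert {\n  system('/usr/bin/sudo', '/usr/bin/rhn-ssl-dbstore', @opts);\n}\n",
    "bin/spacewalk-setup": "sub store_ssl_cert {\n  system('/usr/bin/rhn-ssl-dbstore', @opts);\n}\nstore_ssl_cert();\n",
    "RHN/Example.pm": "sub run_tool {\n  system('/usr/bin/sudo', '/usr/bin/example-tool');\n}\nrun_tool();\n",
}

def load_tree(root):
    """Read every file under root into {path: text} for use as `files`."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*") if p.is_file()}

def alias_commands(sudoers, alias):
    """Executable paths listed in `Cmnd_Alias <alias> = ...` (arguments dropped)."""
    joined = re.sub(r"\\\n\s*", " ", sudoers)  # join backslash-continued lines
    m = re.search(r"^\s*Cmnd_Alias\s+%s\s*=\s*(.+)$" % re.escape(alias), joined, re.M)
    return [c.split()[0] for c in m.group(1).split(",") if c.strip()] if m else []

def _referenced(files, name, home):
    """True if sub `name` defined in file `home` is mentioned outside a `sub NAME` line."""
    define = re.compile(r"^\s*sub\s+%s\b" % re.escape(name), re.M)
    for path, text in files.items():
        if path != home and define.search(text):
            continue  # this file defines its own sub NAME, so calls here stay local
        for line in text.splitlines():
            if re.search(r"\b%s\b" % re.escape(name), line) and not define.match(line):
                return True
    return False

def live_sudo_callers(files, command):
    """(file, sub) pairs that run `command` through sudo from code still referenced."""
    # Heuristic: the enclosing sub is the most recent `sub NAME` line, and any other
    # mention of NAME (even in a comment) counts as a use, which errs toward keeping.
    live = []
    for path, text in files.items():
        sub = None
        for line in text.splitlines():
            d = re.match(r"\s*sub\s+(\w+)", line)
            sub = d.group(1) if d else sub
            if "sudo" in line and command in line and (sub is None or _referenced(files, sub, path)):
                live.append((path, sub))
    return live

def removal_candidates(sudoers, alias, files):
    """Commands in the alias that no referenced code runs through sudo."""
    return [c for c in alias_commands(sudoers, alias) if not live_sudo_callers(files, c)]
```

On a real host, pass the contents of /etc/sudoers and `load_tree()` of the source checkout; each candidate still needs a manual read of the call sites before the sudoers entry is dropped.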
Comment 1 Jan Pazdziora 2009-02-11 02:26:04 EST
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.
Comment 2 Jan Pazdziora 2009-02-17 05:23:09 EST
Committed to Spacewalk repo, 647cc1291f3229d32f942de09b3941b95f7c7730 and 1acf1f74c91ded06629bdcc8b31ab4ea7f0fc87a.
Comment 3 Jan Pazdziora 2009-02-24 07:30:58 EST
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
Comment 4 wes hayutin 2009-02-25 16:17:16 EST
[root@grandprix ~]# cat /etc/sudoers | grep rhn-ssl-dbstore
[root@grandprix ~]#
Comment 5 Miroslav Suchý 2009-08-26 05:22:19 EDT
[root@xen5 ~]# grep rhn-ssl-dbstore /etc/sudoers
[root@xen5 ~]#
satellite works fine

verified in stage on xen5
Comment 6 Brandon Perkins 2009-09-10 15:11:49 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

