Description of problem: The default installation of Satellite 5.3.0 adds /bin/ln -s /opt/notification/cron/notification /etc/cron.d/notification to alias INSTALL_RHN in /etc/sudoers. I've grepped Spacewalk source and /bin/ln does not appear to be used anywhere. Moreover, /etc/cron.d/notification is a file, owned by NPalert: # rpm -qf /etc/cron.d/notification NPalert-1.126.1-1.el5sat # ls -dla /etc/cron.d/notification -rw-r--r-- 1 root root 136 Jan 16 12:37 /etc/cron.d/notification # Therefore I assume that /bin/ln thing can be removed from /etc/sudoers. Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment. Version-Release number of selected component (if applicable): Satellite-5.3.0-RHEL5-re20090206.1 How reproducible: Deterministic. Steps to Reproduce: 1. Install Satellite 5.3.0. 2. Look into /etc/sudoers. Actual results: /bin/ln is there. Expected results: /bin/ln is not there and Satellite continues to work OK. Additional info: This bug was modeled based on bug 484718.
While we're at it, that /bin/rm /etc/cron.d/notification, should go as well.
The proposed change is to remove the INSTALL_RHN section and merge whatever needs to be there to CONFIG_RHN. The proposed sudoers.rhn is below. I've tested that with this, the Satellite/Spacewalk works and runs external commands fine. ## RHN specifics ## Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\ /usr/bin/rhn-config-satellite.pl,\ /usr/bin/rhn-satellite-activate,\ /usr/bin/rhn-bootstrap,\ /usr/bin/rhn-ssl-tool,\ /usr/bin/rhn-ssl-dbstore,\ /usr/bin/rhn-load-ssl-cert.pl,\ /etc/rc.d/np.d/step Monitoring install,\ /etc/rc.d/np.d/step MonitoringScout install,\ /etc/rc.d/np.d/step Monitoring uninstall,\ /etc/rc.d/np.d/step MonitoringScout uninstall,\ /sbin/service Monitoring restart,\ /sbin/service MonitoringScout restart,\ /sbin/service taskomatic restart # The CONFIG_RHN commands are required for reconfiguration of a # running RHN Satellite. They should be enabled for proper operation # of the RHN Satellite. apache ALL=(root) NOPASSWD: CONFIG_RHN tomcat ALL=(root) NOPASSWD: CONFIG_RHN # These two directives allow tomcat and apache to invoke CONFIG_RHN # commands via sudo even without a real tty Defaults:tomcat !requiretty Defaults:apache !requiretty
Need to make sure it is not a shadow file, where we own the file within rpm but do not put it onto disk. Also - how about within WebUI when you enable and disable both monitoring scout and monitoring backend - I assume the file should be removed / added as needed when monitoring is enabled/disabled as a whole on a Satellite. Cliff.
NPalert.spec does: in %install # Install the cron stuff mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/cron.d/ install -p -m 644 cron/notification $RPM_BUILD_ROOT%{_sysconfdir}/cron.d/notification in %files %defattr(-,root,root,-) %{_sysconfdir}/logrotate.d/%{name} %{_sysconfdir}/cron.d/notification So the file looks real. Furthermore, I've grepped the whole Spacewalk source code for /usr/bin/sudo and that cp and rm are nowhere found via sudo in our code anymore. So I assume it's safe to remove. The cron file has */15 * * * * nocpulse if [ -e /etc/NOCpulse.ini ] ; then /usr/bin/monitor-queue ALERTS 50 100 2>&1 > /dev/null; fi in it so it seems that the existence of /etc/NOCpulse.ini rather than existence of /etc/cron.d/notification triggers the action.
Commited as: 951581be2cda4dad7b4bcf5bf99ee8ea0cbc801d
Mass moving ON_QA
[root@grandprix ~]# cat /etc/sudoers | grep -i ln [root@grandprix ~]# [root@grandprix cron.d]# cat notification # Check system load */15 * * * * nocpulse if [ -e /etc/NOCpulse.ini ] ; then /usr/bin/monitor-queue ALERTS 50 100 2>&1 > /dev/null; fi [root@grandprix cron.d]# [root@grandprix cron.d]# cat /etc/sudoers | grep -i rm ## Delegating permissions [root@grandprix cron.d]# cat /etc/sudoers | grep -i notification [root@grandprix cron.d]# verified..
Verified in stage with the same results as stated in the comment above -> RELEASE_PENDING.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1434.html