Bug 491896 - Sudoers commands called from tomcat should be split off those called from apache
Status: CLOSED WONTFIX
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
Blocks: 462714
Reported: 2009-03-24 11:14 EDT by Jan Pazdziora
Modified: 2014-05-09 06:37 EDT
Last Closed: 2014-05-09 06:37:12 EDT


Attachments: None
Description Jan Pazdziora 2009-03-24 11:14:49 EDT
Description of problem:

As of Satellite-5.3.0-RHEL5-re20090323.0, the Satellite-specific part of /etc/sudoers after installation is

## RHN specifics ##
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
                        /usr/bin/rhn-config-satellite.pl,\
                        /usr/bin/rhn-satellite-activate,\
                        /usr/bin/rhn-bootstrap,\
                        /usr/bin/rhn-load-ssl-cert.pl,\
                        /usr/bin/rhn-ssl-tool,\
                        /etc/rc.d/np.d/step Monitoring install,\
                        /etc/rc.d/np.d/step MonitoringScout install,\
                        /etc/rc.d/np.d/step Monitoring uninstall,\
                        /etc/rc.d/np.d/step MonitoringScout uninstall,\
                        /sbin/service Monitoring restart,\
                        /sbin/service MonitoringScout restart,\
                        /sbin/service taskomatic restart

# The CONFIG_RHN commands are required for reconfiguration of a
# running RHN Satellite.  They should be enabled for proper operation
# of the RHN Satellite.
apache  ALL=(root)      NOPASSWD: CONFIG_RHN
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN

# These two directives allow tomcat and apache to invoke CONFIG_RHN
# commands via sudo even without a real tty
Defaults:tomcat !requiretty
Defaults:apache !requiretty

Thus, the same set of commands (CONFIG_RHN) is allowed to be called both from apache and from tomcat. This does not seem to be correct -- so far (thanks to SELinux catching the problem for us, bug 491687) I only know of one case where mod_perl (and thus the apache user) is calling rhn-ssl-tool. The rest of the invocation paths seem to have been moved to Java code and thus are called from tomcat.

We should decide if we want to harden the sudoers even more, for 5.3.0.

Version-Release number of selected component (if applicable):

Satellite-5.3.0-RHEL5-re20090323.0

How reproducible:

Deterministic.

Steps to Reproduce:
1. Look at /etc/sudoers after installing Satellite.
  
Actual results:

There is one CONFIG_RHN section, and

apache  ALL=(root)      NOPASSWD: CONFIG_RHN
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN

lines giving access to whole CONFIG_RHN to both tomcat and apache users.

Expected results:

The file /etc/sudoers should have that CONFIG_RHN split to two parts, one for apache and one for tomcat, with possible small overlap. And Satellite should continue functioning.

Additional info:

Please cast your preference for when to address this, by either aligning to 5.3.0 or to a later version.
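The check a reviewer of the fragment above would want, written here as an added example (it is not code from the bug report or from Satellite): a small Python parser for the subset of sudoers syntax the report shows that computes, per user, the set of commands reachable as root, then diffs the shipped fragment against a hypothetical split. The split's allocation is an assumption drawn from the report's own statement that rhn-ssl-tool is the only known mod_perl caller: apache keeps only /usr/bin/rhn-ssl-tool, tomcat keeps the whole list, so rhn-ssl-tool is the one overlap. The alias names CONFIG_RHN_APACHE and CONFIG_RHN_TOMCAT are invented for the example; the bug was closed WONTFIX, so none of this is the project's change.

```python
"""Audit which root commands each user may sudo, and diff two sudoers versions.
Added example (not the report's or the Satellite project's code); it parses
only the syntax the report shows: Cmnd_Alias with backslash continuations,
"user HOST=(runas) TAGS: cmds" specs, and per-user Defaults lines."""
import re

# Constructed input: the CONFIG_RHN alias exactly as quoted in the report.
CONFIG_RHN_ALIAS = r"""## RHN specifics ##
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
                        /usr/bin/rhn-config-satellite.pl,\
                        /usr/bin/rhn-satellite-activate,\
                        /usr/bin/rhn-bootstrap,\
                        /usr/bin/rhn-load-ssl-cert.pl,\
                        /usr/bin/rhn-ssl-tool,\
                        /etc/rc.d/np.d/step Monitoring install,\
                        /etc/rc.d/np.d/step MonitoringScout install,\
                        /etc/rc.d/np.d/step Monitoring uninstall,\
                        /etc/rc.d/np.d/step MonitoringScout uninstall,\
                        /sbin/service Monitoring restart,\
                        /sbin/service MonitoringScout restart,\
                        /sbin/service taskomatic restart
"""

# As shipped: both service accounts get the whole alias.
ORIGINAL = CONFIG_RHN_ALIAS + """
apache  ALL=(root)      NOPASSWD: CONFIG_RHN
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN
Defaults:tomcat !requiretty
Defaults:apache !requiretty
"""

# Hypothetical split (an assumption, not the project's change): apache keeps only
# rhn-ssl-tool, the one mod_perl caller the report names; tomcat keeps the full list.
SPLIT = CONFIG_RHN_ALIAS + """
Cmnd_Alias CONFIG_RHN_APACHE = /usr/bin/rhn-ssl-tool
Cmnd_Alias CONFIG_RHN_TOMCAT = CONFIG_RHN
apache  ALL=(root)      NOPASSWD: CONFIG_RHN_APACHE
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN_TOMCAT
Defaults:tomcat !requiretty
Defaults:apache !requiretty
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?"
                     r"\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def _logical_lines(text):
    """Join backslash-continued lines; drop blanks and '#' comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # sudoers continuation
            buf += line[:-1]
            continue
        joined, buf = (buf + line).strip(), ""
        if joined and not joined.startswith("#"):
            out.append(joined)
    return out

def _expand(cmd_list, aliases):
    """Split a comma-separated command list, expanding Cmnd_Alias names."""
    cmds = set()
    for item in (i.strip() for i in cmd_list.split(",")):
        cmds |= _expand(aliases[item], aliases) if item in aliases else {item}
    return cmds

def parse_sudoers(text):
    """Return {user: set of commands}. Host/runas are parsed but not filtered
    (every spec here is ALL=(root)); Defaults lines are options, not grants."""
    aliases, specs = {}, []
    for line in _logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = m.group(2)
        elif not line.startswith("Defaults"):
            specs.append(line)
    grants = {}
    for spec in specs:                   # second pass: aliases may be declared late
        m = SPEC_RE.match(spec)
        if not m:
            raise ValueError(f"unsupported sudoers line: {spec!r}")
        grants.setdefault(m["user"], set()).update(_expand(m["cmds"], aliases))
    return grants

def shared_commands(grants):
    """Commands granted to more than one user -> set of those users."""
    users_of = {}
    for user, cmds in grants.items():
        for cmd in cmds:
            users_of.setdefault(cmd, set()).add(user)
    return {cmd: users for cmd, users in users_of.items() if len(users) > 1}

def dropped_grants(before, after):
    """Per user: commands allowed in `before` that `after` no longer grants."""
    return {user: cmds - after.get(user, set()) for user, cmds in before.items()}

if __name__ == "__main__":
    before, after = parse_sudoers(ORIGINAL), parse_sudoers(SPLIT)
    print("shared before/after:", len(shared_commands(before)), sorted(shared_commands(after)))
    print({u: len(c) for u, c in dropped_grants(before, after).items()})
```

Run stand-alone it reports 13 commands shared by apache and tomcat before the split and only /usr/bin/rhn-ssl-tool after, with 12 root commands no longer reachable from the apache account. The parser is an audit aid, not a syntax checker: a candidate file still goes through `visudo -c -f` before it is installed.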
Comment 3 Clifford Perry 2009-05-22 12:17:11 EDT
Punting as requested.
Comment 4 Clifford Perry 2014-05-09 06:37:12 EDT
We have not addressed this specific bug in over 5 years. This does not seem to have an active customer case with the bug report either. Closing out as wontfix to clear from backlog.

Please re-open if you disagree and wish further review.

Cliff
