Bug 491896 - Sudoers commands called from tomcat should be split off those called from apache
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: 462714
Reported: 2009-03-24 15:14 UTC by Jan Pazdziora
Modified: 2014-05-09 10:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-09 10:37:12 UTC
Target Upstream Version:
Embargoed:



Description Jan Pazdziora 2009-03-24 15:14:49 UTC
Description of problem:

As of Satellite-5.3.0-RHEL5-re20090323.0, the Satellite-specific part of /etc/sudoers after installation is

## RHN specifics ##
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
                        /usr/bin/rhn-config-satellite.pl,\
                        /usr/bin/rhn-satellite-activate,\
                        /usr/bin/rhn-bootstrap,\
                        /usr/bin/rhn-load-ssl-cert.pl,\
                        /usr/bin/rhn-ssl-tool,\
                        /etc/rc.d/np.d/step Monitoring install,\
                        /etc/rc.d/np.d/step MonitoringScout install,\
                        /etc/rc.d/np.d/step Monitoring uninstall,\
                        /etc/rc.d/np.d/step MonitoringScout uninstall,\
                        /sbin/service Monitoring restart,\
                        /sbin/service MonitoringScout restart,\
                        /sbin/service taskomatic restart

# The CONFIG_RHN commands are required for reconfiguration of a
# running RHN Satellite.  They should be enabled for proper operation
# of the RHN Satellite.
apache  ALL=(root)      NOPASSWD: CONFIG_RHN
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN

# These two directives allow tomcat and apache to invoke CONFIG_RHN
# commands via sudo even without a real tty
Defaults:tomcat !requiretty
Defaults:apache !requiretty

Thus, the same set of commands (CONFIG_RHN) is allowed to be called both from apache and from tomcat. This does not seem to be correct -- so far (thanks to SELinux catching the problem for us, bug 491687) I only know of one case when mod_perl (and thus apache user) is calling rhn-ssl-tool. The rest of the invocation paths seem to have been moved to Java code and thus are called from tomcat.

We should decide if we want to harden the sudoers even more, for 5.3.0.

Version-Release number of selected component (if applicable):

Satellite-5.3.0-RHEL5-re20090323.0

How reproducible:

Deterministic.

Steps to Reproduce:
1. Look at /etc/sudoers after installing Satellite.
  
Actual results:

There is one, CONFIG_RHN, section, and

apache  ALL=(root)      NOPASSWD: CONFIG_RHN
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN

lines giving access to the whole CONFIG_RHN to both tomcat and apache users.

Expected results:

The file /etc/sudoers should have that CONFIG_RHN split into two parts, one for apache and one for tomcat, with possible small overlap. And Satellite should continue functioning.

Additional info:

Please cast your preference of when to address this, by either aligning to 5.3.0 or to a later version.
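
An added example, not part of the original report or of Satellite's own code: a small Python audit that expands the Cmnd_Alias in the quoted excerpt, lists the root commands shared by apache and tomcat, and shows what apache is granted beyond the one command the report says it is known to call. The sample input is constructed from the excerpt with the alias abridged, and the parser covers only the sudoers constructs that appear there.

```python
import re
from collections import defaultdict

# Constructed input: the excerpt quoted in the report, with the alias abridged.
SUDOERS = r"""
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
                        /usr/bin/rhn-ssl-tool,\
                        /sbin/service taskomatic restart
apache  ALL=(root)      NOPASSWD: CONFIG_RHN
tomcat  ALL=(root)      NOPASSWD: CONFIG_RHN
Defaults:tomcat !requiretty
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def grants(text):
    """Map each user to its allowed commands, expanding Cmnd_Alias names.
    Simplified: aliases precede their use and commands contain no commas."""
    aliases, per_user = {}, defaultdict(set)
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(.+)", line)
        if m and not line.startswith("Defaults"):
            for item in m.group(2).split(","):
                per_user[m.group(1)].update(aliases.get(item.strip(), [item.strip()]))
    return dict(per_user)

def shared(text):
    """Commands that more than one account may run as root."""
    users_by_cmd = defaultdict(set)
    for user, cmds in grants(text).items():
        for cmd in cmds:
            users_by_cmd[cmd].add(user)
    return {c: sorted(u) for c, u in users_by_cmd.items() if len(u) > 1}

def excess(text, user, needed):
    """Commands granted to `user` beyond those it is known to invoke."""
    return sorted(grants(text).get(user, set()) - set(needed))

if __name__ == "__main__":
    # Per the report, apache (mod_perl) is only known to call rhn-ssl-tool.
    print("apache excess:", excess(SUDOERS, "apache", {"/usr/bin/rhn-ssl-tool"}))
    print("shared:", shared(SUDOERS))
```

On a live system, `sudo -l -U apache` run as root gives the effective grants as sudo itself resolves them, which is the authoritative check once the aliases are split.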

Comment 3 Clifford Perry 2009-05-22 16:17:11 UTC
Punting as requested.

Comment 4 Clifford Perry 2014-05-09 10:37:12 UTC
We have not addressed this specific bug in over 5 years. This does not seem to have an active customer case with the bug report either. Closing out as wontfix to clear from backlog.

Please re-open if you disagree and wish further review.

Cliff

