Description of problem:
Run remote command works even when run is disabled on the client

Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090625.0-i386-embedded-oracle.iso

How reproducible:

Steps to Reproduce:
1. create a ks-profile with config & run remote command enabled
2. kickstart a client with the above profile
3. do a rhn-actions-control --report
4. schedule a remote command say ls -l from sdc->remote command
5. run rhn_check
6. rhn-actions-control --disable-all
7. schedule another remote command
8. rhn_check

Actual results:
remote command runs even when the run is disabled.

result from step 3
[root@rlx-0-14 ~]# rhn-actions-control --report
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is disabled

result from step 6
[root@rlx-0-14 ~]# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

Expected results:
remote command should not be running when run is disabled

Additional info:
So it looks like that option in the kickstart simply runs:

touch /etc/sysconfig/rhn/allowed-actions/script/all

But it seems that rhn-actions-control isn't aware of this file at all. So if you run '--report' it will say remote command is disabled, when it's not. Also if you run '--disable-all' it won't remove this file.

So two things to fix:
1. rhn-actions-control --report should report enabled if ./script/all is present
2. rhn-actions-control --disable-all should remove ./script/all if it is present
3. rhn-actions-control --disable-run should remove ./script/all if it is present
Prad - if we can do this as an easy fix, low risk, please do, otherwise consider punting. Looks like client code for rhn-actions-control needs updating. Cliff
This looks like it's still happening on 5.4. Customer doesn't understand why he can run actions on systems where 'rhn-actions-control --report' says that "run is disabled". Aurelien.
Hello,

It seems that the issue is related to rhn-actions-control, which is not creating an empty file at /etc/sysconfig/rhn/allowed-actions/script/all when passed the --enable-all option. Look at the tests below:

** Correct
# rhn-actions-control --disable-all
# tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

** Incorrect
# rhn-actions-control --enable-all
# tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- run

Now, if the directory /etc/sysconfig/rhn/allowed-actions/script does not contain the file run or all, the remote execution **is not allowed**, as expected. See below:

# tree /etc/sysconfig/rhn/allowed-actions/
/etc/sysconfig/rhn/allowed-actions/
|-- configfiles
`-- script

Then, going through the webUI and scheduling a remote command

# ( uname -a ; rpm -qf $(which rhn-actions-control) )

Afterwards, running rhn_check -vv manually:

# rhn_check -vv
D: check_action {'action': "<?xml version='1.0'?>\n<methodCall>\n<methodName>script.run</methodName>\n<params>\n<param>\n<value><int>16550</int></value>\n</param>\n<param>\n<value><struct>\n<member>\n<name>username</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>groupname</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>now</name>\n<value><string>2011-06-02 15:31:28</string></value>\n</member>\n<member>\n<name>timeout</name>\n<value><int>600</int></value>\n</member>\n<member>\n<name>script</name>\n<value><string>#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )\n</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n", 'version': 2, 'id': 16550}
updateLoginInfo() login info
[SNIP]
D: do_call script.run (16550, {'username': 'root', 'groupname': 'root', 'now': '2011-06-02 15:31:28', 'timeout': 600, 'script': '#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )\n'}) {'cache_only': None}
D: Sending back response (42, 'Local permission not set for action type script.run', {})
D: do_call packages.checkNeedUpdate ('rhnsd=1',) {}
Loaded plugins: rhnplugin
D: local action status: (0, 'rpm database not modified since last update (or package list recently updated)', {})

Now, if an empty file named "run" or "all" is created in the /etc/sysconfig/rhn/allowed-actions/script directory, the remote command works as expected

# rhn-actions-control --enable-run
# tree /etc/sysconfig/rhn/allowed-actions/
/etc/sysconfig/rhn/allowed-actions/
|-- configfiles
`-- script
    `-- run

Then, going through the webUI and scheduling a remote command

# ( uname -a ; rpm -qf $(which rhn-actions-control) )

Afterwards, running rhn_check -vv manually:

# rhn_check -vv
D: check_action {'action': "<?xml version='1.0'?>\n<methodCall>\n<methodName>script.run</methodName>\n<params>\n<param>\n<value><int>16551</int></value>\n</param>\n<param>\n<value><struct>\n<member>\n<name>username</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>groupname</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>now</name>\n<value><string>2011-06-02 15:35:52</string></value>\n</member>\n<member>\n<name>timeout</name>\n<value><int>600</int></value>\n</member>\n<member>\n<name>script</name>\n<value><string>#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n", 'version': 2, 'id': 16551}
[SNIP]
D: handle_action actionid = 16551, version = 2
D: do_call script.run (16551, {'username': 'root', 'groupname': 'root', 'now': '2011-06-02 15:35:52', 'timeout': 600, 'script': '#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )'}) {'cache_only': None}
D: Sending back response (0, 'Script executed', {'output': 'TGludX {xxxxSNIPxxxx} sNQo=\n', 'base64enc': 1, 'process_end': '2011-06-02 15:35:52', 'return_code': 0, 'process_start': '2011-06-02 15:35:52'})
D: do_call packages.checkNeedUpdate ('rhnsd=1',) {}
Loaded plugins: rhnplugin
D: local action status: (0, 'rpm database not modified since last update (or package list recently updated)', {})

Decoding the base64 text:
Linux XXXXXXX.redhat.com 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:39 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
rhncfg-actions-5.9.27-15.el5

To finish, I agree with Justin's notes at comment#1 https://bugzilla.redhat.com/show_bug.cgi?id=508936#c1. rhn-actions-control isn't aware of this file at all and it probably was created during the kickstart installation. See below:

kickstart file
------------------------
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/all
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all

Cheers,
Marcelo Moreira de Mello
Created attachment 502668 [details]
Patch proposed

Hello,

Per my previous update, we looked into the code and we found the function which allows a remote command to be executed when the files run and all exist in the /etc/sysconfig/rhn/allowed-actions/scripts directory.

client/tools/rhncfg/actions/configfiles.py
----------------------------------------------------------
    # imports the excerpt relies on (Python 2: string.split and the apply builtin)
    import os
    from string import split

    _permission_root_dir = '/etc/sysconfig/rhn/allowed-actions'

    def _local_permission_check(action_type):
        # action_type ala configfiles.deploy
        atype_structure = split(action_type, '.')

        for i in range(len(atype_structure)):
            all_structure = atype_structure[:i]
            all_structure.append('all')
            # ^^^^^^---> check if allowed-actions/scripts/all exists, execute command
            potential_all_path = apply(os.path.join, all_structure)
            if os.path.exists(os.path.join(_permission_root_dir, potential_all_path)):
                return 1

        # no 'all' marker at any prefix level: fall back to the exact action file
        action_path = apply(os.path.join, atype_structure)
        return os.path.exists(os.path.join(_permission_root_dir, action_path))

    def _perm_error(action_type):
        return (42, "Local permission not set for action type %s" % action_type, {})

According to the RHN Satellite/Spacewalk documentation, to be able to execute remote commands, a file named "run" must exist in the /etc/sysconfig/rhn/allowed-actions/scripts directory. So, we patched the code so that remote commands are only executed if the file "run" exists in the allowed-actions/scripts directory. All the other files will be ignored. To keep it consistent, we also fixed KickstartFormatter.java, which now appends 'run' instead of 'all' into the /etc/sysconfig/rhn/allowed-actions directory when rendering the kickstart file.

After patching, the --report option works as expected (ignoring all the other files created manually) and remote commands will only be executed when a file "run" exists in the allowed-action/scripts directory.

# rhn-actions-control --enable-all ; tree /etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- run

2 directories, 2 files

# rhn-actions-control --report
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled

# rhn-actions-control --disable-all ; tree /etc/sysconfig/rhn/allowed-actions/
/etc/sysconfig/rhn/allowed-actions/
|-- configfiles
`-- script

2 directories, 0 files

# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

** Even forcing the file, it will be ignored
# touch /etc/sysconfig/rhn/allowed-actions/script/all
# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

The patch was sent to the spacewalk-devel mailing list.

Kind Regards,
Marcelo Moreira de Mello
Hello,

Mail Thread: https://www.redhat.com/archives/spacewalk-devel/2011-June/msg00003.html

Cheers,
-- mmello
Created attachment 502836 [details]
Patch proposed

Hello,

Here follows a better patch which checks if action_type is configfiles or script.

Cheers,
Marcelo Moreira de Mello
(In reply to comment #10)
> Hello,
> 
> Patch applied at Spacewalk master 2838959597c4660c63c061eaf7435d8fad55f9e6
> 
> Cheers,
> Marcelo Moreira de Mello

Hello,

Please note that the patch above refers to BZ#709365. Ignore comment#10.

Thank you
(In reply to comment #7)
> 
> client/tools/rhncfg/actions/configfiles.py
> ----------------------------------------------------------
> _permission_root_dir = '/etc/sysconfig/rhn/allowed-actions'
> def _local_permission_check(action_type):
>     # action_type ala configfiles.deploy
>     atype_structure = split(action_type, '.')
> 
>     for i in range(len(atype_structure)):
>         all_structure = atype_structure[:i]
>         all_structure.append('all')
>         ^^^^^^---> check if allowed-actions/scripts/all
>         exists, execute command

Could you explain in deeper detail what in the code makes both 'all' and 'run' to be taken as True for the script.run action?
(In reply to comment #9)
> Created attachment 502836 [details]
> Patch proposed
> 
> Hello,
> 
> Follow a better patch which check if action_type is configfiles or script.

I've raised concerns about this patch, namely the way it will work with existing installed systems (the rhncfg part) and with existing kickstarts that won't have the new RHN Tools (the Java part), at http://www.redhat.com/archives/spacewalk-devel/2011-June/msg00029.html
Taking, BTW.
Created attachment 509876 [details]
Patch proposed

Hello,

Here follows a new patch which follows the guidelines raised by Jan. This patch makes rhn-actions-control --disable-all remove both files, and --report check if the all or run file exists.

# rhn-actions-control --disable-all ; tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

# rhn-actions-control --report ; tree /etc/sysconfig/rhn/allowed-actions
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

2 directories, 0 files

# rhn-actions-control --enable-all ; tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- all

# rhn-actions-control --report ; tree /etc/sysconfig/rhn/allowed-actions
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- all

# rhn-actions-control --disable-all ; tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

# rhn-actions-control --enable-run ; tree /etc/sysconfig/rhn/allowed-actions ; rhn-actions-control --report
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script
    `-- run
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is enabled

# rhn-actions-control --disable-run ; tree /etc/sysconfig/rhn/allowed-actions ; rhn-actions-control --report
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

Thank you!

Cheers,
mmello
Created attachment 513221 [details]
Patch proposed

Hello,

Here follows a new patch which includes 3 modifications:

1) Change KickstartFormatter.java to create the "run" file instead of "all";
2) Add a %post script to move any existing "all" to "run", making it consistent with the documentation and with the new kickstart;
3) Disable any actions based on the /etc/sysconfig/rhn/allowed-actions/script/all file and make it only use the "run" file.

This patch was already submitted to the spacewalk-devel mailing list.

Thank you!

Cheers,
Marcelo Moreira de Mello
Created attachment 514572 [details]
Patch proposed

Hello,

Here is a new patch which honors the script/run file for remote commands. If a script/all file is found, the options --report, --disable-all, --disable-run and --enable-run will take care of it and rename the file script/all to script/run, which is expected and consistent with the documentation. Also, if the file script/all is found when executing a remote command, the patch will check the file and rename script/all to script/run at runtime, so customers can use old Satellite/Spacewalk versions with newer rhncfg* packages. All the tests regarding this patch worked as expected. This patch was already sent to spacewalk-devel for approval.

Cheers,
Marcelo Moreira de Mello
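The two permission rules discussed in this thread, side by side: the pre-patch prefix walk quoted in comment 7 (which is why a kickstart-created script/all silently grants script.run while --report says "run is disabled") and the run-only rule with script/all-to-script/run migration described in the patch above. This is an added Python 3 reimplementation for illustration, not the rhncfg code or the attached patch; the temp-dir root, the make_root/report helpers and leaving configfiles.* on the old rule are my assumptions.

```python
import os
import tempfile

# Constructed stand-in for /etc/sysconfig/rhn/allowed-actions: every
# function takes an explicit root so the demo runs in a temp dir, not /etc.
ACTIONS = ("configfiles.deploy", "configfiles.diff", "configfiles.upload",
           "configfiles.mtime_upload", "script.run")

def make_root(markers):
    """Throwaway tree seeded with marker files (assumed helper)."""
    root = tempfile.mkdtemp()
    for sub in ("configfiles", "script"):
        os.makedirs(os.path.join(root, sub))
    for rel in markers:
        open(os.path.join(root, *rel.split("/")), "w").close()
    return root

def original_check(root, action_type):
    """Pre-patch prefix walk (comment 7): script.run probes <root>/all,
    then <root>/script/all, then <root>/script/run, so script/all grants it."""
    parts = action_type.split(".")
    for i in range(len(parts)):
        if os.path.exists(os.path.join(root, *parts[:i], "all")):
            return True
    return os.path.exists(os.path.join(root, *parts))

def patched_check(root, action_type):
    """Run-only rule for script.*: only script/run grants script.run; a legacy
    script/all is renamed to script/run first so --report sees the real marker."""
    if action_type.partition(".")[0] != "script":
        return original_check(root, action_type)   # assumption: unchanged
    legacy = os.path.join(root, "script", "all")
    run = os.path.join(root, "script", "run")
    if os.path.exists(legacy):
        os.replace(legacy, run)                    # migrate, don't just grant
    return os.path.exists(run)

def disable_run(root):
    """--disable-run after the fix: drop both markers, not only run."""
    for name in ("all", "run"):
        path = os.path.join(root, "script", name)
        if os.path.exists(path):
            os.remove(path)

def report(root, check=patched_check):
    return {a: "enabled" if check(root, a) else "disabled" for a in ACTIONS}

def demo():
    root = make_root(["script/all"])            # what the old kickstart %post left
    bug = original_check(root, "script.run")    # True: script/all grants run
    fixed = patched_check(root, "script.run")   # True, but now via script/run
    migrated = os.path.exists(os.path.join(root, "script", "run"))
    disable_run(root)
    return bug, fixed, migrated, report(root)["script.run"]
```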
Applied to Spacewalk master, d8740eee2c2a60ac385ea2e1d2c26a3c063d14b6.
Backported to SATELLITE-5.4 as commit 083195f446261e75cb546c7a09aca912aa449cf0
508936 - rhn-actions-control honor the allowed-actions/scripts/run for remote comman
*** Bug 627972 has been marked as a duplicate of this bug. ***
# rpm -qa | grep rhncfg
rhncfg-actions-5.9.27-18.el6.noarch
rhncfg-client-5.9.27-18.el6.noarch
rhncfg-management-5.9.27-18.el6.noarch
rhncfg-5.9.27-18.el6.noarch

# rhncfg-manager create-channel conf_chann_test_errata
Password:
Creating config channel conf_chann_test_errata
Config channel conf_chann_test_errata created

# rhncfg-manager list-channels
Available config channels:
  conf_chann_test_errata

# echo 'File-Test_UPDATE' > /tmp/file_test_UPDATE
# cat /tmp/file_test_UPDATE
File-Test_UPDATE

# rhncfg-manager add -c conf_chann_test_errata --dest-file=/etc/file_test_UPDATE /tmp/file_test_UPDATE
Pushing to channel conf_chann_test_errata:
Local file /tmp/file_test_UPDATE -> remote file /etc/file_test_UPDATE

# rhncfg-manager list conf_chann_test_errata
Files in config channel 'conf_chann_test_errata':
  /etc/file_test_UPDATE

# ls -lR /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions:
total 8
drwxr-xr-x. 2 root root 4096 Aug 23 06:05 configfiles
drwxr-xr-x. 2 root root 4096 Aug 23 06:05 script

/etc/sysconfig/rhn/allowed-actions/configfiles:
total 0

/etc/sysconfig/rhn/allowed-actions/script:
total 0

# rhn-actions-control --enable-all
# rhn-actions-control --report
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled

# ls -lR /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions:
total 8
drwxr-xr-x. 2 root root 4096 Sep 12 08:39 configfiles
drwxr-xr-x. 2 root root 4096 Sep 12 08:39 script

/etc/sysconfig/rhn/allowed-actions/configfiles:
total 0
-rw-r--r--. 1 root root 0 Sep 12 08:39 all

/etc/sysconfig/rhn/allowed-actions/script:
total 0
-rw-r--r--. 1 root root 0 Sep 12 08:39 run

# rhn-actions-control --disable-all
# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

# ls -lR /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions:
total 8
drwxr-xr-x. 2 root root 4096 Sep 12 08:40 configfiles
drwxr-xr-x. 2 root root 4096 Sep 12 08:40 script

/etc/sysconfig/rhn/allowed-actions/configfiles:
total 0

/etc/sysconfig/rhn/allowed-actions/script:
total 0

# ls -l /etc/file_test_UPDATE
ls: cannot access /etc/file_test_UPDATE: No such file or directory

#### VIA WEBUI Add Provisioning Entitlement and
#### Configuration channel "conf_chann_test_errata" to the System.

# rhncfg-client get /etc/file_test_UPDATE
Deploying /etc/file_test_UPDATE

# ls -l /etc/file_test_UPDATE
-rw-r--r--. 1 root root 17 Sep 12 09:13 /etc/file_test_UPDATE

# rhncfg-manager get --channel=conf_chann_test_errata /etc/file_test_UPDATE
Password:
File-Test_UPDATE
Moving back ON_QA. This bugzilla is about scheduling run command and then seeing it executed with rhn_check even if run is disabled. What you test is an explicit get from the client -- different operation (deploy vs. run) and different invocation (rhncfg-* command vs. rhn_check).
Verified on RHEL[56]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1315.html
*** Bug 682995 has been marked as a duplicate of this bug. ***