Bug 508936 - Run remote command works even when run is disabled on the client
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Provisioning
Version: 540
Hardware/OS: All Linux
Priority: high
Severity: medium
Assigned To: Jan Pazdziora
QA Contact: Dimitar Yordanov
Keywords: Patch
Duplicates: 682995
Blocks: sat54-blockers
 
Reported: 2009-06-30 11:25 EDT by Preethi Thomas
Modified: 2012-03-15 11:06 EDT (History)
Fixed In Version: rhncfg-5.9.27-18
Doc Type: Bug Fix
Last Closed: 2011-09-16 12:06:24 EDT


Attachments
Patch proposed (1.86 KB, patch), 2011-06-02 18:26 EDT, Marcelo Moreira de Mello
Patch proposed (2.05 KB, patch), 2011-06-03 11:22 EDT, Marcelo Moreira de Mello
Patch proposed (3.76 KB, patch), 2011-06-25 01:26 EDT, Marcelo Moreira de Mello
Patch proposed (2.55 KB, patch), 2011-07-14 12:54 EDT, Marcelo Moreira de Mello
Patch proposed (5.72 KB, patch), 2011-07-21 16:29 EDT, Marcelo Moreira de Mello

Description Preethi Thomas 2009-06-30 11:25:04 EDT
Description of problem:

Run remote command works even when run is disabled on the client
Version-Release number of selected component (if applicable):

Satellite-5.3.0-RHEL5-re20090625.0-i386-embedded-oracle.iso
How reproducible:


Steps to Reproduce:
1. Create a ks-profile with config & run remote command enabled
2. Kickstart a client with the above profile
3. Do a rhn-actions-control --report
4. Schedule a remote command, say ls -l, from sdc->remote command
5. Run rhn_check
6. rhn-actions-control --disable-all
7. Schedule another remote command
8. rhn_check
  
Actual results:
remote command runs even when the run is disabled.
result from step 3
[root@rlx-0-14 ~]# rhn-actions-control --report
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is disabled


result from step 6

[root@rlx-0-14 ~]# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled



Expected results:
remote command should not be running when run is disabled

Additional info:
Comment 1 Justin Sherrill 2009-06-30 12:16:20 EDT
So it looks like that option in the kickstart simply runs:

touch /etc/sysconfig/rhn/allowed-actions/script/all


But it seems that:

rhn-actions-control isn't aware of this file at all.  So if you run '--report' it will say remote command is disabled, when it's not.  Also if you run '--disable-all' it won't remove this file.  


So two things to fix:

1.  rhn-actions-control --report     should report enabled if ./script/all is present
2.  rhn-actions-control --disable-all should remove ./script/all if it is present
3.  rhn-actions-control --disable-run should remove ./script/all if it is present
Comment 2 Clifford Perry 2009-06-30 12:31:40 EDT
Prad - if we can do this as an easy fix, low risk, please do, otherwise consider punting. Looks like client code for rhn-actions-control needs updating. 

Cliff
Comment 4 Aurelien Gouny 2011-02-23 21:43:27 EST
This looks like it's still happening on 5.4.
Customer doesn't understand why he can run actions on systems where 'rhn-actions-control --report' says that "run is disabled".

Aurelien.
Comment 6 Marcelo Moreira de Mello 2011-06-02 14:45:06 EDT
Hello, 

 It seems that the issue is related to rhn-actions-control, which is not creating an empty file at /etc/sysconfig/rhn/allowed-actions/script/all when passed the --enable-all option.  Look at the tests below: 

** Correct
# rhn-actions-control --disable-all
# tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

** Incorrect
# rhn-actions-control --enable-all
# tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- run
 
 Now, if the directory /etc/sysconfig/rhn/allowed-actions/script does not contain the file run or all, the remote execution **is not allowed**, as expected. See below: 
 
# tree /etc/sysconfig/rhn/allowed-actions/
/etc/sysconfig/rhn/allowed-actions/
|-- configfiles
`-- script

  Then, going through webUI and scheduling a remote command
     # ( uname -a ; rpm -qf $(which rhn-actions-control) )
     
  Afterwards, running rhn_check -vv manually: 
  
# rhn_check  -vv
D: check_action {'action': "<?xml version='1.0'?>\n<methodCall>\n<methodName>script.run</methodName>\n<params>\n<param>\n<value><int>16550</int></value>\n</param>\n<param>\n<value><struct>\n<member>\n<name>username</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>groupname</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>now</name>\n<value><string>2011-06-02 15:31:28</string></value>\n</member>\n<member>\n<name>timeout</name>\n<value><int>600</int></value>\n</member>\n<member>\n<name>script</name>\n<value><string>#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )\n</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n", 'version': 2, 'id': 16550}
updateLoginInfo() login info
  [SNIP]
D: do_call script.run (16550, {'username': 'root', 'groupname': 'root', 'now': '2011-06-02 15:31:28', 'timeout': 600, 'script': '#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )\n'}) {'cache_only': None}
D: Sending back response (42, 'Local permission not set for action type script.run', {})
D: do_call packages.checkNeedUpdate ('rhnsd=1',) {}
Loaded plugins: rhnplugin
D: local action status:  (0, 'rpm database not modified since last update (or package list recently updated)', {})

  Now, if an empty file named "run" or "all" is created in the /etc/sysconfig/rhn/allowed-actions/script directory, the remote command works as expected
  

# rhn-actions-control --enable-run
# tree /etc/sysconfig/rhn/allowed-actions/
/etc/sysconfig/rhn/allowed-actions/
|-- configfiles
`-- script
    `-- run

  Then, going through webUI and scheduling a remote command
     # ( uname -a ; rpm -qf $(which rhn-actions-control) )
     
  Afterwards, running rhn_check -vv manually: 
  
 # rhn_check  -vv
D: check_action {'action': "<?xml version='1.0'?>\n<methodCall>\n<methodName>script.run</methodName>\n<params>\n<param>\n<value><int>16551</int></value>\n</param>\n<param>\n<value><struct>\n<member>\n<name>username</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>groupname</name>\n<value><string>root</string></value>\n</member>\n<member>\n<name>now</name>\n<value><string>2011-06-02 15:35:52</string></value>\n</member>\n<member>\n<name>timeout</name>\n<value><int>600</int></value>\n</member>\n<member>\n<name>script</name>\n<value><string>#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n", 'version': 2, 'id': 16551}

 [SNIP]

D: handle_action actionid = 16551, version = 2
D: do_call script.run (16551, {'username': 'root', 'groupname': 'root', 'now': '2011-06-02 15:35:52', 'timeout': 600, 'script': '#!/bin/sh\n( uname -a ; rpm -qf $(which rhn-actions-control) )'}) {'cache_only': None}
D: Sending back response (0, 'Script executed', {'output': 'TGludX {xxxxSNIPxxxx} sNQo=\n', 'base64enc': 1, 'process_end': '2011-06-02 15:35:52', 'return_code': 0, 'process_start': '2011-06-02 15:35:52'})
D: do_call packages.checkNeedUpdate ('rhnsd=1',) {}
Loaded plugins: rhnplugin
D: local action status:  (0, 'rpm database not modified since last update (or package list recently updated)', {})

  Decoding the base64 text: 
  
  Linux XXXXXXX.redhat.com 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:39 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
  rhncfg-actions-5.9.27-15.el5
   
   
   To finish, I agree with Justin's notes in comment #1 https://bugzilla.redhat.com/show_bug.cgi?id=508936#c1. rhn-actions-control isn't aware of this file at all and it was probably created during the kickstart installation. See below: 
   

  kickstart file
------------------------
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/all
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all

Cheers, 
Marcelo Moreira de Mello
Comment 7 Marcelo Moreira de Mello 2011-06-02 18:26:04 EDT
Created attachment 502668 [details]
Patch proposed

Hello, 

   Per my previous update, we looked into the code and found the function which allows a remote command to be executed when both files, run and all, exist in the /etc/sysconfig/rhn/allowed-actions/scripts directory. 
 
client/tools/rhncfg/actions/configfiles.py
----------------------------------------------------------
# Imports needed by this excerpt (Python 2 code)
import os
from string import split

_permission_root_dir = '/etc/sysconfig/rhn/allowed-actions'

def _local_permission_check(action_type):
    # action_type ala configfiles.deploy
    atype_structure = split(action_type, '.')

    for i in range(len(atype_structure)):
        all_structure = atype_structure[:i]
        all_structure.append('all')
        # ^^^ check if allowed-actions/scripts/all exists, execute command

        potential_all_path = apply(os.path.join, all_structure)
        if os.path.exists(os.path.join(_permission_root_dir, potential_all_path)):
            return 1

    action_path = apply(os.path.join, atype_structure)
    return os.path.exists(os.path.join(_permission_root_dir, action_path))

def _perm_error(action_type):
    return (42, "Local permission not set for action type %s" % action_type, {})
    
  
 According to the RHN Satellite/Spacewalk documentation, to be able to execute remote commands, a file named "run" must exist in the /etc/sysconfig/rhn/allowed-actions/scripts directory. 
    
 So, we patched the code so that remote commands are only executed if the file "run" exists in the allowed-actions/scripts directory. All the other files will be ignored.  
 
 To make it consistent, we also fixed KickstartFormatter.java, which now appends 'run' instead of 'all' into the /etc/sysconfig/rhn/allowed-actions directory when rendering the kickstart file. 
 
 After patching, the --report option works as expected (ignoring all the other files created manually) and remote commands will only be executed when a file "run" exists in the allowed-action/scripts directory. 
 
# rhn-actions-control --enable-all ; tree /etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- run

2 directories, 2 files

# rhn-actions-control --report
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled

# rhn-actions-control --disable-all ; tree /etc/sysconfig/rhn/allowed-actions/
/etc/sysconfig/rhn/allowed-actions/
|-- configfiles
`-- script

2 directories, 0 files

# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled


 ** Even forcing the file, it will be ignored
# touch /etc/sysconfig/rhn/allowed-actions/script/all
# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

 The patch was sent to the spacewalk-devel mailing list. 
 
Kind Regards, 
Marcelo Moreira de Mello
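
An added example, not part of the original comment or of the rhncfg code: a Python 3 port of the path walk in the `_local_permission_check` excerpt from comment 7, run against a constructed temporary directory instead of /etc/sysconfig/rhn/allowed-actions. The helper names (`candidate_paths`, `granting_markers`, `touch`, `demo`) are hypothetical; the output shows which marker file grants `script.run` in each directory state discussed in the thread.

```python
import os
import tempfile


def candidate_paths(action_type):
    """Marker paths, relative to the permission root, accepted for action_type.

    Same walk as the excerpt: for "script.run" the wildcard markers are
    "all" and "script/all", followed by the exact marker "script/run".
    """
    parts = action_type.split(".")
    wildcards = [os.path.join(*(parts[:i] + ["all"])) for i in range(len(parts))]
    return wildcards + [os.path.join(*parts)]


def granting_markers(root, action_type):
    """Markers present under root that allow action_type ([] means denied)."""
    return [rel for rel in candidate_paths(action_type)
            if os.path.exists(os.path.join(root, rel))]


def touch(root, rel):
    """Create an empty marker file, like `touch` in the kickstart snippet."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def demo():
    """Replay the directory states from the thread in a constructed temp tree."""
    seen = {}
    with tempfile.TemporaryDirectory() as root:
        for sub in ("script", "configfiles"):
            os.makedirs(os.path.join(root, sub))
        seen["after --disable-all"] = granting_markers(root, "script.run")

        touch(root, "script/all")   # left behind by the kickstart
        seen["kickstart script/all"] = granting_markers(root, "script.run")
        os.remove(os.path.join(root, "script/all"))

        touch(root, "script/run")   # created by --enable-run
        seen["after --enable-run"] = granting_markers(root, "script.run")
        os.remove(os.path.join(root, "script/run"))

        touch(root, "all")          # i == 0 in the loop: top-level wildcard
        seen["top-level all"] = granting_markers(root, "script.run")
        seen["top-level all, deploy"] = granting_markers(root, "configfiles.deploy")
    return seen


if __name__ == "__main__":
    for state, markers in demo().items():
        print("%-24s -> %s" % (state, markers or "denied (error 42)"))
```

Because the loop starts at `i == 0`, a file named `all` directly under the permission root is accepted for every action type, so an audit of a client should look at all three candidate paths, not only `script/run`.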
Comment 8 Marcelo Moreira de Mello 2011-06-02 18:33:42 EDT
Hello, 

  Mail Thread: https://www.redhat.com/archives/spacewalk-devel/2011-June/msg00003.html

Cheers, 
-- mmello
Comment 9 Marcelo Moreira de Mello 2011-06-03 11:22:47 EDT
Created attachment 502836 [details]
Patch proposed

Hello, 

 Here follows a better patch which checks if action_type is configfiles or script. 

Cheers, 
Marcelo Moreira de Mello
Comment 11 Marcelo Moreira de Mello 2011-06-13 10:46:11 EDT
(In reply to comment #10)
> Hello, 
> 
>   Patch applied at Spacewalk master 2838959597c4660c63c061eaf7435d8fad55f9e6
> 
>  Cheers, 
> Marcelo Moreira de Mello

Hello, 

  Please note the patch above refers to BZ#709365. Ignore comment #10. 

 Thank you
Comment 12 Jan Pazdziora 2011-06-16 10:40:36 EDT
(In reply to comment #7)
> 
> client/tools/rhncfg/actions/configfiles.py
> ----------------------------------------------------------
>  _permission_root_dir = '/etc/sysconfig/rhn/allowed-actions'
> def _local_permission_check(action_type):
>     # action_type ala configfiles.deploy
>     atype_structure = split(action_type, '.')
> 
>     for i in range(len(atype_structure)):
>         all_structure = atype_structure[:i]
>         all_structure.append('all')
>                              ^^^^^^---> check if allowed-actions/scripts/all
> exists, execute command

Could you explain in deeper detail what in the code makes both 'all' and 'run' be taken as True for the script.run action?
Comment 13 Jan Pazdziora 2011-06-16 10:43:04 EDT
(In reply to comment #9)
> Created attachment 502836 [details]
> Patch proposed
> 
> Hello, 
> 
>  Follow a better patch which check if action_type is configfiles or script. 

I've raised concerns about this patch, namely the way it will work with existing installed systems (the rhncfg part) and with existing kickstarts that won't have the new RHN Tools (the Java part) at

  http://www.redhat.com/archives/spacewalk-devel/2011-June/msg00029.html
Comment 14 Jan Pazdziora 2011-06-16 10:43:25 EDT
Taking, BTW.
Comment 15 Marcelo Moreira de Mello 2011-06-25 01:26:33 EDT
Created attachment 509876 [details]
Patch proposed

Hello, 

 Here follows a new patch which follows the guidelines raised by Jan.  This patch makes rhn-actions-control --disable-all remove both files and --report check if the all or run file exists. 

# rhn-actions-control --disable-all ; tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

# rhn-actions-control --report ; tree /etc/sysconfig/rhn/allowed-actions
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

2 directories, 0 files
# rhn-actions-control --enable-all ; tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- all

# rhn-actions-control --report ; tree /etc/sysconfig/rhn/allowed-actions
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
|   `-- all
`-- script
    `-- all

# rhn-actions-control --disable-all ; tree /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

# rhn-actions-control --enable-run ; tree /etc/sysconfig/rhn/allowed-actions ; rhn-actions-control --report
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script
    `-- run

deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is enabled

# rhn-actions-control --disable-run ; tree /etc/sysconfig/rhn/allowed-actions ; rhn-actions-control --report
/etc/sysconfig/rhn/allowed-actions
|-- configfiles
`-- script

deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

Thank you!

Cheers, 
mmello
Comment 16 Marcelo Moreira de Mello 2011-07-14 12:54:44 EDT
Created attachment 513221 [details]
Patch proposed

Hello,

  Here follows a new patch which includes 3 modifications:

     1) Change KickstartFormatter.java to create the "run" file instead of "all";

     2) Add a %post script to move any existing "all" to "run", making it consistent with the documentation and with the new kickstart

     3) Disable any actions based on the /etc/sysconfig/rhn/allowed-actions/script/all and make it only use the "run" file.

 This patch was already submitted to the spacewalk-devel mailing list.

  Thank you!

Cheers,
Marcelo Moreira de Mello
Comment 17 Marcelo Moreira de Mello 2011-07-21 16:29:27 EDT
Created attachment 514572 [details]
Patch proposed

Hello, 

  Here is a new patch which honors the script/run file for remote commands. 

  If a script/all file is found, the options --report, --disable-all, --disable-run, --enable-run will take care of it and rename the file script/all to script/run, which is expected and consistent with the documentation. 

  Also, if the file script/all is found when executing a remote command, the patch will check the file and rename script/all to script/run at runtime, so customers can use old Satellite/Spacewalk versions and a newer rhncfg* package. 

 All the tests regarding this patch worked as expected. 

 This patch was already sent to spacewalk-devel for approval. 

 Cheers, 
Marcelo Moreira de Mello
Comment 18 Jan Pazdziora 2011-08-04 10:39:26 EDT
Applied to Spacewalk master, d8740eee2c2a60ac385ea2e1d2c26a3c063d14b6.
Comment 21 Michael Mráka 2011-08-24 09:00:16 EDT
Backported to SATELLITE-5.4 as
commit 083195f446261e75cb546c7a09aca912aa449cf0
    508936 - rhn-actions-control honor the allowed-actions/scripts/run for remote comman
Comment 24 Dimitar Yordanov 2011-08-26 10:29:58 EDT
*** Bug 627972 has been marked as a duplicate of this bug. ***
Comment 26 Dimitar Yordanov 2011-09-12 09:54:11 EDT
# rpm -qa | grep rhncfg
rhncfg-actions-5.9.27-18.el6.noarch
rhncfg-client-5.9.27-18.el6.noarch
rhncfg-management-5.9.27-18.el6.noarch
rhncfg-5.9.27-18.el6.noarch


# rhncfg-manager create-channel conf_chann_test_errata
Password: 
Creating config channel conf_chann_test_errata
Config channel conf_chann_test_errata created

#rhncfg-manager list-channels
Available config channels:
  conf_chann_test_errata

#echo 'File-Test_UPDATE' > /tmp/file_test_UPDATE

#cat /tmp/file_test_UPDATE
File-Test_UPDATE

# rhncfg-manager add  -c conf_chann_test_errata  --dest-file=/etc/file_test_UPDATE  /tmp/file_test_UPDATE
Pushing to channel conf_chann_test_errata:
Local file /tmp/file_test_UPDATE -> remote file /etc/file_test_UPDATE

# rhncfg-manager list conf_chann_test_errata
Files in config channel 'conf_chann_test_errata':
  /etc/file_test_UPDATE

#ls -lR /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions:
total 8
drwxr-xr-x. 2 root root 4096 Aug 23 06:05 configfiles
drwxr-xr-x. 2 root root 4096 Aug 23 06:05 script

/etc/sysconfig/rhn/allowed-actions/configfiles:
total 0

/etc/sysconfig/rhn/allowed-actions/script:
total 0

# rhn-actions-control --enable-all
# rhn-actions-control --report
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled

# ls -lR /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions:
total 8
drwxr-xr-x. 2 root root 4096 Sep 12 08:39 configfiles
drwxr-xr-x. 2 root root 4096 Sep 12 08:39 script

/etc/sysconfig/rhn/allowed-actions/configfiles:
total 0
-rw-r--r--. 1 root root 0 Sep 12 08:39 all

/etc/sysconfig/rhn/allowed-actions/script:
total 0
-rw-r--r--. 1 root root 0 Sep 12 08:39 run

# rhn-actions-control --disable-all
# rhn-actions-control --report
deploy is disabled
diff is disabled
upload is disabled
mtime_upload is disabled
run is disabled

# ls -lR /etc/sysconfig/rhn/allowed-actions
/etc/sysconfig/rhn/allowed-actions:
total 8
drwxr-xr-x. 2 root root 4096 Sep 12 08:40 configfiles
drwxr-xr-x. 2 root root 4096 Sep 12 08:40 script

/etc/sysconfig/rhn/allowed-actions/configfiles:
total 0

/etc/sysconfig/rhn/allowed-actions/script:
total 0


# ls -l /etc/file_test_UPDATE
ls: cannot access /etc/file_test_UPDATE: No such file or directory

#### VIA WEBUI Add Provisioning Entitlement and 
#### Configuration channel "conf_chann_test_errata" to the System. 

#rhncfg-client get /etc/file_test_UPDATE
Deploying /etc/file_test_UPDATE

# ls -l /etc/file_test_UPDATE
-rw-r--r--. 1 root root 17 Sep 12 09:13 /etc/file_test_UPDATE

#rhncfg-manager get --channel=conf_chann_test_errata /etc/file_test_UPDATE
Password: 
File-Test_UPDATE
Comment 27 Jan Pazdziora 2011-09-12 09:56:32 EDT
Moving back ON_QA.

This bugzilla is about scheduling run command and then seeing it executed with rhn_check even if run is disabled.

What you test is an explicit get from the client -- different operation (deploy vs. run) and different invocation (rhncfg-* command vs. rhn_check).
Comment 28 Dimitar Yordanov 2011-09-15 04:46:01 EDT
Verified on RHEL[56]
Comment 29 errata-xmlrpc 2011-09-16 12:06:24 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1315.html
Comment 30 Jan Pazdziora 2012-03-15 11:06:46 EDT
*** Bug 682995 has been marked as a duplicate of this bug. ***
