Bug 711761 - Internal error while removing sudorule option without "--sudooption".
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-06-08 12:27 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:49 UTC (History)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Removing a sudorule option fails on the server.
Consequence: It isn't possible to remove a sudorule option.
Fix: The code to remove sudorule options was not robust, so if input didn't exactly match what was stored, it failed.
Result: Removing options is much more robust; errors are handled such that the whole command does not fail.
Last Closed: 2011-12-06 18:33:29 UTC
Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-06-08 12:27:06 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64
ipa-admintools-2.0.0-25.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. "ipa sudorule-add-option sudorule3" 
and you are prompted for "Sudo Option:"

2. "ipa sudorule-remove-option sudorule3"

  
Actual results:
# ipa sudorule-remove-option sudorule3
ipa: ERROR: an internal error has occurred

Expected results:
Should prompt for "Sudo Option:" to be removed.

Additional info:
# ipa -d sudorule-remove-option sudorule3
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/entitle.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: sudorule_remove_option(u'sudorule3')
ipa: DEBUG: sudorule_remove_option(u'sudorule3')
ipa: INFO: Forwarding 'sudorule_remove_option' to server u'https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init bumblebee.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=bumblebee.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connecting: 10.65.201.64:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=bumblebee.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.64:443
ipa: DEBUG: Caught fault 903 from server https://bumblebee.lab.eng.pnq.redhat.com/ipa/xml: an internal error has occurred
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: an internal error has occurred



/var/log/httpd/error_log:
[Wed Jun 08 08:23:16 2011] [error] ipa: ERROR: non-public: KeyError: 'ipasudoopt'
[Wed Jun 08 08:23:16 2011] [error] Traceback (most recent call last):
[Wed Jun 08 08:23:16 2011] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 217, in wsgi_execute
[Wed Jun 08 08:23:16 2011] [error]     result = self.Command[name](*args, **options)
[Wed Jun 08 08:23:16 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 422, in __call__
[Wed Jun 08 08:23:16 2011] [error]     ret = self.run(*args, **options)
[Wed Jun 08 08:23:16 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 728, in run
[Wed Jun 08 08:23:16 2011] [error]     return self.execute(*args, **options)
[Wed Jun 08 08:23:16 2011] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py", line 653, in execute
[Wed Jun 08 08:23:16 2011] [error]     options['ipasudoopt']
[Wed Jun 08 08:23:16 2011] [error] KeyError: 'ipasudoopt'
[Wed Jun 08 08:23:16 2011] [error] ipa: INFO: admin@LAB.ENG.PNQ.REDHAT.COM: sudorule_remove_option(u'sudorule3'): KeyError

Comment 2 Rob Crittenden 2011-06-08 13:46:36 UTC
https://fedorahosted.org/freeipa/ticket/1308

Comment 3 Rob Crittenden 2011-08-01 20:26:44 UTC
master: 44cdf8ef54ff761a5e38919b8cdce5128928985a

Comment 5 Rob Crittenden 2011-10-31 19:47:55 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Removing a sudorule option fails on the server.
Consequence: It isn't possible to remove a sudorule option.
Fix: The code to remove sudorule options was not robust, so if input didn't exactly match what was stored, it failed.
Result: Removing options is much more robust; errors are handled such that the whole command does not fail.
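
The failure in the traceback above and the behaviour the technical note describes, as an added example that is not FreeIPA's code or the actual fix: a handler that indexes an RPC argument without checking it, next to a form that validates server-side and raises defined errors. The exception classes, function names and sample rule are assumptions made for illustration.

```python
# Added illustration; not FreeIPA code. All names below are hypothetical.

class MissingArgument(Exception):
    """Public, client-facing error: a required argument was not supplied."""

class ValueNotFound(Exception):
    """Public, client-facing error: the value is not stored on the rule."""


def remove_option_fragile(rule, **options):
    """'Before' form: trusts the RPC caller to have sent ipasudoopt."""
    # KeyError if the key is absent, ValueError if the value is not stored;
    # either escapes as an unhandled exception (the "internal error" above).
    rule["ipasudoopt"].remove(options["ipasudoopt"])
    return rule


def remove_option_checked(rule, **options):
    """Hardened form: validate server-side, fail with a defined error."""
    wanted = (options.get("ipasudoopt") or "").strip()
    if not wanted:
        raise MissingArgument("ipasudoopt is required")
    stored = rule.get("ipasudoopt", [])
    if wanted not in stored:
        raise ValueNotFound(wanted)
    stored.remove(wanted)
    return rule


def outcome(handler, rule, **options):
    """Call a handler and report what the RPC layer would see."""
    try:
        handler(rule, **options)
        return "ok"
    except (MissingArgument, ValueNotFound) as exc:
        return "public:" + type(exc).__name__
    except Exception as exc:  # anything else becomes a generic internal error
        return "internal:" + type(exc).__name__


def sample_rule():
    # Constructed sample entry, modelled on the rule shown in this report.
    return {"cn": "sudorule3", "ipasudoopt": ["logfile=/var/log/sudolog"]}
```

A command-line client that prompts for the option does not remove the need for the server-side check, since the RPC endpoint can be called without the argument by any authenticated client.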

Comment 6 Gowrishankar Rajaiyan 2011-11-02 06:34:30 UTC
[root@jetfire ~]# ipa sudorule-add-option shanks-rule1 
Sudo Option: "logfile=/var/log/sudolog"
---------------------------------------------------------------------
Added option ""logfile=/var/log/sudolog"" to Sudo Rule "shanks-rule1"
---------------------------------------------------------------------
  Rule name: shanks-rule1
  Enabled: TRUE
  Sudo Option: "logfile=/var/log/sudolog"
[root@jetfire ~]# 
[root@jetfire ~]# 
[root@jetfire ~]# 
[root@jetfire ~]# ipa sudorule-remove-option shanks-rule1 
Sudo Option: "logfile=/var/log/sudolog"
-------------------------------------------------------------------------
Removed option ""logfile=/var/log/sudolog"" from Sudo Rule "shanks-rule1"
-------------------------------------------------------------------------
  Rule name: shanks-rule1
  Enabled: TRUE
[root@jetfire ~]# 


Verified. Version: ipa-server-2.1.3-7.el6.x86_64

Comment 7 errata-xmlrpc 2011-12-06 18:33:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

