Description of problem: Can't execute remote commands when client mounts /tmp with "nosuid" Version-Release number of selected component (if applicable): How reproducible: Every time I schedule a remote command Steps to Reproduce: 1. Configure /tmp to mount with "nosuid" (a common security hardening step) 2. Run a remote command via Spacewalk Actual results: Fail Expected results: Script runs Additional info: Can configure the TEMPDIR parameter to point somewhere else, but I think this is a messy solution.
And I've just realised I've sleep-walked into creating this as a Spacewalk bug. I see the issue on Satellite 5.4.1 and haven't actually tried it on Spacewalk yet - sorry. The scripts fail due to "noexec" and "nosuid" being applied to the /tmp mount as per most of the security lock-down benchmarks available for RHEL. My hints for a solution would be to use a private secure directory (somewhere in /var/spool perhaps) rather than /tmp If this issue doesn't bother Spacewalk, then please forgive my intrusion.
You are right in saying this problem shows in RHEL (the stock RHEL, without any Spacewalk client stuff updated). The thing though has been fixed in spacewalk.git master, commit: be9c7586090e42f56f06fea67512c625883434b3 and released with Spacewalk 1.5. With this change in place, the default temporary directory will be '/var/spool/rhn' and is customizable with 'script_tmp_dir' option in 'rhncfg-client.conf'.
Sounds perfect. Now to get it into Satellite :-)
(In reply to comment #3) > Sounds perfect. Now to get it into Satellite :-) If Satellite is a priority, may I suggest to clone this bug for Satellite and reach out to Red Hat support -- a customer ticket attached to a bug report will make a stronger statement when prioritizing bugs for a future rhncfg errata. Thank you.
Already done Milan. Bug raised, downgraded to an RFE by Red Hat support, linked back to this ticket now that it's already been done in Spacewalk. Many thanks Duncan
Spacewalk 1.6 has been released.