  1. Satellite
  2. SAT-19024

Preflight tests require that sudo allow the remote_execution_ssh_user to run "/usr/bin/true" for REX to work


    • 0
    • False
    • rubygem-smart_proxy_remote_execution_ssh-0.10.3
    • Moderate
    • None
    • None
    • None
    • None

      Description of problem:
      When using a remote_execution_ssh_user different from root and allowing that user to run only specific commands (via sudoers configuration), it is required to add /usr/bin/true to the list of allowed commands for REX to work.

      Version-Release number of selected component (if applicable):
      6.12

      How reproducible:
      Always

      Steps to Reproduce:
      1. Configure remote_execution_ssh_user to be a non-root user
      2. Configure sudoers like below:

      ~~~
      Cmnd_Alias SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ *,!/var/tmp/foreman-ssh-cmd-*..*
      SATUSER ALL=NOPASSWD:SATCMNDS
      ~~~

      3. Run any REX job

      Actual results:

      On the task, got this error:

      ~~~
      1:
      Error initializing command: RuntimeError - Failed to change to effective user, exit code: 1
      2:
      Exit status: EXCEPTION
      ~~~

      On the target host, on /var/log/secure:

      ~~~
      Jul 13 20:33:54 josh-medling sshd[2984]: Postponed publickey for rexuser from 192.168.100.100 port 59356 ssh2 [preauth]
      Jul 13 20:33:54 josh-medling sshd[2984]: Accepted publickey for rexuser from 192.168.100.100 port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
      Jul 13 20:33:54 josh-medling sshd[2984]: pam_unix(sshd:session): session opened for user rexuser by (uid=0)
      Jul 13 20:33:55 josh-medling unix_chkpwd[3129]: password check failed for user (rexuser)
      Jul 13 20:33:55 josh-medling sudo[3104]: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost= user=rexuser
      Jul 13 20:33:56 josh-medling unix_chkpwd[3131]: password check failed for user (rexuser)
      Jul 13 20:33:58 josh-medling unix_chkpwd[3133]: password check failed for user (rexuser)
      Jul 13 20:34:00 josh-medling sudo[3104]: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true
      ~~~

      Expected results:
      No special sudo permissions required.

      Additional info:

      These preflight tests were introduced to solve this issue [1] and only landed in Satellite 6.12. Customers that have restrictions on the commands that REX users can run with sudo will hit this when they get to 6.12.

      [1]: https://projects.theforeman.org/issues/34363
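
The refusal recorded in the /var/log/secure excerpt above can be picked out mechanically when checking hosts with a restricted sudoers policy. This is an added example, not part of the original report or of Satellite/Foreman code; the function names are hypothetical, three sample lines are copied from the excerpt, and the last one is constructed (placeholder path) to show a permitted call for contrast.

```python
import re
from collections import Counter

# First three lines: copied from the report's /var/log/secure excerpt.
# Last line: constructed, with a placeholder directory name.
SAMPLE = """\
Jul 13 20:33:54 josh-medling sshd[2984]: Accepted publickey for rexuser from 192.168.100.100 port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
Jul 13 20:33:55 josh-medling sudo[3104]: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost= user=rexuser
Jul 13 20:34:00 josh-medling sudo[3104]: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true
Jul 13 20:35:10 josh-medling sudo[3210]: rexuser : TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/var/tmp/foreman-ssh-cmd-EXAMPLE/script
""".splitlines()

# sudo's own log record: "<user> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
# The optional <reason> field is only present when sudo refused the request.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo\[\d+\]:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;=]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)

def sudo_denials(lines):
    """Return one dict per sudo record that carries a refusal reason."""
    events = []
    for line in lines:
        m = SUDO_RE.match(line.strip())
        if m and m["reason"]:          # PAM lines and permitted calls are skipped
            events.append(m.groupdict())
    return events

def missing_rules(lines):
    """Count 'command not allowed' refusals per (user, run-as user, command)."""
    return Counter(
        (e["user"], e["runas"], e["command"])
        for e in sudo_denials(lines)
        if e["reason"] == "command not allowed"
    )

if __name__ == "__main__":
    for (user, runas, cmd), n in missing_rules(SAMPLE).items():
        print(f"{user} was refused {cmd} as {runas} ({n}x)")
```
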

              aruzicka@redhat.com Adam Ruzicka
              jira-bugzilla-migration RH Bugzilla Integration
              Lukas Hellebrandt Lukas Hellebrandt