What is the minimal amount of privileges granted to sudo user for Remote Execution feature in Satellite6?


Environment

Red Hat Satellite 6

Issue

We want all Remote Execution jobs in Satellite to be executed via sudo as a specific user that has as few privileges as possible. What is the minimal configuration under /etc/sudoers.d that permits only the specific programs sudo actually needs?

Resolution

This solution covers a very specific use case: a dedicated sudo user for REX jobs. For a more generic solution, see How to setup Remote Execution using non-root user on RHEL systems connected to Red Hat Satellite 6?

Assuming the user name for REX is rexuser, the minimal configuration for a REX job is the /etc/sudoers.d/rexuser file:

rexuser ALL = NOPASSWD: /var/tmp/foreman-ssh-cmd*/script, /bin/true

Some specific REX job types might execute other commands. If unsure, run a test REX job of the desired type with additional sudo logging enabled:

  1. On the Host, make /etc/sudoers writable so it can be edited:
chmod u+w /etc/sudoers
  2. Add a line to it that logs all input:
Defaults        log_input
  3. Run journalctl -f on the Host and meanwhile invoke a REX job against this Host.
  4. Check for log lines like:

Dec 14 17:17:26 my-satellite sudo[18570]:  rexuser : TTY=pts/2 ; PWD=/home/rexuser ; USER=root ; TSID=000005 ; COMMAND=/bin/true
Dec 14 17:17:27 my-satellite sudo[18631]:  rexuser : TTY=pts/2 ; PWD=/home/rexuser ; USER=root ; TSID=000006 ; COMMAND=/var/tmp/foreman-ssh-cmd-dae9d145-22c4-462a-bf6a-0a8b818ef381/script

which show the commands that were used.

  5. Ensure all those commands are granted by the /etc/sudoers.d/rexuser configuration.

  6. Remove the extra sudo logging and revert the permissions:

chmod a-w /etc/sudoers
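The check in step 5 can be automated. The following script is an added example and is not part of the Red Hat solution: it extracts the COMMAND= values sudo logged for the REX user and reports any that the /etc/sudoers.d/rexuser rule above would not grant. The sample log lines are constructed (the two from the article plus one extra command); the journalctl invocation in the comment is an assumed way to feed it real output.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: pull the COMMAND= values that
# sudo logged for the REX user out of journal output and report any that the
# /etc/sudoers.d/rexuser rule would not grant. Feed it real output with
#   journalctl _COMM=sudo | missing_grants rexuser
# or use the constructed sample at the bottom.

# Command globs from the sudoers rule (space separated here instead of the
# comma separated list used in sudoers syntax).
GRANTED='/var/tmp/foreman-ssh-cmd*/script /bin/true'

# rex_commands USER: read sudo log lines on stdin and print the distinct
# COMMAND= values (path plus arguments) recorded for USER.
rex_commands() {
    sed -n "s/^.* sudo\[[0-9]*\]: *$1 : .*COMMAND=//p" | sort -u
}

# cmd_granted "CMD ARGS": succeed if the executable path matches one of the
# granted globs. The rule lists no arguments, so sudoers allows any arguments
# and only the path is compared. Caveat: a shell glob '*' also matches '/',
# while a sudoers path wildcard does not, so this check is slightly more
# permissive than sudo itself.
cmd_granted() {
    exe=${1%% *}
    for pat in $GRANTED; do
        case "$exe" in $pat) return 0 ;; esac
    done
    return 1
}

# missing_grants USER: print each logged command the rule does not cover
# (one per line); exit 0 when every command is covered, 1 otherwise.
missing_grants() {
    missing=$(rex_commands "$1" | while IFS= read -r cmd; do
        cmd_granted "$cmd" || printf '%s\n' "$cmd"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the two lines from the article plus one extra command
# that the minimal rule would reject.
SAMPLE_LOG='Dec 14 17:17:26 my-satellite sudo[18570]:  rexuser : TTY=pts/2 ; PWD=/home/rexuser ; USER=root ; TSID=000005 ; COMMAND=/bin/true
Dec 14 17:17:27 my-satellite sudo[18631]:  rexuser : TTY=pts/2 ; PWD=/home/rexuser ; USER=root ; TSID=000006 ; COMMAND=/var/tmp/foreman-ssh-cmd-dae9d145-22c4-462a-bf6a-0a8b818ef381/script
Dec 14 17:17:28 my-satellite sudo[18702]:  rexuser : TTY=pts/2 ; PWD=/home/rexuser ; USER=root ; TSID=000007 ; COMMAND=/usr/bin/dnf -y update'

printf '%s\n' "$SAMPLE_LOG" | missing_grants rexuser || echo 'sudoers rule needs updating'
```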


NOTE: This behavior is being further improved via Bugzilla 2222816, which should remove the need for /bin/true in the sudoers configuration.

For more KB articles/solutions related to Red Hat Satellite 6.x Remote Execution Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Remote Execution Issues

Root Cause

Refer to Bugzilla 2222816 to understand more about this behavior and why /bin/true is needed.
