|
 |
538a70 |
commit 55e8c83ee5920ab30644f54f7a525255b1de4b84
|
|
|
538a70 |
Author: Nathan Scott <nathans@redhat.com>
|
|
|
538a70 |
Date: Mon Aug 29 14:25:03 2022 +1000
|
|
|
538a70 |
|
|
|
538a70 |
docs: describe working sudoers configuration with requiretty
|
|
|
538a70 |
|
|
|
538a70 |
When /etc/sudoers is configured with 'Defaults requiretty',
|
|
|
538a70 |
pmlogctl cannot invoke pmlogger_check in the normal fashion.
|
|
|
538a70 |
Symptoms of the problem are the following system log message:
|
|
|
538a70 |
|
|
|
538a70 |
pmlogctl[PID]: sudo: sorry, you must have a tty to run sudo
|
|
|
538a70 |
|
|
|
538a70 |
pmiectl and pmie_check are similarly affected. The simplest
|
|
|
538a70 |
solution is to add an additional configuration line excluding
|
|
|
538a70 |
these commands from requiring a tty; this is the approach now
|
|
|
538a70 |
documented.
|
|
|
538a70 |
|
|
|
538a70 |
Note these PCP commands are not interactive (require no tty)
|
|
|
538a70 |
and the unprivileged 'pcp' account uses nologin(8) as a shell
|
|
|
538a70 |
anyway, so requiretty offers no advantages here. Note also
|
|
|
538a70 |
there's debate about whether requiretty is a useful security
|
|
|
538a70 |
measure in general as it can be trivially bypassed; further
|
|
|
538a70 |
details: https://bugzilla.redhat.com/show_bug.cgi?id=1020147
|
|
|
538a70 |
|
|
|
538a70 |
Resolves Red Hat BZ #2093751
|
|
|
538a70 |
|
|
|
538a70 |
diff -Naurp pcp-5.3.7.orig/man/man1/pmie_check.1 pcp-5.3.7/man/man1/pmie_check.1
|
|
|
538a70 |
--- pcp-5.3.7.orig/man/man1/pmie_check.1 2021-11-04 08:26:15.000000000 +1100
|
|
|
538a70 |
+++ pcp-5.3.7/man/man1/pmie_check.1 2022-08-31 11:17:52.362276530 +1000
|
|
|
538a70 |
@@ -406,6 +406,42 @@ no
|
|
|
538a70 |
entries are needed as the timer mechanism provided by
|
|
|
538a70 |
.B systemd
|
|
|
538a70 |
is used instead.
|
|
|
538a70 |
+.PP
|
|
|
538a70 |
+The
|
|
|
538a70 |
+.BR pmiectl (1)
|
|
|
538a70 |
+utility may invoke
|
|
|
538a70 |
+.B pmie_check
|
|
|
538a70 |
+using the
|
|
|
538a70 |
+.BR sudo (1)
|
|
|
538a70 |
+command to run it under the $PCP_USER ``pcp'' account.
|
|
|
538a70 |
+If
|
|
|
538a70 |
+.B sudo
|
|
|
538a70 |
+is configured with the non-default
|
|
|
538a70 |
+.I requiretty
|
|
|
538a70 |
+option (see below),
|
|
|
538a70 |
+.B pmie_check
|
|
|
538a70 |
+may fail to run due to not having a tty configured.
|
|
|
538a70 |
+This issue can be resolved by adding a second line
|
|
|
538a70 |
+(expand $PCP_BINADM_DIR according to your platform)
|
|
|
538a70 |
+to the
|
|
|
538a70 |
+.I /etc/sudoers
|
|
|
538a70 |
+configuration file as follows:
|
|
|
538a70 |
+.P
|
|
|
538a70 |
+.ft CW
|
|
|
538a70 |
+.nf
|
|
|
538a70 |
+.in +0.5i
|
|
|
538a70 |
+Defaults requiretty
|
|
|
538a70 |
+Defaults!$PCP_BINADM_DIR/pmie_check !requiretty
|
|
|
538a70 |
+.in
|
|
|
538a70 |
+.fi
|
|
|
538a70 |
+.ft 1
|
|
|
538a70 |
+.P
|
|
|
538a70 |
+Note that the unprivileged PCP account under which these
|
|
|
538a70 |
+commands run uses
|
|
|
538a70 |
+.I /sbin/nologin
|
|
|
538a70 |
+as the shell, so the
|
|
|
538a70 |
+.I requiretty
|
|
|
538a70 |
+option is ineffective here and safe to disable in this way.
|
|
|
538a70 |
.SH FILES
|
|
|
538a70 |
.TP 5
|
|
|
538a70 |
.I $PCP_PMIECONTROL_PATH
|
|
|
538a70 |
diff -Naurp pcp-5.3.7.orig/man/man1/pmlogger_check.1 pcp-5.3.7/man/man1/pmlogger_check.1
|
|
|
538a70 |
--- pcp-5.3.7.orig/man/man1/pmlogger_check.1 2022-04-05 09:05:43.000000000 +1000
|
|
|
538a70 |
+++ pcp-5.3.7/man/man1/pmlogger_check.1 2022-08-31 11:20:52.470086724 +1000
|
|
|
538a70 |
@@ -830,6 +830,42 @@ no
|
|
|
538a70 |
entries are needed as the timer mechanism provided by
|
|
|
538a70 |
.B systemd
|
|
|
538a70 |
is used instead.
|
|
|
538a70 |
+.PP
|
|
|
538a70 |
+The
|
|
|
538a70 |
+.BR pmlogctl (1)
|
|
|
538a70 |
+utility may invoke
|
|
|
538a70 |
+.B pmlogger_check
|
|
|
538a70 |
+using the
|
|
|
538a70 |
+.BR sudo (1)
|
|
|
538a70 |
+command to run it under the $PCP_USER ``pcp'' account.
|
|
|
538a70 |
+If
|
|
|
538a70 |
+.B sudo
|
|
|
538a70 |
+is configured with the non-default
|
|
|
538a70 |
+.I requiretty
|
|
|
538a70 |
+option (see below),
|
|
|
538a70 |
+.B pmlogger_check
|
|
|
538a70 |
+may fail to run due to not having a tty configured.
|
|
|
538a70 |
+This issue can be resolved by adding a second line
|
|
|
538a70 |
+(expand $PCP_BINADM_DIR according to your platform)
|
|
|
538a70 |
+to the
|
|
|
538a70 |
+.I /etc/sudoers
|
|
|
538a70 |
+configuration file as follows:
|
|
|
538a70 |
+.P
|
|
|
538a70 |
+.ft CW
|
|
|
538a70 |
+.nf
|
|
|
538a70 |
+.in +0.5i
|
|
|
538a70 |
+Defaults requiretty
|
|
|
538a70 |
+Defaults!$PCP_BINADM_DIR/pmlogger_check !requiretty
|
|
|
538a70 |
+.in
|
|
|
538a70 |
+.fi
|
|
|
538a70 |
+.ft 1
|
|
|
538a70 |
+.P
|
|
|
538a70 |
+Note that the unprivileged PCP account under which these
|
|
|
538a70 |
+commands run uses
|
|
|
538a70 |
+.I /sbin/nologin
|
|
|
538a70 |
+as the shell, so the
|
|
|
538a70 |
+.I requiretty
|
|
|
538a70 |
+option is ineffective here and safe to disable in this way.
|
|
|
538a70 |
.SH FILES
|
|
|
538a70 |
.TP 5
|
|
|
538a70 |
.I $PCP_PMLOGGERCONTROL_PATH
|
|
|
538a70 |
@@ -926,7 +962,7 @@ instances for
|
|
|
538a70 |
.I hostname
|
|
|
538a70 |
have been launched in the interim.
|
|
|
538a70 |
Because the cron-driven PCP archive management scripts run under
|
|
|
538a70 |
-the uid of the user ``pcp'',
|
|
|
538a70 |
+the $PCP_USER account ``pcp'',
|
|
|
538a70 |
.BI $PCP_ARCHIVE_DIR/ hostname /SaveLogs
|
|
|
538a70 |
typically needs to be owned by the user ``pcp''.
|
|
|
538a70 |
.TP
|
|
|
538a70 |
@@ -994,6 +1030,7 @@ platforms.
|
|
|
538a70 |
.BR pmlogmv (1),
|
|
|
538a70 |
.BR pmlogrewrite (1),
|
|
|
538a70 |
.BR pmsocks (1),
|
|
|
538a70 |
+.BR sudo (1),
|
|
|
538a70 |
.BR systemd (1),
|
|
|
538a70 |
.BR xz (1)
|
|
|
538a70 |
and
|