commit 55e8c83ee5920ab30644f54f7a525255b1de4b84

Author: Nathan Scott <nathans@redhat.com>

Date:   Mon Aug 29 14:25:03 2022 +1000

    docs: describe working sudoers configuration with requiretty

    When /etc/sudoers is configured with 'Defaults requiretty',

    pmlogctl cannot invoke pmlogger_check in the normal fashion.

    Symptoms of the problem are the following system log message:

    pmlogctl[PID]: sudo: sorry, you must have a tty to run sudo

    pmiectl and pmie_check are similarly affected.  The simplest

    solution is to add an additional configuration line excluding

    these commands from requiring a tty; this is the approach now

    documented.

    Note these PCP commands are not interactive (require no tty)

    and the unprivileged 'pcp' account uses nologin(8) as a shell

    anyway, so requiretty offers no advantages here.  Note also

    there's debate about whether requiretty is a useful security

    measure in general as it can be trivially bypassed; further

    details: https://bugzilla.redhat.com/show_bug.cgi?id=1020147

    Resolves Red Hat BZ #2093751

diff -Naurp pcp-5.3.7.orig/man/man1/pmie_check.1 pcp-5.3.7/man/man1/pmie_check.1

--- pcp-5.3.7.orig/man/man1/pmie_check.1	2021-11-04 08:26:15.000000000 +1100

+++ pcp-5.3.7/man/man1/pmie_check.1	2022-08-31 11:17:52.362276530 +1000

@@ -406,6 +406,42 @@ no

 entries are needed as the timer mechanism provided by

 .B systemd

 is used instead.

+.PP

+The

+.BR pmiectl (1)

+utility may invoke

+.B pmie_check

+using the

+.BR sudo (1)

+command to run it under the $PCP_USER ``pcp'' account.

+If

+.B sudo

+is configured with the non-default

+.I requiretty

+option (see below),

+.B pmie_check

+may fail to run due to not having a tty configured.

+This issue can be resolved by adding a second line

+(expand $PCP_BINADM_DIR according to your platform)

+to the

+.I /etc/sudoers

+configuration file as follows:

+.P

+.ft CW

+.nf

+.in +0.5i

+Defaults requiretty

+Defaults!$PCP_BINADM_DIR/pmie_check !requiretty

+.in

+.fi

+.ft 1

+.P

+Note that the unprivileged PCP account under which these

+commands run uses

+.I /sbin/nologin

+as the shell, so the

+.I requiretty

+option is ineffective here and safe to disable in this way.

 .SH FILES

 .TP 5

 .I $PCP_PMIECONTROL_PATH

diff -Naurp pcp-5.3.7.orig/man/man1/pmlogger_check.1 pcp-5.3.7/man/man1/pmlogger_check.1

--- pcp-5.3.7.orig/man/man1/pmlogger_check.1	2022-04-05 09:05:43.000000000 +1000

+++ pcp-5.3.7/man/man1/pmlogger_check.1	2022-08-31 11:20:52.470086724 +1000

@@ -830,6 +830,42 @@ no

 entries are needed as the timer mechanism provided by

 .B systemd

 is used instead.

+.PP

+The

+.BR pmlogctl (1)

+utility may invoke

+.B pmlogger_check

+using the

+.BR sudo (1)

+command to run it under the $PCP_USER ``pcp'' account.

+If

+.B sudo

+is configured with the non-default

+.I requiretty

+option (see below),

+.B pmlogger_check

+may fail to run due to not having a tty configured.

+This issue can be resolved by adding a second line

+(expand $PCP_BINADM_DIR according to your platform)

+to the

+.I /etc/sudoers

+configuration file as follows:

+.P

+.ft CW

+.nf

+.in +0.5i

+Defaults requiretty

+Defaults!$PCP_BINADM_DIR/pmlogger_check !requiretty

+.in

+.fi

+.ft 1

+.P

+Note that the unprivileged PCP account under which these

+commands run uses

+.I /sbin/nologin

+as the shell, so the

+.I requiretty 

+option is ineffective here and safe to disable in this way.

 .SH FILES

 .TP 5

 .I $PCP_PMLOGGERCONTROL_PATH

@@ -926,7 +962,7 @@ instances for

 .I hostname

 have been launched in the interim.

 Because the cron-driven PCP archive management scripts run under

-the uid of the user ``pcp'',

+the $PCP_USER account ``pcp'',

 .BI $PCP_ARCHIVE_DIR/ hostname /SaveLogs

 typically needs to be owned by the user ``pcp''.

 .TP

@@ -994,6 +1030,7 @@ platforms.

 .BR pmlogmv (1),

 .BR pmlogrewrite (1),

 .BR pmsocks (1),

+.BR sudo (1),

 .BR systemd (1),

 .BR xz (1)

 and