Bug #9347

sudo management isn't update-safe

Added by Florian Heigl about 1 year ago. Updated 2 months ago.

Status:
Released
Priority:
N/A
Category:
Techniques
Target version:
Target version (plugin):
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Medium
Priority:
65

Description

If you extend the list of allowed sudo commands, Rudder will add another line with the second permission set.

Also, it adds its own entries in the last line, after the #include statement. That's not proper; can you make it so it adds its stuff before #include, since that is the last line by convention (no technical need, just style)?


Related issues

Related to ncf - User story #11145: Add bundle in library to edit section, and enforce its content, as well as deleting line matching regexp in all file Released

Associated revisions

Revision 7ccfd21b
Added by Nicolas CHARLES 4 months ago

Refs #9347: Creation of sudoParameters version 3.1 from 3.0

Revision 30280bea
Added by Nicolas CHARLES 4 months ago

Fixes #9347: sudo management isn't update-safe

History

#1 Updated by Benoît PECCATTE 12 months ago

Yes, this is due to a limitation in how we write techniques and how cfengine convergence works.

To make sure a technique is update-safe, we are thinking about how to solve this, but it needs long-term changes.

To work around the limitations, the best thing is to use templates.

#2 Updated by François ARMAND 8 months ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Getting started - demo | first install | level 1 Techniques
  • Priority set to 72

#3 Updated by François ARMAND 8 months ago

We should have an edit zone for Rudder, and cleanly manage everything in that zone.

#4 Updated by Nicolas CHARLES 7 months ago

  • Effort required set to Medium
  • Priority changed from 72 to 70
Ok, there are two parts in this:
  1. editing within a Rudder zone - strictly enforcing content there (but what about lines not in this zone, should they be moved within the zone when commands are managed?). Question is: how do we know which Directives will trigger a change if several directives are editing this zone?
  2. extending the list of commands: we need to be able to tell that we are extending a line (so partial match?); or strictly enforce the content (see previous point)

Feedback is welcome on the expected behaviour.
Estimated effort is more than a day (something in between checkGenericFileContent + ensure_key_value_parameters).

#5 Updated by Benoît PECCATTE 6 months ago

  • Assignee set to Nicolas CHARLES
  • Priority changed from 70 to 69

#6 Updated by Nicolas CHARLES 5 months ago

  • Target version set to 3.1.21

We should use file_ensure_block_in_section to create and edit section

#7 Updated by Nicolas CHARLES 5 months ago

Nicolas CHARLES wrote:

We should use file_ensure_block_in_section to create and edit section

Actually, this would prevent detecting which command has been edited
So we could either create a new generic method that would have name of section as class parameter, or find another solution :/

#8 Updated by Nicolas CHARLES 5 months ago

To have a correct fix with a generic method, we need to have composite keys for reporting, and this is quite a big change (it could only be in master for ncf), even if located only in ncf.
So to have a suitable fix in Rudder 3.1, we'll create ad-hoc code, like a generic method, in the sudo technique, to edit the section with proper reporting.

#9 Updated by Vincent MEMBRÉ 5 months ago

  • Target version changed from 3.1.21 to 3.1.22
  • Priority changed from 69 to 68

#10 Updated by Nicolas CHARLES 5 months ago

  • Status changed from New to In progress

#11 Updated by Nicolas CHARLES 5 months ago

There's a huge question mark here.
We are moving from managing a file like

# User privilege specification
root    ALL=(ALL:ALL) ALL

%admin ALL=(ALL) ALL

%sudo    ALL=(ALL:ALL) ALL

to

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Configuration name Name 1
%admin ALL=(ALL) ALL
# End Configuration name Name 1

# Configuration name Name 2
%sudo    ALL=(ALL:ALL) ALL
# End Configuration name Name 2

without having duplicate lines.
An idea would be to create a globally managed section
#Managed by Rudder

#End of section Managed by Rudder

and work in this section, and purge all duplicated lines in and out of this section; but the resulting code gets pretty complex
(but it's doable).

#14 Updated by Nicolas CHARLES 5 months ago

Decided solution:
we check if expected line is there - if it is, but not in the section (and the section doesn't exist somewhere else), we wrap it around the section.
Otherwise, if section is there, we edit it
otherwise, we add the section
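
A constructed model of the decision order in comment #14 (using the section markers from comment #11), added here as an example; it is not code from Rudder, ncf or the linked pull request. The marker strings, the `ensure_sudo_section` name and the purge of duplicate copies outside the section (the idea in comment #11) are assumptions.

```python
# Constructed sudoers content from comment #11 (the "before" layout).
ORIGINAL = (
    "# User privilege specification\n"
    "root    ALL=(ALL:ALL) ALL\n\n"
    "%admin ALL=(ALL) ALL\n\n"
    "%sudo    ALL=(ALL:ALL) ALL\n"
)


def ensure_sudo_section(content: str, name: str, lines: list[str]) -> str:
    """Return `content` with a section `name` holding exactly `lines`.

    Order decided in comment #14: an existing section is edited in place;
    an expected line found outside any section gets wrapped into a new
    section; otherwise the section is appended. Assumed marker format.
    """
    start = f"# Configuration name {name}"
    end = f"# End Configuration name {name}"
    src = content.splitlines()
    wanted = {l.strip() for l in lines}
    if start in src and end in src:
        i, j = src.index(start), src.index(end)
        if i > j:
            raise ValueError(f"malformed section {name!r}: end before start")
        # Edit in place; drop unmanaged copies of the managed lines so the
        # extended command list replaces the old line instead of adding one.
        before = [l for l in src[:i] if l.strip() not in wanted]
        after = [l for l in src[j + 1:] if l.strip() not in wanted]
        return "\n".join(before + [start] + lines + [end] + after) + "\n"
    block = [start] + lines + [end]
    hits = [k for k, l in enumerate(src) if l.strip() in wanted]
    if hits:
        # Wrap the section around the first occurrence; other copies go.
        rest = [l for k, l in enumerate(src) if k not in hits]
        pos = hits[0]
        return "\n".join(rest[:pos] + block + rest[pos:]) + "\n"
    return "\n".join(src + block) + "\n"


def migrate() -> str:
    """Move the comment #11 'before' file to its 'after' layout."""
    out = ensure_sudo_section(ORIGINAL, "Name 1", ["%admin ALL=(ALL) ALL"])
    return ensure_sudo_section(out, "Name 2", ["%sudo    ALL=(ALL:ALL) ALL"])


if __name__ == "__main__":
    print(migrate())
```

Running `ensure_sudo_section` a second time with a longer command list rewrites the line inside the section, which is the update-safety the ticket asks for.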

#15 Updated by Nicolas CHARLES 4 months ago

  • Status changed from In progress to Pending technical review
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1176
  • Priority changed from 68 to 67

#16 Updated by Nicolas CHARLES 4 months ago

  • Status changed from Pending technical review to In progress
  • Pull Request deleted (https://github.com/Normation/rudder-techniques/pull/1176)

It's still in progress (I did a rudder-dev wip, don't know why it created a PR).

#17 Updated by Nicolas CHARLES 4 months ago

  • Related to User story #11145: Add bundle in library to edit section, and enforce its content, as well as deleting line matching regexp in all file added

#18 Updated by Nicolas CHARLES 4 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1178

#19 Updated by Vincent MEMBRÉ 3 months ago

  • Target version changed from 3.1.22 to 3.1.23
  • Priority changed from 67 to 66

#20 Updated by Nicolas CHARLES 3 months ago

  • Status changed from Pending technical review to Pending release

#21 Updated by Vincent MEMBRÉ 2 months ago

  • Status changed from Pending release to Released
  • Priority changed from 66 to 65

This bug has been fixed in Rudder 3.1.23, 4.1.7 and 4.2.0~rc1 which were released today.
