Sudoers.d wrong file permissions

[root@server ~]# visudo -c|grep ^OK|sort
/etc/sudoers.d/20_nethserver_openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_subscription: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440
/etc/sudoers.d/samba-audit: bad permissions, should be mode 0440
1 Like

There’s another thread:

I collected the output from some of my servers:

/etc/sudoers.d/20_nethserver_openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_subscription: bad permissions, should be mode 0440
/etc/sudoers.d/30_nethserver_sambastatus: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_awstats: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_crontabmanager: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_dokuwiki: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_phpldapadmin: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_phpmyadmin: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_phppgadmin: bad permissions, should be mode 0440
/etc/sudoers.d/samba-audit: bad permissions, should be mode 0440

/cc @stephdl

EDIT:

@federico.ballarini I tested your fixed packages and they still throw the permission error, even reinstalling did not work.

[root@testserver]# visudo -c|grep ^OK|sort
/etc/sudoers.d/20_nethserver_openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_subscription: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440

I think this is relevant.

I don’t know how to handle it exactly but maybe just adding another --file param with the correct file may solve it.

%{genfilelist} %{buildroot} --file /etc/sudoers.d/50_nsapi_nethserver_suricata 'attr(0440,root,root)' > %{name}-%{version}-%{release}-filelist

EDIT2:

Instead of using %attr(0440,root,root) /etc/sudoers.d/20_nethserver_suricata the following worked for me:

%{genfilelist} %{buildroot} \
  --file /etc/sudoers.d/20_nethserver_suricata 'attr(0440,root,root)' \
  --file /etc/sudoers.d/50_nsapi_nethserver_suricata 'attr(0440,root,root)' > %{name}-%{version}-%{release}-filelist
2 Likes

I have tried them locally and the fix seems to work… I don’t know why they won’t work now.

Probably we have to change them as suggested by Mr Markuz. @davidep @giacomo

1 Like

I don’t know. The fix in my above post worked for me. But maybe same problem that it works locally?

Could you test the following package? I compiled it but unfortunately messed up my git repo and deleted it.

yum install https://mrmarkuz.goip.de/mirror/devtest/nethserver-suricata-1.3.1-1.2.g43119d8.ns7.noarch.rpm

I’ve tested @federico.ballarini’s fix on nethserver-suricata: while @mrmarkuz’s method is the preferred one, Federico’s implementation also seems to work.

Before update:

[root@demosecurity ~]# rpm -q nethserver-suricata
nethserver-suricata-1.3.1-1.ns7.noarch
[root@demosecurity ~]# visudo  -c 2>&1| grep suricata
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_suricata: parsed OK

After update (package built locally from master):

[root@demosecurity ~]# rpm -q nethserver-suricata
nethserver-suricata-1.3.1-1.1.g5f43f1f.ns7.noarch
[root@demosecurity ~]# visudo  -c 2>&1| grep suricata
/etc/sudoers.d/20_nethserver_suricata: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_suricata: parsed OK

I also quickly verified other RPMs (built locally), to recap:

  • nethserver-openvpn: ok
  • nethserver-subscription: ko
  • nethserver-suricata: ok
  • nethserver-samba-audit: ko

Since this is the second topic about sudoers permission, would you like to open an issue @dnutan?
It’s, of course, highly cosmetic, but we could fix all official packages (and eventually also nethforge ones).

2 Likes
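Added example, not part of the thread or of any NethServer package: a shell check that lists every file in a sudoers drop-in directory whose mode is not 0440 (the condition `visudo -c` reports above) and, where `rpm` is available, names the owning package so the right .spec can be fixed. The function names, the temporary directory and the 0644 mode in the demo are constructed for illustration; GNU `stat` is assumed.

```shell
#!/bin/sh
# audit_sudoers_modes [DIR] [MODE]  (hypothetical helper, added example)
# Prints one line per regular file in DIR whose mode differs from MODE.
# Returns 0 when every file matches, 1 when at least one does not.
audit_sudoers_modes() {
    dir=${1:-/etc/sudoers.d}
    want=${2:-440}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # GNU stat: octal mode, e.g. 440
        if [ "$mode" != "$want" ]; then
            pkg=""
            if command -v rpm >/dev/null 2>&1; then
                # rpm -qf exits non-zero for files no package owns
                pkg=$(rpm -qf --qf '%{NAME}' "$f" 2>/dev/null) || pkg="unowned"
            fi
            printf '%s: mode %s, expected %s%s\n' \
                "$f" "$mode" "$want" "${pkg:+ (package: $pkg)}"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo: two drop-ins named as in the thread, one with a wrong mode.
demo_audit() {
    d=$(mktemp -d)
    : > "$d/20_nethserver_suricata"
    chmod 0644 "$d/20_nethserver_suricata"          # constructed bad mode
    : > "$d/50_nsapi_nethserver_suricata"
    chmod 0440 "$d/50_nsapi_nethserver_suricata"    # mode visudo expects
    audit_sudoers_modes "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a server, `audit_sudoers_modes` with no arguments checks `/etc/sudoers.d`; its exit status makes it usable as a post-build or post-install check.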

My fault, I thought nethserver-suricata-1.3.1-1 already includes the fix of @federico.ballarini but the fixed package isn’t released.

I confirm that nethserver-suricata-1.3.1-1.1.g5f43f1f.ns7.noarch works as expected. Sorry for the inconvenience…

2 Likes

No problem Markus, two tests are better than one!
And really thank you for your effort! :wink:

3 Likes

Will try to fix my rpm this week… thanks a lot

3 Likes

should be good, done

1 Like

@federico.ballarini, I think your fix on nethserver-subscription was OK but maybe in the wrong section (ui instead of core), as the .spec splits files in two packages (nethserver-subscription, nethserver-subscription-ui).

Opened issue:

4 Likes

Travis has failed to build your rpm, we need to wait for the @dev_team

2 Likes

We have been experiencing problems with travis cli for a few days, we already opened a ticket but no news so far.

1 Like

Thank you @dnutan for opening the issue and the PR!
I’ve manually fixed the builds so everything is ready for testing :wink:

2 Likes