[root@server ~]# visudo -c|grep ^OK|sort
/etc/sudoers.d/20_nethserver_openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_subscription: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440
/etc/sudoers.d/samba-audit: bad permissions, should be mode 0440
There’s another thread:
I collected the output from some of my servers:
/etc/sudoers.d/20_nethserver_openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_subscription: bad permissions, should be mode 0440
/etc/sudoers.d/30_nethserver_sambastatus: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_awstats: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_crontabmanager: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_dokuwiki: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_phpldapadmin: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_phpmyadmin: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_phppgadmin: bad permissions, should be mode 0440
/etc/sudoers.d/samba-audit: bad permissions, should be mode 0440
/cc @stephdl
EDIT:
@federico.ballarini I tested your fixed packages and they still throw the permission error, even reinstalling did not work.
[root@testserver]# visudo -c|grep ^OK|sort
/etc/sudoers.d/20_nethserver_openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_subscription: bad permissions, should be mode 0440
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440
I think this is relevant.
I don’t know how to handle it exactly but maybe just adding another --file param with the correct file may solve it.
%{genfilelist} %{buildroot} --file /etc/sudoers.d/50_nsapi_nethserver_suricata 'attr(0440,root,root)' > %{name}-%{version}-%{release}-filelist
EDIT2:
Instead of using %attr(0440,root,root) /etc/sudoers.d/20_nethserver_suricata
the following worked for me:
%{genfilelist} %{buildroot} \
--file /etc/sudoers.d/20_nethserver_suricata 'attr(0440,root,root)' \
--file /etc/sudoers.d/50_nsapi_nethserver_suricata 'attr(0440,root,root)' > %{name}-%{version}-%{release}-filelist
I have tried them locally and the fix seems to work… I don’t know why they won’t work now.
Probably we have to change them as suggested by Mr Markuz. @davidep @giacomo
I don’t know. The fix in my above post worked for me. But maybe same problem that it works locally?
Could you test the following package? I compiled it but unfortunately messed up my git repo and deleted it.
yum install https://mrmarkuz.goip.de/mirror/devtest/nethserver-suricata-1.3.1-1.2.g43119d8.ns7.noarch.rpm
I’ve tested @federico.ballarini’s fix on nethserver-suricata: while @mrmarkuz’s method is the preferred one, Federico’s implementation also seems to work.
Before update:
[root@demosecurity ~]# rpm -q nethserver-suricata
nethserver-suricata-1.3.1-1.ns7.noarch
[root@demosecurity ~]# visudo -c 2>&1| grep suricata
/etc/sudoers.d/20_nethserver_suricata: bad permissions, should be mode 0440
/etc/sudoers.d/50_nsapi_nethserver_suricata: parsed OK
After update (package built locally from master):
[root@demosecurity ~]# rpm -q nethserver-suricata
nethserver-suricata-1.3.1-1.1.g5f43f1f.ns7.noarch
[root@demosecurity ~]# visudo -c 2>&1| grep suricata
/etc/sudoers.d/20_nethserver_suricata: parsed OK
/etc/sudoers.d/50_nsapi_nethserver_suricata: parsed OK
I also quickly verified other RPMs (built locally), to recap:
- nethserver-openvpn: ok
- nethserver-subscription: ko
- nethserver-suricata: ok
- nethserver-samba-audit: ko
Since this is the second topic about sudoers permission, would you like to open an issue @dnutan?
It’s, of course, highly cosmetic, but we could fix all official packages (and eventually also nethforge ones).
My fault, I thought nethserver-suricata-1.3.1-1 already includes the fix of @federico.ballarini but the fixed package isn’t released.
I confirm that nethserver-suricata-1.3.1-1.1.g5f43f1f.ns7.noarch works as expected. Sorry for the inconvenience…
No problem Markus, two tests are better than one!
And really thank you for your effort!
will try to fix my rpm this week… thanks a lot
should be good, done
@federico.ballarini, I think your fix on nethserver-subscription was OK but maybe in the wrong section (ui instead of core), as the .spec splits files in two packages (nethserver-subscription, nethserver-subscription-ui).
Opened issue:
Travis has failed to build your rpm, we need to wait for the @dev_team
We have been experiencing problems with travis cli for a few days, we already opened a ticket but no news so far.
Thank you @dnutan for opening the issue and the PR!
I’ve manually fixed the builds so everything is ready for testing
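
An added example, not part of the thread and not NethServer project code: a shell function that reproduces the check behind the `visudo -c` messages above by listing files in a sudoers drop-in directory whose mode is not 0440, together with the owning package from `rpm -qf` so the right .spec can be fixed. The function name `audit_sudoers_dir` is hypothetical, and GNU `stat` is assumed.

```shell
#!/usr/bin/env bash
# Added example: list sudoers drop-in files whose mode differs from the 0440
# that `visudo -c` expects, with the RPM package that ships each file.

# audit_sudoers_dir [DIR] [EXPECTED_MODE]
# Prints "<path> <mode> <owning package>" for each offending file.
# Returns 0 when every regular file matches, 1 otherwise.
audit_sudoers_dir() {
    local dir="${1:-/etc/sudoers.d}" want="${2:-440}" rc=0 f mode pkg
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip sub-directories and an empty glob
        mode=$(stat -c '%a' "$f")      # GNU stat: octal permission bits
        [ "$mode" = "$want" ] && continue
        # rpm -qf names the package to fix; fall back to "unowned" when rpm
        # is not installed or no package owns the file.
        pkg=$(command -v rpm >/dev/null 2>&1 && rpm -qf "$f" 2>/dev/null) \
            || pkg="unowned"
        printf '%s %s %s\n' "$f" "$mode" "${pkg:-unowned}"
        rc=1
    done
    return "$rc"
}

# Typical use on a server, as root:
#   audit_sudoers_dir /etc/sudoers.d
```

A non-zero return makes the function usable as a post-update check after a rebuilt package has been installed.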