Bug #9347

closed

sudo management isn't update-safe

Added by Florian Heigl over 7 years ago. Updated over 6 years ago.

Status: Released
Priority: N/A
Category: Techniques
Target version:
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility: Getting started - demo | first install | level 1 Techniques
Effort required: Medium
Priority: 65
Name check:
Fix check:
Regression:

Description

If you extend the list of allowed sudo commands, Rudder will add another line with the second permission set.

Also, it adds its own entries in the last line, after the #include statement. That's not proper; can you make it so it adds its stuff before #include, since that is the last line by convention (no technical need, just style)?


Related issues 1 (0 open, 1 closed)

Related to Rudder - User story #11145: Add bundle in library to edit section, and enforce its content, as well as deleting line matching regexp in all file | Released | Benoît PECCATTE
Actions #1

Updated by Benoît PECCATTE over 7 years ago

Yes, this is due to a limitation in how we write techniques and how CFEngine convergence works.

To make sure a technique is update-safe, we are thinking about how to solve this, but it needs long-term changes.

To work around the limitations, the best thing is to use templates.

Actions #2

Updated by François ARMAND almost 7 years ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Getting started - demo | first install | level 1 Techniques
  • Priority set to 72
Actions #3

Updated by François ARMAND almost 7 years ago

We should have an edit zone for Rudder, and cleanly manage everything in that zone.

Actions #4

Updated by Nicolas CHARLES almost 7 years ago

  • Effort required set to Medium
  • Priority changed from 72 to 70

Ok, there are two parts in this:
  1. editing within a Rudder zone - strictly enforcing content there (but what about lines not in this zone, should they be moved within the zone when commands are managed?). Question is: how do we know which Directives will trigger a change if several directives are editing this zone?
  2. extending list of commands: we need to be able that we are extending a line (so partial match?); or strictly enforce the content (see previous point)

Feedback is welcome on the expected behaviour
Estimated effort is more than a day (something in between checkGenericFileContent + ensure_key_value_parameters)

Actions #5

Updated by Benoît PECCATTE almost 7 years ago

  • Assignee set to Nicolas CHARLES
  • Priority changed from 70 to 69
Actions #6

Updated by Nicolas CHARLES almost 7 years ago

  • Target version set to 3.1.21

We should use file_ensure_block_in_section to create and edit section

Actions #7

Updated by Nicolas CHARLES almost 7 years ago

Nicolas CHARLES wrote:

We should use file_ensure_block_in_section to create and edit section

Actually, this would prevent detecting which command has been edited
So we could either create a new generic method that would have name of section as class parameter, or find another solution :/

Actions #8

Updated by Nicolas CHARLES almost 7 years ago

To have a correct fix with a generic method, we need to have composite keys for reporting, and this is quite a big change (it could only be in master for ncf), even if located only in ncf.
So to have a suitable fix in Rudder 3.1, we'll create ad-hoc code, like a generic method, in the sudo technique, to edit the section with proper reporting.

Actions #9

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 3.1.21 to 3.1.22
  • Priority changed from 69 to 68
Actions #10

Updated by Nicolas CHARLES almost 7 years ago

  • Status changed from New to In progress
Actions #11

Updated by Nicolas CHARLES almost 7 years ago

There is a huge question mark here.
We are moving from managing a file like

# User privilege specification
root    ALL=(ALL:ALL) ALL

%admin ALL=(ALL) ALL

%sudo    ALL=(ALL:ALL) ALL

to

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Configuration name Name 1
%admin ALL=(ALL) ALL
# End Configuration name Name 1

# Configuration name Name 2
%sudo    ALL=(ALL:ALL) ALL
# End Configuration name Name 2

without having duplicate lines.
An idea would be to create a globally managed section
#Managed by Rudder

#End of section Managed by Rudder

and work in this section, and purge all duplicated lines in and out of this section; but the resulting code gets pretty complex
(but it's doable)

Actions #14

Updated by Nicolas CHARLES almost 7 years ago

Decided solution:
We check if the expected line is there - if it is, but not in the section (and the section doesn't exist somewhere else), we wrap it around the section.
Otherwise, if the section is there, we edit it.
Otherwise, we add the section.
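
The three cases of the decided solution, sketched in Python as an added example; it is not part of the original comment and not Rudder's technique code. The marker text follows the layout quoted in the thread, the placement before `#include` follows the request in the description, and the helper names, sample file and restricted command list are constructed for illustration.

```python
# Added example (not Rudder's code). Marker text follows the layout quoted in
# the thread; the sample file and the restricted command list are constructed.

def markers(name):
    return f"# Configuration name {name}", f"# End Configuration name {name}"

def ensure_section(lines, name, expected):
    """Return a copy of `lines` where section `name` holds exactly `expected`."""
    begin, end = markers(name)
    out = list(lines)

    # Case 1: the section exists -> enforce its content (update-safe edit).
    if begin in out and end in out and out.index(begin) < out.index(end):
        b, e = out.index(begin), out.index(end)
        out[b + 1:e] = [expected]
        return out

    # Case 2: no section yet, but the expected line is already present as a
    # legacy unmanaged line -> wrap it in place instead of adding a duplicate.
    if expected in out:
        i = out.index(expected)
        out[i:i + 1] = [begin, expected, end]
        return out

    # Case 3: nothing to reuse -> add the section before the first #include /
    # #includedir line (the placement the report asks for), else at the end.
    at = next((i for i, l in enumerate(out) if l.startswith("#include")), len(out))
    out[at:at] = [begin, expected, end, ""]
    return out

# Constructed sample of a legacy, unmanaged sudoers file.
LEGACY = [
    "# User privilege specification",
    "root    ALL=(ALL:ALL) ALL",
    "",
    "%admin ALL=(ALL) ALL",
    "",
    "#includedir /etc/sudoers.d",
]

def demo():
    step1 = ensure_section(LEGACY, "Name 1", "%admin ALL=(ALL) ALL")        # wrap
    step2 = ensure_section(step1, "Name 1", "%admin ALL=(ALL) /usr/bin/systemctl")  # edit
    step3 = ensure_section(step2, "Name 2", "%sudo    ALL=(ALL:ALL) ALL")   # add
    return step1, step2, step3

if __name__ == "__main__":
    print("\n".join(demo()[-1]))
```

Whatever performs the edit, the result should be checked with `visudo -c -f <file>` before it replaces the live sudoers file, since a syntax error there can lock out privilege escalation entirely.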

Actions #15

Updated by Nicolas CHARLES over 6 years ago

  • Status changed from In progress to Pending technical review
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1176
  • Priority changed from 68 to 67
Actions #16

Updated by Nicolas CHARLES over 6 years ago

  • Status changed from Pending technical review to In progress
  • Pull Request deleted (https://github.com/Normation/rudder-techniques/pull/1176)

It's still in progress (I did a rudder-dev wip, don't know why it created a PR)

Actions #17

Updated by Nicolas CHARLES over 6 years ago

  • Related to User story #11145: Add bundle in library to edit section, and enforce its content, as well as deleting line matching regexp in all file added
Actions #18

Updated by Nicolas CHARLES over 6 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1178
Actions #19

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 3.1.22 to 3.1.23
  • Priority changed from 67 to 66
Actions #20

Updated by Nicolas CHARLES over 6 years ago

  • Status changed from Pending technical review to Pending release
Actions #21

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from Pending release to Released
  • Priority changed from 66 to 65

This bug has been fixed in Rudder 3.1.23, 4.1.7 and 4.2.0~rc1 which were released today.
