Scripts invoke sudo even if running as root

Description

The following scripts in $OPENNMS_HOME/bin/ invoke sudo, even when run as root:

[root@30horizon etc]# grep -Ril sudo ../bin/
../bin/fix-karaf-setup.sh
../bin/fix-permissions
../bin/install
../bin/opennms
../bin/runjava
../bin/update-package-permissions
../bin/upgrade

This is problematic as some environments do not allow the root user to run commands via sudo (which is unnecessary anyway). This causes each of these commands to fail, and necessitates manually modifying the script to remove the sudo invocation.

Acceptance / Success Criteria

None

Activity

Alex May July 15, 2022 at 8:21 PM
Edited

Scripts were updated to use runuser if they are initially run as root to drop privileges. If the current user doesn't match RUNAS and is not root, an error is printed recommending using sudo -u $RUNAS ....

The two exceptions are fix-permissions and update-package-permissions. If run as root, they run as-is. If not, they attempt to use sudo to run as root if it's available.
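
The behaviour described in the comment above, sketched as an added example (not part of the comment and not the OpenNMS scripts themselves). The decision is kept separate from the exec so it can be checked without root; the function names, the `opennms` default for RUNAS, and failing when sudo is absent are assumptions.

```sh
#!/bin/sh
# Added illustration; names and defaults are assumptions, not OpenNMS code.
RUNAS="${RUNAS:-opennms}"

# runas_mode USER UID -> prints how a script meant to run as $RUNAS proceeds.
runas_mode() {
    if [ "$1" = "$RUNAS" ]; then
        echo direct      # already the service account: run in place
    elif [ "$2" -eq 0 ]; then
        echo runuser     # root: drop privileges with runuser, never sudo
    else
        echo refuse      # any other user: print advice and stop
    fi
}

# root_mode UID SUDO_PATH -> prints how fix-permissions-style scripts proceed.
root_mode() {
    if [ "$1" -eq 0 ]; then
        echo direct      # already root: run as-is, sudo is never invoked
    elif [ -n "$2" ]; then
        echo sudo        # not root, sudo found: try to become root
    else
        echo refuse      # assumption: fail when sudo is not installed
    fi
}

# Call near the top of a script as: as_runas "$0" "$@"
as_runas() {
    case "$(runas_mode "$(id -un)" "$(id -u)")" in
        direct)  return 0 ;;
        runuser) exec runuser -u "$RUNAS" -- "$@" ;;
        refuse)  echo "ERROR: run as $RUNAS, e.g. sudo -u $RUNAS $*" >&2
                 exit 1 ;;
    esac
}

# Call near the top of a script as: as_root "$0" "$@"
as_root() {
    case "$(root_mode "$(id -u)" "$(command -v sudo)")" in
        direct) return 0 ;;
        sudo)   exec sudo "$@" ;;
        refuse) echo "ERROR: must be run as root" >&2
                exit 1 ;;
    esac
}
```

After the re-exec through runuser or sudo, the script starts again, takes the `direct` branch and continues, so there is no loop.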

Will Keaney July 12, 2022 at 8:26 PM

In its current state, fix-permissions always tries to sudo, even when run as root. This fails in our environment, including at package install / upgrade time.

If run as a non-root user, it won't be able to do its job of fixing ownership and permissions on files owned by users other than the RUNAS user.

Benjamin Reed July 12, 2022 at 3:19 PM

fix-permissions has 2 modes, the first is meant to be run in an automated fashion at package installation time, as root, and it only changes things that the package itself owns. The second mode is run manually, by a user, and it should be done as root, and it will fix ownership on the entirety of $OPENNMS_HOME to be owned by $RUNAS.

Mode 2 is intentionally manual, to be done deliberately by the end-user, because it could take hours on systems with a buttload of RRDs, or NAS-mounted files, or whatever.

Will Keaney July 7, 2022 at 8:08 PM

Our systems also block running sudo as root.

Maybe the real fix is to rip off the band-aid and just have any RUNAS scripts to just exit nonzero if they're being run as any other user.

How will the fix-permissions scripts work if they can't be run as root?

Benjamin Reed July 5, 2022 at 6:03 PM

Maybe the real fix is to rip off the band-aid and just have any RUNAS scripts to just exit nonzero if they're being run as any other user.

Then we can just add echo "Try 'sudo -u opennms $@' instead." or something.

Fixed

Created June 15, 2022 at 4:41 PM
Updated July 18, 2022 at 3:09 PM
Resolved July 15, 2022 at 8:21 PM