ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dmitry Lysnichenko (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-18525) Ambari breaks sudo and user access if Ambari Agent misconfigured
Date Tue, 04 Oct 2016 15:32:20 GMT
Dmitry Lysnichenko created AMBARI-18525:
-------------------------------------------

             Summary: Ambari breaks sudo and user access if Ambari Agent misconfigured
                 Key: AMBARI-18525
                 URL: https://issues.apache.org/jira/browse/AMBARI-18525
             Project: Ambari
          Issue Type: Bug
            Reporter: Dmitry Lysnichenko
            Assignee: Dmitry Lysnichenko



While working on Ambari installation using Vagrant I found following issues that can be potentially
dangerous and destroy sudo and /home permissions

Steps to reproduce:

Remove or misconfigure following configs from ambari-agent.ini file:
{code}
[agent]
logdir=/var/log/ambari-agent
piddir=/var/run/ambari-agent
{code}

Start ambari agent.  Note that log, pid, and out want to be written to /.  Everything fails
and sudo is destroyed as well as /home for all users.  Sudo user will not be able to connect
to cluster using private key due to permissions and folder ownership switch to root.

{code}
[root@ambari-slave1 vagrant]# id
uid=0(root) gid=0(root) groups=0(root)

[root@ambari-slave1 vagrant]# ambari-agent start

chown: changing ownership of `/proc/12937': Operation not permitted
chown: changing ownership of `/proc/12938/task/12938': Operation not permitted
chown: changing ownership of `/proc/12938': Operation not permitted
chown: changing ownership of `/proc/12941/task/12941': Operation not permitted
chown: changing ownership of `/proc/12941': Operation not permitted
chown: changing ownership of `/proc/12942/task/12942/fd/4': No such file or directory
chown: changing ownership of `/proc/12942/task/12942/fdinfo/4': No such file or directory
chown: changing ownership of `/proc/12942/task/12942': Operation not permitted
chown: changing ownership of `/proc/12942/fd/4': No such file or directory
chown: changing ownership of `/proc/12942/fdinfo/4': No such file or directory
chown: changing ownership of `/proc/12942': Operation not permitted
Starting ambari-agent
Verifying ambari-agent process status...
Ambari Agent successfully started
Agent PID at: /ambari-agent.pid
Agent out at: /ambari-agent.out
Agent log at: /ambari-agent.log
{code}

Sticky bit is removed from sudo as result of it

{code}
[root@ambari-slave1 vagrant]# ls -l /usr/bin/sudo
---x--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
{code}

it should be:

{code}
[root@ambari-slave2 vagrant]# ls -l /usr/bin/sudo
---s--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
{code}

All user folder is messed up as owned by root

{code}
[root@ambari-slave1 vagrant]# ls -ld /home/
drwxr-xr-x. 3 root root 4096 Mar  9  2016 /home/

[root@ambari-slave1 vagrant]# ls -ld /home/vagrant
drwx------ 3 root root 4096 Sep 27 22:16 /home/vagrant
{code}

sudo is broken:

{code}
[root@ambari-slave1 vagrant]# id
uid=0(root) gid=0(root) groups=0(root)
[root@ambari-slave1 vagrant]# exit
exit
[vagrant@ambari-slave1 ~]$ sudo su
sudo: effective uid is not 0, is sudo installed setuid root?
{code}

this is caused due to by function in /usr/sbin/ambari-agent

{code}
get_agent_property() {
property_name="$1"
value=$(awk -F "=" "/$property_name/ {print \$2}" /etc/ambari-agent/conf/ambari-agent.ini)
echo $value
}
{code}




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message