ambari-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-18526) Ambari breaks sudo and user access if Ambari Agent misconfigured
Date Thu, 06 Oct 2016 19:25:20 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-18526?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15552916#comment-15552916 ]

Hudson commented on AMBARI-18526:
---------------------------------

FAILURE: Integrated in Jenkins build Ambari-branch-2.5 #122 (See [https://builds.apache.org/job/Ambari-branch-2.5/122/])
AMBARI-18526. Ambari breaks sudo and user access if Ambari Agent (dlysnichenko: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=351b8f1954db7edf8523698bbb33cc480afc6096])
* (edit) ambari-agent/conf/unix/ambari-agent


> Ambari breaks sudo and user access if Ambari Agent misconfigured
> ----------------------------------------------------------------
>
>                 Key: AMBARI-18526
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18526
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Dmitry Lysnichenko
>            Assignee: Dmitry Lysnichenko
>             Fix For: 2.4.2
>
>         Attachments: AMBARI-18526.patch
>
>
> While working on Ambari installation using Vagrant I found the following issues that can be potentially dangerous and destroy sudo and /home permissions.
> Steps to reproduce:
> Remove or misconfigure the following configs from the ambari-agent.ini file:
> {code}
> [agent]
> logdir=/var/log/ambari-agent
> piddir=/var/run/ambari-agent
> {code}
> Start ambari agent.  Note that log, pid, and out want to be written to /.  Everything fails and sudo is destroyed as well as /home for all users.  Sudo user will not be able to connect to cluster using private key due to permissions and folder ownership switch to root.
> {code}
> [root@ambari-slave1 vagrant]# id
> uid=0(root) gid=0(root) groups=0(root)
> [root@ambari-slave1 vagrant]# ambari-agent start
> chown: changing ownership of `/proc/12937': Operation not permitted
> chown: changing ownership of `/proc/12938/task/12938': Operation not permitted
> chown: changing ownership of `/proc/12938': Operation not permitted
> chown: changing ownership of `/proc/12941/task/12941': Operation not permitted
> chown: changing ownership of `/proc/12941': Operation not permitted
> chown: changing ownership of `/proc/12942/task/12942/fd/4': No such file or directory
> chown: changing ownership of `/proc/12942/task/12942/fdinfo/4': No such file or directory
> chown: changing ownership of `/proc/12942/task/12942': Operation not permitted
> chown: changing ownership of `/proc/12942/fd/4': No such file or directory
> chown: changing ownership of `/proc/12942/fdinfo/4': No such file or directory
> chown: changing ownership of `/proc/12942': Operation not permitted
> Starting ambari-agent
> Verifying ambari-agent process status...
> Ambari Agent successfully started
> Agent PID at: /ambari-agent.pid
> Agent out at: /ambari-agent.out
> Agent log at: /ambari-agent.log
> {code}
> Sticky bit is removed from sudo as a result of it:
> {code}
> [root@ambari-slave1 vagrant]# ls -l /usr/bin/sudo
> ---x--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
> {code}
> It should be:
> {code}
> [root@ambari-slave2 vagrant]# ls -l /usr/bin/sudo
> ---s--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
> {code}
> All user folders are messed up, as they are owned by root:
> {code}
> [root@ambari-slave1 vagrant]# ls -ld /home/
> drwxr-xr-x. 3 root root 4096 Mar  9  2016 /home/
> [root@ambari-slave1 vagrant]# ls -ld /home/vagrant
> drwx------ 3 root root 4096 Sep 27 22:16 /home/vagrant
> {code}
> sudo is broken:
> {code}
> [root@ambari-slave1 vagrant]# id
> uid=0(root) gid=0(root) groups=0(root)
> [root@ambari-slave1 vagrant]# exit
> exit
> [vagrant@ambari-slave1 ~]$ sudo su
> sudo: effective uid is not 0, is sudo installed setuid root?
> {code}
> This is caused by a function in /usr/sbin/ambari-agent:
> {code}
> get_agent_property() {
> property_name="$1"
> value=$(awk -F "=" "/$property_name/ {print \$2}" /etc/ambari-agent/conf/ambari-agent.ini)
> echo $value
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
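
The lookup quoted at the end of the issue description returns an empty string when the key is absent, which is how the paths in the report end up as `/ambari-agent.pid`. The following is an added example, not Ambari's code and not the attached patch: it runs that lookup next to a stricter one with a path guard. The `_orig`/`_strict` names, `safe_agent_dir`, the file-path parameter and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Lookup as shown in the report; the file path is made a parameter (assumption)
# so it can run against sample files. Unanchored match, empty if key is absent.
get_agent_property_orig() {
  awk -F "=" "/$1/ {print \$2}" "$2"
}

# Hypothetical stricter lookup: exact key name, [agent] section only.
get_agent_property_strict() {
  awk -F "=" -v key="$1" '
    /^[ \t]*\[/ { in_agent = ($0 ~ /^[ \t]*\[agent\][ \t]*$/); next }
    in_agent && index($0, "=") {
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k != key) next
      v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v; exit
    }' "$2"
}

# Hypothetical guard: print the directory only if it is absolute, at least two
# levels deep, and has no ".." or trailing slash; otherwise return 1.
safe_agent_dir() {
  dir=$(get_agent_property_strict "$1" "$2")
  case "$dir" in
    ""|*/|//*|*..*) return 1 ;;
    /*/*) printf '%s\n' "$dir" ;;
    *) return 1 ;;
  esac
}

# Constructed sample files: one misconfigured as in the report, one valid.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '[agent]\nhostname=localhost\n#piddir=/tmp/old\n' > "$tmp/bad.ini"
printf '[agent]\nlogdir=/var/log/ambari-agent\npiddir=/var/run/ambari-agent\n' > "$tmp/good.ini"

# Missing key: the original returns "", so the derived path lands in "/".
echo "original logdir: '$(get_agent_property_orig logdir "$tmp/bad.ini")/ambari-agent.log'"
# Commented-out key: the original still returns its value.
echo "original piddir: '$(get_agent_property_orig piddir "$tmp/bad.ini")'"
for f in bad good; do
  if d=$(safe_agent_dir logdir "$tmp/$f.ini"); then echo "$f.ini: use $d"
  else echo "$f.ini: logdir missing or unsafe, refusing to start"; fi
done
```

A start script that changes ownership or permissions on a configured directory would call the guard first and abort on a non-zero return instead of continuing with an empty value.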
