You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2016/10/04 21:36:20 UTC

[jira] [Commented] (AMBARI-18526) Ambari breaks sudo and user access if Ambari Agent misconfigured

    [ https://issues.apache.org/jira/browse/AMBARI-18526?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15546742#comment-15546742 ] 

Hadoop QA commented on AMBARI-18526:
------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12831556/AMBARI-18526.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number of release audit warnings.

    {color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/8805//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/8805//console

This message is automatically generated.

> Ambari breaks sudo and user access if Ambari Agent misconfigured
> ----------------------------------------------------------------
>
>                 Key: AMBARI-18526
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18526
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Dmitry Lysnichenko
>            Assignee: Dmitry Lysnichenko
>             Fix For: 2.5.0
>
>         Attachments: AMBARI-18526.patch
>
>
> While working on Ambari installation using Vagrant I found following issues that can be potentially dangerous and destroy sudo and /home permissions
> Steps to reproduce:
> Remove or misconfigure following configs from ambari-agent.ini file:
> {code}
> [agent]
> logdir=/var/log/ambari-agent
> piddir=/var/run/ambari-agent
> {code}
> Start ambari agent.  Note that log, pid, and out want to be written to /.  Everything fails and sudo is destroyed as well as /home for all users.  Sudo user will not be able to connect to cluster using private key due to permissions and folder ownership switch to root.
> {code}
> [root@ambari-slave1 vagrant]# id
> uid=0(root) gid=0(root) groups=0(root)
> [root@ambari-slave1 vagrant]# ambari-agent start
> chown: changing ownership of `/proc/12937': Operation not permitted
> chown: changing ownership of `/proc/12938/task/12938': Operation not permitted
> chown: changing ownership of `/proc/12938': Operation not permitted
> chown: changing ownership of `/proc/12941/task/12941': Operation not permitted
> chown: changing ownership of `/proc/12941': Operation not permitted
> chown: changing ownership of `/proc/12942/task/12942/fd/4': No such file or directory
> chown: changing ownership of `/proc/12942/task/12942/fdinfo/4': No such file or directory
> chown: changing ownership of `/proc/12942/task/12942': Operation not permitted
> chown: changing ownership of `/proc/12942/fd/4': No such file or directory
> chown: changing ownership of `/proc/12942/fdinfo/4': No such file or directory
> chown: changing ownership of `/proc/12942': Operation not permitted
> Starting ambari-agent
> Verifying ambari-agent process status...
> Ambari Agent successfully started
> Agent PID at: /ambari-agent.pid
> Agent out at: /ambari-agent.out
> Agent log at: /ambari-agent.log
> {code}
> Sticky bit is removed from sudo as result of it
> {code}
> [root@ambari-slave1 vagrant]# ls -l /usr/bin/sudo
> ---x--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
> {code}
> it should be:
> {code}
> [root@ambari-slave2 vagrant]# ls -l /usr/bin/sudo
> ---s--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
> {code}
> All user folder is messed up as owned by root
> {code}
> [root@ambari-slave1 vagrant]# ls -ld /home/
> drwxr-xr-x. 3 root root 4096 Mar  9  2016 /home/
> [root@ambari-slave1 vagrant]# ls -ld /home/vagrant
> drwx------ 3 root root 4096 Sep 27 22:16 /home/vagrant
> {code}
> sudo is broken:
> {code}
> [root@ambari-slave1 vagrant]# id
> uid=0(root) gid=0(root) groups=0(root)
> [root@ambari-slave1 vagrant]# exit
> exit
> [vagrant@ambari-slave1 ~]$ sudo su
> sudo: effective uid is not 0, is sudo installed setuid root?
> {code}
> this is caused due to by function in /usr/sbin/ambari-agent
> {code}
> get_agent_property() {
> property_name="$1"
> value=$(awk -F "=" "/$property_name/ {print \$2}" /etc/ambari-agent/conf/ambari-agent.ini)
> echo $value
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)