Plugins » Foreman Remote Execution

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2222816

Description of problem:
When using remote_execution_ssh_user different than root and allowing the user to run only specific commands (via sudoers configuration), it is required to add /usr/bin/true on the list of allowed commands for REX to work

How reproducible:
Always

Steps to Reproduce:
1. Configure remote_execution_ssh_user to be a non-root user
2. Configure sudoers like below:

Cmnd_Alias SATCMNDS=/var/tmp/foreman-ssh-cmd-*/script,!/var/tmp/foreman-ssh-cmd-*\ ,!/var/tmp/foreman-ssh-cmd-..*
SATUSER ALL=NOPASSWD:SATCMNDS

3. Run any REX job

Actual results:

On the task, got this error:

~_{~
1:
Error initializing command: RuntimeError - Failed to change to effective user, exit code: 1
2:
Exit status: EXCEPTION}
~~

On the target host, on /var/log/secure:

~_{~
Jul 13 20:33:54 josh-medling sshd²⁹⁸⁴: Postponed publickey for rexuser from $ip_address port 59356 ssh2 [preauth]
Jul 13 20:33:54 josh-medling sshd²⁹⁸⁴: Accepted publickey for rexuser from $ip_address port 59356 ssh2: RSA SHA256:fngWpLD7nmwGryQgzeHvvU1NtOL/26NXrrCRzD6SWxM
Jul 13 20:33:54 josh-medling sshd²⁹⁸⁴: pam_unix(sshd:session): session opened for user rexuser by (uid=0)
Jul 13 20:33:55 josh-medling unix_chkpwd³¹²⁹: password check failed for user (rexuser)
Jul 13 20:33:55 josh-medling sudo³¹⁰⁴: pam_unix(sudo:auth): authentication failure; logname=rexuser uid=1000 euid=0 tty=/dev/pts/1 ruser=rexuser rhost= user=rexuser
Jul 13 20:33:56 josh-medling unix_chkpwd³¹³¹: password check failed for user (rexuser)
Jul 13 20:33:58 josh-medling unix_chkpwd³¹³³: password check failed for user (rexuser)
Jul 13 20:34:00 josh-medling sudo³¹⁰⁴: rexuser : command not allowed ; TTY=pts/1 ; PWD=/home/rexuser ; USER=root ; COMMAND=/bin/true}
~~

Expected results:
Not any special sudo permissions required.

Additional info:

These preflight tests were introduced on solve this issue¹.

[1]: https://projects.theforeman.org/issues/34363