Fix #13707

open

teuthology globally disables requiretty

Added by Ken Dreyer over 8 years ago. Updated over 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
% Done: 0%
Source: other

Description

https://github.com/ceph/ceph-cm-ansible/blob/master/roles/testnode/templates/sudoers#L15

On Ansible-managed systems, /etc/sudoers contains this line:

Defaults    !requiretty

This is bad for security in general, and hides bugs in Ceph in particular (e.g. #10927).

On a vanilla RHEL or CentOS install, /etc/sudoers has the following:

Defaults    requiretty

Can we list the exact things that are run in the labs that require us to disable the "requiretty" setting on the lab hosts?

For example, I think ceph-deploy (via execnet) needs this, but only for the unprivileged UID that ceph-deploy uses (i.e. "ubuntu"), so we could tighten the setting to just "ubuntu".

Actions #1

Updated by Zack Cerza over 8 years ago

Things that need this:

1. ansible pipelining
2. teuthology itself

Yes, the teuthology commit was mine and contains no explanation of why it was necessary. Whoops.

Perhaps we can set this only for the 'cm' user (ansible) and the test user ('ubuntu').

Actions #2

Updated by David Galloway almost 8 years ago

Zack Cerza wrote:

Yes, the teuthology commit was mine and contains no explanation of why it was necessary. Whoops.

Is it possible that got added for chef? IOW, maybe it's only needed for the cm user now.

Actions #3

Updated by Ken Dreyer almost 8 years ago

I think that this requirement is going away in the latest versions of Ansible? See https://github.com/ansible/ansible/pull/13200

Actions #4

Updated by Zack Cerza over 7 years ago

Unfortunately not; it was reverted two days after being merged: https://github.com/ansible/ansible/commit/e201a255d17a72b338be92b8db881effb79b5ece
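
The per-user scoping proposed in the description and in comment #1, as an added example that is not part of the original thread or of the ceph-cm-ansible code: a Python check that reports the scope of every requiretty entry in a sudoers file and flags a global `!requiretty`. The sample sudoers text is constructed, and the parser is simplified (binding lists without whitespace, no line continuations, include files not followed).

```python
import re

# Matches a sudoers Defaults entry and its optional scope binding:
#   Defaults            -> global
#   Defaults:user_list  -> per user;  Defaults@host_list -> per host
#   Defaults>runas_list -> per runas; Defaults!cmnd_list -> per command
DEFAULTS_RE = re.compile(r"^Defaults(?:([:@>!])(\S+))?\s+(.*)$")
SCOPE_NAMES = {":": "user", "@": "host", ">": "runas", "!": "command"}

# Constructed sample inputs (not copied from any lab host).
GLOBAL_OFF = "Defaults    !requiretty\n"
SCOPED = """\
Defaults    requiretty
Defaults:cm !requiretty        # ansible pipelining
Defaults:ubuntu !requiretty    # teuthology test user
"""


def requiretty_settings(sudoers_text):
    """Return (scope, binding, enabled) for each requiretty Defaults entry."""
    found = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        sigil, binding, params = m.groups()
        for param in (p.strip() for p in params.split(",")):
            if param.lstrip("!").strip() == "requiretty":
                scope = SCOPE_NAMES.get(sigil, "global")
                found.append((scope, binding, not param.startswith("!")))
    return found


def global_requiretty_disabled(sudoers_text):
    """True if a global Defaults line turns requiretty off for every user."""
    return any(scope == "global" and not enabled
               for scope, _, enabled in requiretty_settings(sudoers_text))


if __name__ == "__main__":
    for name, text in (("global", GLOBAL_OFF), ("scoped", SCOPED)):
        print(name, requiretty_settings(text),
              "FAIL" if global_requiretty_disabled(text) else "ok")
```

sudo applies per-user Defaults after the generic ones, so the scoped form keeps requiretty enforced for every account except the two named.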
