Fix #13707: teuthology globally disables requiretty - teuthology - Ceph

Actions

Copy link

Fix #13707

open

teuthology globally disables requiretty

Added by Ken Dreyer over 8 years ago. Updated over 7 years ago.

Status:

New

Priority:

Normal

Assignee:

Category:

% Done:

Source:

other

Tags:

Backport:

Reviewed:

Affected Versions:

ceph-qa-suite:

Crash signature (v1):

Crash signature (v2):

Description

https://github.com/ceph/ceph-cm-ansible/blob/master/roles/testnode/templates/sudoers#L15

On Ansible-managed systems, /etc/sudoers contains this line:

Defaults    !requiretty

This is bad for security in general, and hides bugs in Ceph in particular (eg #10927)

On a vanilla RHEL or CentOS install, /etc/sudoers has the following:

Defaults    requiretty

Can we list the exact things that are run in the labs that require us to disable the "requiretty" setting on the lab hosts?

For example, I think ceph-deploy (via execnet) needs this, but only for the unprivileged UID that ceph-deploy uses (ie "ubuntu"), so we could tighten the setting to just "ubuntu".

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Tools » teuthology

Custom queries

Fix #13707

teuthology globally disables requiretty

Updated by Zack Cerza over 8 years ago

Updated by David Galloway almost 8 years ago

Updated by Ken Dreyer almost 8 years ago

Updated by Zack Cerza over 7 years ago