Bug #47112
Closed
cephadm RPM package installs /etc/sudoers.d/cephadm - review whether this file is still needed
0%
Description
The cephadm user was introduced by https://github.com/ceph/ceph/pull/31698 (originally as the "cephdaemon" user). It was renamed to "cephadm" by https://github.com/ceph/ceph/pull/32193
When the "cephadm" RPM is installed on the system, a new "cephadm" user is created and a file /etc/sudoers.d/cephadm is created. Apparently, until now nobody noticed the following discrepancy:
The file /etc/sudoers.d/cephadm refers to "/usr/bin/cephadm":
(venv) smithfarm@wilbur:~/src/ceph/smithfarm/ceph> cat sudoers.d/cephadm
# allow cephadm user to sudo cephadm
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ls
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * unit *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * shell *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * deploy *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ceph-volume *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * rm-daemon *
But THERE IS NO /usr/bin/cephadm in the system, because the cephadm binary is installed under /usr/sbin.
Instead of just blindly doing s/bin/sbin/g in /etc/sudoers.d/cephadm, though, I thought I'd ask the following questions:
How is it that this was not noticed before?
Given that it was not noticed, maybe /etc/sudoers.d/cephadm is not needed and could be dropped?
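A check for the discrepancy described in this report, as an added example (not part of the original report or of Ceph's code): it parses simple user specifications from a sudoers fragment and lists every rule whose command path is absent from the system. The function names and the injectable `exists` callback are hypothetical; the sample rules are the ones quoted above; aliases and escaped commas are not handled.

```python
import glob
import os
import re

# Sample input: the six rules quoted in the report above.
SAMPLE = """\
# allow cephadm user to sudo cephadm
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ls
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * unit *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * shell *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * deploy *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ceph-volume *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * rm-daemon *
"""

_SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# Optional "(runas)" spec, any "TAG:" prefixes, optional "!", then the command word.
_CMD = re.compile(r"^(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*!?\s*(\S+)")

def _on_disk(path):
    """True if path (may contain glob characters) matches a directory or an executable."""
    hits = glob.glob(path) if any(c in path for c in "*?[") else [path]
    return any(os.path.isdir(h) or os.access(h, os.X_OK) for h in hits)

def dangling_rules(text, exists=_on_disk):
    """Return (logical_line_no, user, path) for each rule whose command path is absent."""
    findings = []
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for no, line in enumerate(logical.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(_SKIP) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        for cmd in spec.split(","):
            m = _CMD.match(cmd.strip())
            # Only absolute paths can be checked; ALL and alias names are skipped.
            if m and m.group(1).startswith("/") and not exists(m.group(1)):
                findings.append((no, who.split()[0], m.group(1)))
    return findings

if __name__ == "__main__":
    for no, user, path in dangling_rules(SAMPLE):
        print(f"line {no}: {user} may sudo {path}, which does not exist")
```
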
Updated by Nathan Cutler over 3 years ago
- Status changed from New to Fix Under Review
- Assignee set to Nathan Cutler
- Pull request ID set to 36972
Updated by Kefu Chai over 3 years ago
- Status changed from Fix Under Review to Resolved
Updated by Nathan Cutler over 3 years ago
- Status changed from Resolved to Pending Backport
- Backport set to octopus
Updated by Nathan Cutler over 3 years ago
- Project changed from Orchestrator to Ceph
Updated by Nathan Cutler over 3 years ago
- Copied to Backport #47644: octopus: cephadm RPM package installs /etc/sudoers.d/cephadm - review whether this file is still needed added
Updated by Nathan Cutler over 3 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".