Bug #47112
closed
cephadm RPM package installs /etc/sudoers.d/cephadm - review whether this file is still needed
Description
The cephadm user was introduced by https://github.com/ceph/ceph/pull/31698 (originally as the "cephdaemon" user). It was renamed to "cephadm" by https://github.com/ceph/ceph/pull/32193
When the "cephadm" RPM is installed on the system, a new "cephadm" user is created and a file /etc/sudoers.d/cephadm is created. Apparently, until now nobody noticed the following discrepancy:
The file /etc/sudoers.d/cephadm refers to "/usr/bin/cephadm":
    (venv) smithfarm@wilbur:~/src/ceph/smithfarm/ceph> cat sudoers.d/cephadm
    # allow cephadm user to sudo cephadm
    cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ls
    cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * unit *
    cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * shell *
    cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * deploy *
    cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ceph-volume *
    cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * rm-daemon *
But THERE IS NO /usr/bin/cephadm in the system, because the cephadm binary is installed under /usr/sbin.
Instead of just blindly doing s/bin/sbin/g in /etc/sudoers.d/cephadm, though, I thought I'd ask the following questions:
How is it that this was not noticed before?
Given that it was not noticed, maybe /etc/sudoers.d/cephadm is not needed and could be dropped?
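
A check that would flag this kind of discrepancy at package-build or install time, as an added example (not part of the original report or of the Ceph code base): it extracts the command path from each sudoers rule and reports the ones that do not exist on disk. It assumes the simple one-rule-per-line form quoted above (no aliases, line continuations or escaped commas); the function names are hypothetical.

```python
import os
import re
import sys

# Constructed sample: the rules quoted in the report above.
SAMPLE = """\
# allow cephadm user to sudo cephadm
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ls
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * unit *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * shell *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * deploy *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * ceph-volume *
cephadm ALL=NOPASSWD: /usr/bin/cephadm --image * rm-daemon *
"""

RUNAS = re.compile(r"^\([^)]*\)\s*")      # optional (root) / (ALL : ALL)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, SETENV:, ...
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def rule_commands(text):
    """Yield (line_number, command_path) for every absolute command in a rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments/includes, Defaults and alias definitions.
        if not line or line[0] in "#@" or line.startswith(NOT_RULES):
            continue
        if "=" not in line:
            continue
        # "user host=cmd1 args, cmd2 args": keep everything after the first "=".
        for cmnd in line.split("=", 1)[1].split(","):
            cmnd = TAGS.sub("", RUNAS.sub("", cmnd.strip()))
            if cmnd.startswith("/"):
                yield lineno, cmnd.split()[0]


def missing_commands(text, exists=os.path.exists):
    """Return the (line_number, path) pairs whose command is absent on this host."""
    return [(n, path) for n, path in rule_commands(text) if not exists(path)]


if __name__ == "__main__":
    # With a file argument, check that file; otherwise check the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = missing_commands(text)
    for n, path in problems:
        print(f"line {n}: {path} does not exist")
    sys.exit(1 if problems else 0)
```

The `exists` parameter lets the check run against a build root or a file list from the package instead of the live filesystem.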