Dmitry Lysnichenko created AMBARI-18526:
-------------------------------------------

Summary: Ambari breaks sudo and user access if Ambari Agent misconfigured
Key: AMBARI-18526
URL: https://issues.apache.org/jira/browse/AMBARI-18526
Project: Ambari
Issue Type: Bug
Reporter: Dmitry Lysnichenko
Assignee: Dmitry Lysnichenko
Attachments: AMBARI-18526.patch

While working on an Ambari installation using Vagrant, I found the following issues that can be potentially dangerous and destroy sudo and /home permissions.

Steps to reproduce:

Remove or misconfigure the following configs in the ambari-agent.ini file:
{code}
[agent]
logdir=/var/log/ambari-agent
piddir=/var/run/ambari-agent
{code}

Start the Ambari agent. Note that log, pid, and out want to be written to /. Everything fails and sudo is destroyed, as well as /home for all users. The sudo user will not be able to connect to the cluster using a private key, due to permissions and the folder ownership switch to root.
{code}
[root@ambari-slave1 vagrant]# id
uid=0(root) gid=0(root) groups=0(root)
[root@ambari-slave1 vagrant]# ambari-agent start
chown: changing ownership of `/proc/12937': Operation not permitted
chown: changing ownership of `/proc/12938/task/12938': Operation not permitted
chown: changing ownership of `/proc/12938': Operation not permitted
chown: changing ownership of `/proc/12941/task/12941': Operation not permitted
chown: changing ownership of `/proc/12941': Operation not permitted
chown: changing ownership of `/proc/12942/task/12942/fd/4': No such file or directory
chown: changing ownership of `/proc/12942/task/12942/fdinfo/4': No such file or directory
chown: changing ownership of `/proc/12942/task/12942': Operation not permitted
chown: changing ownership of `/proc/12942/fd/4': No such file or directory
chown: changing ownership of `/proc/12942/fdinfo/4': No such file or directory
chown: changing ownership of `/proc/12942': Operation not permitted
Starting ambari-agent
Verifying ambari-agent process status...
Ambari Agent successfully started
Agent PID at: /ambari-agent.pid
Agent out at: /ambari-agent.out
Agent log at: /ambari-agent.log
{code}

Sticky bit is removed from sudo as a result of it:
{code}
[root@ambari-slave1 vagrant]# ls -l /usr/bin/sudo
---x--x--x. 1 root root 123832 Oct 15 2014 /usr/bin/sudo
{code}

It should be:
{code}
[root@ambari-slave2 vagrant]# ls -l /usr/bin/sudo
---s--x--x. 1 root root 123832 Oct 15 2014 /usr/bin/sudo
{code}

All user folders are messed up, as they are owned by root:
{code}
[root@ambari-slave1 vagrant]# ls -ld /home/
drwxr-xr-x. 3 root root 4096 Mar 9 2016 /home/
[root@ambari-slave1 vagrant]# ls -ld /home/vagrant
drwx------ 3 root root 4096 Sep 27 22:16 /home/vagrant
{code}

sudo is broken:
{code}
[root@ambari-slave1 vagrant]# id
uid=0(root) gid=0(root) groups=0(root)
[root@ambari-slave1 vagrant]# exit
exit
[vagrant@ambari-slave1 ~]$ sudo su
sudo: effective uid is not 0, is sudo installed setuid root?
{code}

This is caused by the function in /usr/sbin/ambari-agent:
{code}
get_agent_property() {
  property_name="$1"
  value=$(awk -F "=" "/$property_name/ {print \$2}" /etc/ambari-agent/conf/ambari-agent.ini)
  echo $value
}
{code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
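
An added example, not Ambari's code and not the attached patch: the lookup quoted in the report matches any line containing the property name and returns an empty string when the key is absent, which is how the log, pid and out paths end up directly under /. The helpers below read the key from the [agent] section by exact match and fall back to a default unless the value is an absolute path other than /; the function names are hypothetical and the defaults are the two values shown in the report.

```shell
#!/bin/sh
# Added example (not Ambari's code): hypothetical hardened helpers.

# Print the value of KEY from the [agent] section only. The key must match
# exactly, so comments and keys that merely contain KEY are ignored.
get_agent_property_strict() {   # usage: <ini_file> <key>
    awk -v key="$2" '
        /^[ \t]*\[/ { in_agent = ($0 ~ /^[ \t]*\[agent\][ \t]*$/); next }
        in_agent && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Echo VALUE only if it is an absolute path other than "/" with no ".."
# component; otherwise echo DEFAULT. An empty value falls back too.
safe_dir_or_default() {         # usage: <value> <default>
    case "$1" in
        ""|*/../*|*/..) printf '%s\n' "$2" ;;
        /*[!/]*)        printf '%s\n' "$1" ;;
        *)              printf '%s\n' "$2" ;;
    esac
}

# Resolve a directory property that is safe to hand to chown/chmod/mkdir.
resolve_agent_dir() {           # usage: <ini_file> <key> <default>
    safe_dir_or_default "$(get_agent_property_strict "$1" "$2")" "$3"
}

# Constructed sample: logdir is commented out, piddir is set to "/".
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[agent]
# logdir=/var/log/ambari-agent
piddir=/
EOF
echo "logdir: $(resolve_agent_dir "$demo_ini" logdir /var/log/ambari-agent)"
echo "piddir: $(resolve_agent_dir "$demo_ini" piddir /var/run/ambari-agent)"
rm -f "$demo_ini"
```

Both demo lines print the defaults, so a recursive ownership change keyed on these values stays inside the agent's own directories.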