  1. Ambari
  2. AMBARI-18526

Ambari breaks sudo and user access if Ambari Agent misconfigured


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.4.0
    • 2.4.2
    • ambari-server
    • None

    Description

      While working on an Ambari installation using Vagrant, I found the following issues, which can be potentially dangerous and destroy sudo and /home permissions.

      Steps to reproduce:

      Remove or misconfigure the following configs in the ambari-agent.ini file:

      [agent]
      logdir=/var/log/ambari-agent
      piddir=/var/run/ambari-agent
      

      Start the Ambari agent. Note that log, pid, and out want to be written to /. Everything fails and sudo is destroyed, as well as /home for all users. The sudo user will not be able to connect to the cluster using a private key because of the permissions and the folder ownership switching to root.

      [root@ambari-slave1 vagrant]# id
      uid=0(root) gid=0(root) groups=0(root)
      
      [root@ambari-slave1 vagrant]# ambari-agent start
      
      chown: changing ownership of `/proc/12937': Operation not permitted
      chown: changing ownership of `/proc/12938/task/12938': Operation not permitted
      chown: changing ownership of `/proc/12938': Operation not permitted
      chown: changing ownership of `/proc/12941/task/12941': Operation not permitted
      chown: changing ownership of `/proc/12941': Operation not permitted
      chown: changing ownership of `/proc/12942/task/12942/fd/4': No such file or directory
      chown: changing ownership of `/proc/12942/task/12942/fdinfo/4': No such file or directory
      chown: changing ownership of `/proc/12942/task/12942': Operation not permitted
      chown: changing ownership of `/proc/12942/fd/4': No such file or directory
      chown: changing ownership of `/proc/12942/fdinfo/4': No such file or directory
      chown: changing ownership of `/proc/12942': Operation not permitted
      Starting ambari-agent
      Verifying ambari-agent process status...
      Ambari Agent successfully started
      Agent PID at: /ambari-agent.pid
      Agent out at: /ambari-agent.out
      Agent log at: /ambari-agent.log
      

      The sticky bit is removed from sudo as a result of it:

      [root@ambari-slave1 vagrant]# ls -l /usr/bin/sudo
      ---x--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
      

      It should be:

      [root@ambari-slave2 vagrant]# ls -l /usr/bin/sudo
      ---s--x--x. 1 root root 123832 Oct 15  2014 /usr/bin/sudo
      

      All user folders are messed up, as they are owned by root:

      [root@ambari-slave1 vagrant]# ls -ld /home/
      drwxr-xr-x. 3 root root 4096 Mar  9  2016 /home/
      
      [root@ambari-slave1 vagrant]# ls -ld /home/vagrant
      drwx------ 3 root root 4096 Sep 27 22:16 /home/vagrant
      

      sudo is broken:

      [root@ambari-slave1 vagrant]# id
      uid=0(root) gid=0(root) groups=0(root)
      [root@ambari-slave1 vagrant]# exit
      exit
      [vagrant@ambari-slave1 ~]$ sudo su
      sudo: effective uid is not 0, is sudo installed setuid root?
      

      This is caused by a function in /usr/sbin/ambari-agent:

      get_agent_property() {
      property_name="$1"
      value=$(awk -F "=" "/$property_name/ {print \$2}" /etc/ambari-agent/conf/ambari-agent.ini)
      echo $value
      }
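
      A defensive version of this lookup, as an added example (it is not the code from /usr/sbin/ambari-agent or from the attached patch; the function names are hypothetical). The function above matches any line that contains the property name and prints nothing when the key is missing, which is how the paths in the output above collapse to /; the sketch below matches the exact key inside its section and refuses an empty, relative or top-level directory before anything is created or chowned.

```shell
# Added example; function names are hypothetical, not from /usr/sbin/ambari-agent.

# Print the value of KEY inside [SECTION] of ini FILE (exact key match only).
read_ini_property() {   # usage: read_ini_property SECTION KEY FILE
  awk -v section="$1" -v key="$2" '
    /^[ \t]*[#;]/ { next }                       # ignore comment lines
    /^[ \t]*\[/ {                                # section header
      sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, "")
      in_section = ($0 == section); next
    }
    in_section && (eq = index($0, "=")) {
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$3"
}

# Succeed only for a path that is safe to create and chown recursively:
# absolute, no "." / ".." / empty components, at least two levels below "/".
# The two-level rule is an assumption of this example, not an Ambari rule.
safe_agent_dir() {
  p=${1%/}                                       # tolerate one trailing slash
  case "$p" in /*) ;; *) return 1 ;; esac        # empty, "/" or relative
  case "$p/" in *//*|*/./*|*/../*) return 1 ;; esac
  case "$p" in /*/*) return 0 ;; *) return 1 ;; esac   # rejects /home, /usr
}

# Resolve KEY from the [agent] section, failing instead of yielding "".
agent_dir() {           # usage: agent_dir KEY FILE
  dir=$(read_ini_property agent "$1" "$2")
  if safe_agent_dir "$dir"; then
    printf '%s\n' "$dir"
  else
    echo "refusing $1='$dir' from $2: not a safe directory" >&2
    return 1
  fi
}

# Constructed sample input: piddir is missing, as in the report above.
demo_ini=$(mktemp) && printf '[agent]\nlogdir=/var/log/ambari-agent\n' > "$demo_ini"
agent_dir logdir "$demo_ini"            # prints /var/log/ambari-agent
agent_dir piddir "$demo_ini" || true    # refused: value is empty
rm -f "$demo_ini"
```
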
      

      Attachments

        1. AMBARI-18526.patch
          1 kB
          Dmitry Lysnichenko

            People

              dmitriusan Dmitry Lysnichenko
              dmitriusan Dmitry Lysnichenko