| 1 |
I have been struggling to get my hardened systems managed by Ansible for |
| 2 |
quite some time now. I have almost everything working well now, except |
| 3 |
service control. It seems like the run_init stuff in OpenRC behaves |
| 4 |
strangely when /sbin/rc-service is called via exec(), |
| 5 |
stdin/stdout/stderr are connected to pipes, and the whole thing is run |
| 6 |
through sudo. I suspect it has something to do with the way run_init |
| 7 |
tries to prompt for credentials (even though I have that "disabled"). |
| 8 |
|
| 9 |
Here's what I've got set up: |
| 10 |
|
| 11 |
----------------- |
| 12 |
|
| 13 |
test-bd06fe ~ # grep -Ev '^#|^$' /etc/selinux/config |
| 14 |
SELINUX=permissive |
| 15 |
SELINUXTYPE=strict |
| 16 |
|
| 17 |
test-bd06fe ~ # getenforce |
| 18 |
Permissive |
| 19 |
|
| 20 |
test-bd06fe ~ # cat /etc/pam.d/run_init |
| 21 |
#%PAM-1.0 |
| 22 |
# Uncomment the next line if you do not want to enter your passwd everytime |
| 23 |
auth sufficient pam_rootok.so |
| 24 |
auth include system-auth |
| 25 |
account include system-auth |
| 26 |
password include system-auth |
| 27 |
session include system-auth |
| 28 |
session optional pam_xauth.so |
| 29 |
|
| 30 |
test-bd06fe ~ # cat /etc/sudoers.d/root |
| 31 |
root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL |
| 32 |
|
| 33 |
test-bd06fe ~ # cat test2.py |
| 34 |
import subprocess |
| 35 |
|
| 36 |
p = subprocess.Popen(['/sbin/rc-service', 'nfsmount', 'restart'], |
| 37 |
stdin=subprocess.PIPE, |
| 38 |
stdout=subprocess.PIPE, |
| 39 |
stderr=subprocess.PIPE) |
| 40 |
o, e = p.communicate() |
| 41 |
print('exitcode: {}'.format(p.returncode)) |
| 42 |
print('stdout: {}'.format(o)) |
| 43 |
print('stderr: {}'.format(e)) |
| 44 |
|
| 45 |
test-bd06fe ~ # python2.7 test2.py |
| 46 |
exitcode: 0 |
| 47 |
stdout: * Starting NFS sm-notify ... [ ok ] |
| 48 |
* Mounting NFS filesystems ... [ ok ] |
| 49 |
|
| 50 |
stderr: |
| 51 |
|
| 52 |
test-bd06fe ~ # rc-service nfsmount status |
| 53 |
* status: started |
| 54 |
|
| 55 |
test-bd06fe ~ # rc-service nfsmount stop |
| 56 |
* Unmounting NFS filesystems ... |
| 57 |
[ ok ] |
| 58 |
|
| 59 |
test-bd06fe ~ # sudo python2.7 test2.py |
| 60 |
exitcode: 0 |
| 61 |
stdout: |
| 62 |
stderr: |
| 63 |
|
| 64 |
test-bd06fe ~ # rc-service nfsmount status |
| 65 |
* status: stopped |
| 66 |
|
| 67 |
----------------- |
| 68 |
|
| 69 |
As you can see, this happens even when SELinux is not enforcing, so I |
| 70 |
don't think it is policy related. I wonder if there is some way to stop |
| 71 |
run_init from trying to prompt for authentication altogether, especially |
| 72 |
when stdin/stdout/stderr is not a tty. |
| 73 |
|
| 74 |
Any thoughts or pointers would be appreciated. |
| 75 |
|
| 76 |
Thanks, |
| 77 |
|
| 78 |
-- |
| 79 |
♫Dustin |
| 80 |
http://dustin.hatch.name/ |
Archives