RHEL-08-010740 PATCH Task fails if home directory is set to /dev/null #284
Comments
|
Looks like the logic introduced with the resolution of #251 impacted both RHEL-08-010740 as well as RHEL-08-010741. The latter logic attempts to access transient paths under /proc/self that may have existed during initial query but not during attempted “resolution”. As with the initial issue and its workaround (item.dir != '/dev/null'), I am currently working around this issue by excluding paths containing /proc/self ('/proc/self' not in item.dir). Filtering based on shell is probably cleaner. |
|
Also, with 2f81776#diff-35cfe8756c71552d3b6700a13f666c527fb0611caa46588369338d2d95f1eb49 we seem to be parsing all of /etc/passwd but arbitrarily filtering out the root, halt, sync, and shutdown users. If the task-specific conditionals that I referenced above are not the preferred way of resolving this, I would prefer to filter based on login shell (do not parse /sbin/nologin users as they are explicitly non-interactive) which would resolve issues with both referenced Controls, or at the very least add the nss user (for resolving the /dev/null problem with RHEL-08-010740) and then the dbus, nobody, system-coredump, systemd-resolve, polkitd, sssd, and clamscan users (for resolving the /proc/self problem with RHEL-08-010741) as their home directories are defined as /. Unsure if these are the only accounts that cause this issue with RHEL-08-010741.. Need more testing. |
|
This issue is still present in the latest (3.3.0 // V1R13) release. |
|
hi @SeanathanVT Thank you for the detailed information. I can see this has been attempted to be addressed a few times and so as to utilise different data to ensure its matching as expected. Many thanks uk-bolly |
|
hi @SeanathanVT Thank you again for this issue. I believe a fix has been applied and is now in the main branch and release. I will close this issue, Please reopen if you feel this is not resolved. Many thanks uk-bolly |
Describe the Issue
On el8 baselines, the tss user’s home directory appears to be set to /dev/null. This causes the Task to fail as /dev/null is a not a directory.
Expected Behavior
Task should gracefully handle a situation where a user’s "home directory” is not actually a directory.
Actual Behavior
Execution of the RHEL-08-010740 PATCH logic fails if a local user’s home directory (as defined in /etc/passwd) is not actually a directory due to the Task’s inclusion of “state: directory”. I acknowledge the intent behind this (why would a home directory not be a home directory?), but in the case of the tss user on el8 baselines, the home directory is not actually a directory.
Control(s) Affected
RHEL-08-010740
Environment (please complete the following information):
Additional Notes
Possible Solution
Either remove the “state: directory” definition or add a conditional that excludes an item if its path is /dev/null (ex. item.dir != '/dev/null') or filter based on shell (ex. item.shell != '/sbin/nologin'). Not sure how you guys would prefer to handle this situation, so I don’t want to assume the proper resolution. Also unsure how likely this is to surface with a non-directory defined as a home directory that isn’t /dev/null.
The text was updated successfully, but these errors were encountered: