sudo.conf is owned by uid 65534


Configuration
Ansible 2.9.10
Upgraded from ansible-automation-platform-setup-bundle-1.2.0-1, which I believe is Tower 3.8.

Really strange issue. I have two systems I am testing against. The first one is CentOS 6 and the second is CentOS 7.

The C7 host works fine.
C6 host : ok=188 changed=122 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
C7 host : ok=188 changed=122 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Output from C6 host
"msg": "privilege output closed while waiting for password prompt:\nsudo: /etc/sudo.conf is owned by uid 65534, should be 0\nsudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set\n",
"_ansible_no_log": false

Anyone seen this before? I am going to run against my lab environment, which has a combination of 6, 7 and 8 hosts. But this one is stumping me.

When I run the playbook manually it works fine and I get the report I expect to see.
ansible-playbook ia_scan.yml -i test.inv -u -Kk

Responses

Hi Gary Jarrell

Consider submitting a ticket for this if you are using Red Hat's Ansible Tower, especially if, for some reason, Ansible Tower has non-typical permissions.

Please see Akemi Yagi's post above. However, please validate the permissions for files such as these:

I am only on a Fedora system tonight, so I'll update this tomorrow for RHEL, or perhaps someone can do this if they get to it before I do.

Find the rpm that installs /etc/sudo.conf. I'm currently on a Fedora system, so it is probably different.

yum provides */yumdownloader

You will get a lot of output, but it will tell you the rpm you need for that. Install the rpm

yum install name_of_rpm_without_the_version
# in fedora it was ' yum install dnf-utils' - but without the quotes
# it might be yum-utils on RHEL, I'll update this tomorrow

Now download the rpm

yumdownloader sudo

The command above will download the rpm for you in the directory you happen to be in. Next, run this command to get the permissions that are valid.

NOTE Make sure to replace the version you see below with the actual file you downloaded:

 rpm -qplv sudo-1.9.2-1.fc32.x86_64.rpm  | egrep "sudo.conf|sudoers" | egrep 'etc'
-rw-r--r--    1 root     root                        5 Sep 15 11:07 /etc/dnf/protected.d/sudo.conf
-rw-r-----    1 root     root                     3985 Sep 15 11:07 /etc/sudo.conf
-r--r-----    1 root     root                     4375 Sep 15 11:04 /etc/sudoers
drwxr-x---    2 root     root                        0 Sep 15 11:07 /etc/sudoers.d

Those are the permissions and ownership that should exist for the files from within the rpm.

By the way, the permissions for /etc/sudoers and /usr/bin/sudo are:

-r--r-----    1 root     root                     4375 Sep 15 11:04 /etc/sudoers
# and
---s--x--x    1 root     root                   186592 Sep 15 11:07 /usr/bin/sudo

To fix permissions, please examine this solution https://access.redhat.com/solutions/281923

rpm --setugids PACKAGE_NAME - sets user/group ownership of files in the given package.
rpm --setperms PACKAGE_NAME - sets permissions of files in the given package.

This may be overkill; however, if you discover your permissions were actually wrong, then from a security perspective it might be useful to validate your rpms on the system you're dealing with using this Red Hat solution

Regards,
RJ
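The checks RJ lists above (root ownership, the packaged modes, the setuid bit on /usr/bin/sudo, and rpm's own view of the package) can be run across a fleet as one play. The following is an added example for this thread, not RJ's or Gary's code; it assumes the expected modes shown in the rpm -qplv listing above (sudo 4111, sudo.conf 0640, sudoers 0440), which should be adjusted to whatever rpm -qplv reports for the sudo package actually installed on the target release.

```yaml
# Added example: verify that the files sudo checks before it will run still
# have the ownership and mode the rpm shipped them with.
# Deliberately runs without become: a host whose sudo files are wrong is exactly
# a host this play could not become root on, and nothing below needs root.
- name: Verify sudo file ownership and permissions
  hosts: all
  become: false
  tasks:
    - name: Ask rpm to verify only mode/owner/group of the sudo package files
      # size, mtime and digest are skipped so a locally edited sudoers does not
      # count as a failure; a U, G or M in the output means owner/group/mode drift
      command: rpm -V --nosize --nomtime --nofiledigest sudo
      register: sudo_rpm_verify
      changed_when: false
      failed_when: false

    - name: Stat the files sudo itself checks before running
      stat:
        path: "{{ item.path }}"
      loop:
        # expected modes taken from the rpm -qplv output quoted in the thread
        - { path: /usr/bin/sudo,  mode: "4111" }
        - { path: /etc/sudo.conf, mode: "0640" }
        - { path: /etc/sudoers,   mode: "0440" }
      register: sudo_files

    - name: Fail if anything is not root-owned or has drifted from the packaged mode
      assert:
        that:
          - item.stat.exists
          - item.stat.uid == 0
          - item.stat.gid == 0
          - item.stat.mode == item.item.mode
        fail_msg: >-
          {{ item.item.path }} is uid {{ item.stat.uid }} gid {{ item.stat.gid }}
          mode {{ item.stat.mode }}, expected root:root {{ item.item.mode }}.
          rpm -V reported: {{ sudo_rpm_verify.stdout | default('nothing') }}
      loop: "{{ sudo_files.results }}"
      loop_control:
        label: "{{ item.item.path }}"

    - name: Also require the setuid bit, which sudo refuses to run without
      assert:
        that:
          - sudo_files.results[0].stat.isuid
        fail_msg: /usr/bin/sudo is not setuid root
```

The stat module reports mode as a four-digit octal string that includes the setuid bit, so a correctly installed sudo shows "4111" and a stripped one shows "0111"; the separate isuid assertion just makes that failure read clearly in the output.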

I think I will have to open a case.
We are on Tower. I did a reinstall of sudo. I checked the permissions against the C7 that is working, but it is still not working on C6.

CentOS 6 /usr/bin/sudo
---s--x--x. 1 root root 123832 Mar 10 2020 /usr/bin/sudo
CentOS 7 /usr/bin/sudo
---s--x--x 1 root root 147336 Sep 30 13:42 /usr/bin/sudo

/etc/sudo.conf is the same, as is sudoers.

CentOS 6
-rw-r-----. 1 root root 1786 Sep 25 2012 /etc/sudo.conf
CentOS 7
-rw-r----- 1 root root 1786 Sep 30 09:18 /etc/sudo.conf

So I run the command manually and it works fine.

ansible-playbook -i test.inv -u ia_scan.yml -Kk

Final output with no errors (the CSV report: a header row of check names, then one row of results per host):

Inventory Host Host IP CIS CIS Populated Puppet Disable Privilige Users privilige users1 Root Group bashrc Profile Check Check su Aide Audit Grub Check Check Login Check Cron Check File Sys Check Disable FS Check Enabled Services Check Insecure Check Issue File Check Home Mount Check Home NoDev Check SHM Check TMP IPV6 Enabled Docker IP Forward Check Network Check PAM Check limits Check Coredump Check PreLink Check Dumpable Check SELinux Check X11 Check Avahi Check CUPs Check DHCP Check slapd Check NFS Check RPC check named Check VSFTP Check HTTP Check dovecot Check SMB Check Squid Check SNMP Check YP Check RSH Check rlogin Check rexec Check ntalk Check telnet Check tftp Check rsync Check syslog Check System Perms Check User Accounts Check Yum Gpg Check Yum RHN
C6 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
C7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

When I run in Tower, C6 fails with

{
    "msg": "privilege output closed while waiting for password prompt:\nsudo: /etc/sudo.conf is owned by uid 65534, should be 0\nsudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set\n",
    "_ansible_no_log": false
}

Hi Gary,

Red Hat folks will help you with the support ticket you placed.

The instructions I gave above would assist you in resolving any permissions issues, and I cited the Red Hat solutions I garnered them from.

Let us know if you require anything from the discussion area, and cite this discussion in your case if you wish.

Regards,
RJ

Well, opening the ticket did not help. They had me check some settings, then basically said to contact the forums as they do not support manifests.

Job (line numbers from ia_scan.yml; the tempfile task is the one at line 509 that the job output references):

---
- name: Scan CIS Benchmark
  hosts: all
  serial: 50
  gather_facts: True
  force_handlers: True
  tasks:
    #check CIS
    ...
    # {this is where the file cleanup is happening}
    - name: Create temp file to write to          # line 509
      tempfile:
        path: /var/tmp
        state: file
        suffix: ".csv"
      register: temp_file
      run_once: True
      delegate_to: localhost

    - name: Template out the report to .csv
      template:
        dest: "{{ temp_file.path }}"
        src: "templates/ia_report.j2"
      run_once: True
      delegate_to: localhost

    - name: Mail file
      mail:
        attach: "{{ temp_file.path }}"
        body: "CSV attached"
        subject: "CIS Report"
        host: "{{ mail_host | default(omit) }}"
        to: "{{ mail_to | default(omit) }}"
        from: "{{ mail_from | default(mail_to) | default(omit) }}"
      when: mail_to is defined
      run_once: True
      delegate_to: localhost

  handlers:

Bottom of the job where it fails:

TASK [Create temp file to write to] ********************************************
task path: /tmp/awx_1597_tqh1901b/project/ia_scan.yml:509
ESTABLISH LOCAL CONNECTION FOR USER: awx
EXEC /bin/sh -c 'echo ~awx && sleep 0'
EXEC /bin/sh -c '( umask 77 && mkdir -p "`echo /var/lib/awx/.ansible/tmp`"&& mkdir /var/lib/awx/.ansible/tmp/ansible-tmp-1611603272.9749866-2365-2530803472496 && echo ansible-tmp-1611603272.9749866-2365-2530803472496="`echo /var/lib/awx/.ansible/tmp/ansible-tmp-1611603272.9749866-2365-2530803472496`" ) && sleep 0'
Using module file /usr/lib/python3.6/site-packages/ansible/modules/files/tempfile.py
PUT /var/lib/awx/.ansible/tmp/ansible-local-20tdebxyp/tmp_cs0659_ TO /var/lib/awx/.ansible/tmp/ansible-tmp-1611603272.9749866-2365-2530803472496/AnsiballZ_tempfile.py
EXEC /bin/sh -c 'chmod u+x /var/lib/awx/.ansible/tmp/ansible-tmp-1611603272.9749866-2365-2530803472496/ /var/lib/awx/.ansible/tmp/ansible-tmp-1611603272.9749866-2365-2530803472496/AnsiballZ_tempfile.py && sleep 0'
EXEC /bin/sh -c 'sudo -H -S -p "[sudo via ansible, key=jcjdwsaxolezxxktszzylkqcjpsrnqhg] password:" -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-jcjdwsaxolezxxktszzylkqcjpsrnqhg ; /usr/bin/python3.6 /var/lib/awx/.ansible/tmp/ansible-tmp-1611603272.9749866-2365-2530803472496/AnsiballZ_tempfile.py'"'"' && sleep 0'
EXEC /bin/sh -c 'rm -f -r /var/lib/awx/.ansible/tmp/ansible-tmp-1611603272.9749866-2365-2530803472496/ > /dev/null 2>&1 && sleep 0'
fatal: []: FAILED! => {
    "msg": "privilege output closed while waiting for password prompt:\nsudo: /etc/sudo.conf is owned by uid 65534, should be 0\nsudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set\n"
}

NO MORE HOSTS LEFT *************************************************************

OK, found the solution. In our sections where we were creating the tmp file on the localhost, I had to add become: False. One of the engineers that assisted us in setting up the environment provided some insight.
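The fix Gary found generalizes. The job output above shows the failing task was executed on the Tower node itself (ESTABLISH LOCAL CONNECTION FOR USER: awx) and then wrapped in sudo because become was on for the play. Inside Tower's job isolation sandbox, the job runs as the unprivileged awx user in a user namespace where root-owned files are reported as the kernel overflow uid 65534 and setuid bits on them are ignored, which is exactly the pair of complaints sudo printed; the same play from a shell on a host where the operator can sudo never hits this. The controller-side report tasks never needed root in the first place, so grouping them in one block with become: false switches privilege escalation off only where it cannot work and leaves it on for the managed hosts. This is an added example, not the original playbook; it assumes the same templates/ia_report.j2 and mail_* variables as Gary's play.

```yaml
# Added example: the localhost-side report tasks from the thread, grouped so
# that become is disabled once for all of them instead of per task.
- name: Scan CIS Benchmark
  hosts: all
  serial: 50
  gather_facts: true
  force_handlers: true
  tasks:
    # ... CIS check tasks run on the managed hosts with become as configured ...

    - name: Build and mail the report from the control node
      # Everything in this block runs on the controller as the job user (awx in
      # Tower). become: false is the fix from the thread: that user cannot sudo
      # inside the job sandbox, and writing a CSV and sending mail need no root.
      become: false
      delegate_to: localhost
      run_once: true
      block:
        - name: Create temp file to write to
          tempfile:
            path: /var/tmp
            state: file
            suffix: ".csv"
          register: temp_file

        - name: Template out the report to .csv
          template:
            dest: "{{ temp_file.path }}"
            src: "templates/ia_report.j2"

        - name: Mail file
          mail:
            attach: "{{ temp_file.path }}"
            body: "CSV attached"
            subject: "CIS Report"
            host: "{{ mail_host | default(omit) }}"
            to: "{{ mail_to | default(omit) }}"
            from: "{{ mail_from | default(mail_to) | default(omit) }}"
          when: mail_to is defined

      always:
        # The report contains per-host compliance data; do not leave it lying
        # in /var/tmp on the controller after it has been mailed (or if mailing failed).
        - name: Remove the temp report from the controller
          file:
            path: "{{ temp_file.path }}"
            state: absent
          when: temp_file is defined and temp_file.path is defined
```

Two caveats worth knowing here. Block-level become: false only overrides what the job template or credential turned on; it does not stop Tower from prompting for or supplying a become password, it just means these tasks never invoke sudo. And run_once executes once per serial batch, not once per play, so with serial: 50 and more than 50 hosts in the inventory this block (and therefore the mail) fires once per batch of 50; either drop serial from this play or move the report into a second play with hosts: localhost.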