Bug 1220389

Summary: [Build 20240226-1] openQA test fails in yast2_nfs4_client - root is not in the sudoers file.
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP5
Reporter: yutao wang <yuwang>
Component: Maintenance
Assignee: Otto Hollmann <otto.hollmann>
Status: RESOLVED FIXED
QA Contact:
Severity: Normal
Priority: P5 - None
CC: felix.niederwanger, rfrohl
Version: unspecified
Target Milestone: ---
Hardware: x86-64
OS: SLES 15
URL: https://openqa.suse.de/tests/13615479/modules/yast2_nfs4_client/steps/171
Whiteboard:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---
Attachments: yast2 log.

Description yutao wang 2024-02-27 08:14:59 UTC
Created attachment 873019 [details]
yast2 log.

Hardware: aarch64, x86_64, s390x
Software: sles15sp2, 15sp3, 15sp4
***********************************************************
## Observation

openQA test in scenario sle-15-SP5-Server-DVD-Updates-x86_64-qam-nfs4-client@64bit fails in
[yast2_nfs4_client](https://openqa.suse.de/tests/13615479/modules/yast2_nfs4_client/steps/171)

## Test suite description
Testsuite maintained at https://gitlab.suse.de/qe-yam/openqa-job-groups


## Reproducible

Fails since (at least) Build [20240226-1](https://openqa.suse.de/tests/13615479)


## Further details

Always latest result in this scenario: [latest](https://openqa.suse.de/tests/latest?arch=x86_64&distri=sle&flavor=Server-DVD-Updates&machine=64bit&test=qam-nfs4-client&version=15-SP5)
Test steps:
1. Add maintain repos: 32785:sudo
2. Generate one image named:
autoyast_SLES-15-SP5-x86_64-create_hdd_yast_maintenance_minimal-Build20240226-1-Server-DVD-Updates-64bit.qcow2
3. Use this image to do yast2 nfs test.
Got error message:
https://openqa.suse.de/tests/13615479#step/yast2_nfs4_client/171
Command: sudo -u bernhard cat /tmp/nfs/client/secret.txt
Output information:
root is not in the sudoers file.
This incident has been reported to the administrator.
Comment 1 Felix Niederwanger 2024-02-27 08:20:44 UTC
Also 12-SP5 and 15-SP6 - in short all SLES versions.

We see this issue in all public cloud test runs, where this means that the users would be locked out from becoming root. The current `sudo` updates must not be released.
Comment 2 Robert Frohl 2024-02-27 08:21:25 UTC
@Otto: Could you please have a look? This seems to affect all of the submissions.
Comment 3 Otto Hollmann 2024-02-28 07:45:14 UTC
I double-checked my patch and the backport itself is correct. The problem seems to be in this change:

> -#define DENY	 0
> -#define ALLOW	 1
> +/* Allowed by policy (rowhammer resistent). */
> +#define ALLOW	 0x52a2925	/* 0101001010100010100100100101 */
> +/* Denied by policy (rowhammer resistent). */
> +#define DENY	 0xad5d6da	/* 1010110101011101011011011010 */
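
Review bot: ALLOW is no longer 1 and DENY is no longer 0 after these defines, so DENY now evaluates as true and ALLOW no longer equals a literal 1. Every caller that tests a match result by truthiness or against 0/1 (or true/false) has to be converted to an explicit comparison with ALLOW or DENY in the same backport, and nothing in the visible lines does that; a search of the tree for such uses belongs in this submission. Minor: "resistent" in both new comments should read "resistant".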

Because some other functions are probably relying on the older values.

I found two related commits
> https://github.com/sudo-project/sudo/commit/2ef90231a132547fa4236ff05fc0fafcd3f3d7a4
> https://github.com/sudo-project/sudo/commit/0495afac57f5bd783dd90bfaa25733f802b0f66f

I'm trying to backport them.
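
The failure mode suspected in comment 3, as an added example that is not part of the original report and is not sudo code: the constants are taken from the quoted hunk, while the callers `legacy_truthy`, `legacy_literal` and `explicit_allow` are hypothetical. It shows both ways a caller written for the 0/1 encoding breaks under the new values, and the Hamming distance between the two encodings before and after the change.

```c
#include <stdio.h>

/* Policy result encodings before and after the change, from the quoted hunk. */
#define OLD_DENY  0
#define OLD_ALLOW 1
#define NEW_ALLOW 0x52a2925
#define NEW_DENY  0xad5d6da

/* Hypothetical callers written against the old 0/1 encoding (not sudo code). */
static int legacy_truthy(int match)  { return match ? 1 : 0; } /* if (match)      */
static int legacy_literal(int match) { return match == 1; }    /* if (match == 1) */

/* Hardened caller: permit only on an exact match with the ALLOW constant,
 * so DENY, 0, 1 and any corrupted value all end in a denial. */
static int explicit_allow(int match, int allow) { return match == allow; }

/* Number of bit flips needed to turn one encoding into the other. */
static int hamming(unsigned a, unsigned b)
{
    unsigned x = a ^ b;
    int n = 0;
    for (; x != 0; x >>= 1)
        n += (int)(x & 1u);
    return n;
}

int main(void)
{
    printf("truthy caller,   new DENY : %s\n",
           legacy_truthy(NEW_DENY) ? "permitted (wrong)" : "denied");
    printf("literal caller,  new ALLOW: %s\n",
           legacy_literal(NEW_ALLOW) ? "permitted" : "denied (wrong)");
    printf("explicit caller, new ALLOW: %s\n",
           explicit_allow(NEW_ALLOW, NEW_ALLOW) ? "permitted" : "denied");
    printf("explicit caller, new DENY : %s\n",
           explicit_allow(NEW_DENY, NEW_ALLOW) ? "permitted" : "denied");
    printf("bit flips DENY->ALLOW: old %d, new %d\n",
           hamming(OLD_DENY, OLD_ALLOW), hamming(NEW_DENY, NEW_ALLOW));
    return 0;
}
```

The literal-comparison case denies a permitted user, the same kind of symptom as the `root is not in the sudoers file` message in the description; the page does not say which pattern the incomplete backport actually hit.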
Comment 4 Otto Hollmann 2024-02-28 11:12:37 UTC
I've fixed SLE15-SP5, the missing patch is this one:
> https://github.com/sudo-project/sudo/commit/cf00568d888c90a8c5d06a06283bc87a45992933

I will backport this patch to the remaining codestreams and hopefully resubmit it today.
Comment 5 Otto Hollmann 2024-02-28 15:31:48 UTC
resubmitted:
> Codestream               Version   SR
> -----------------------------------------------
> SUSE_SLE-15-SP5_Update   1.9.12p1  322748 -> 322941
> SUSE_SLE-15-SP4_Update   1.9.9     322749 -> 322942
> SUSE_SLE-15-SP3_Update   1.9.5p2   322750 -> 322943
> SUSE_SLE-15_Update       1.8.27    322751 -> 322944
> SUSE_SLE-12-SP5_Update   1.8.27    322752 -> 322945
> SUSE_SLE-12-SP3_Update   1.8.20p2  322758 -> 322946
Comment 8 Maintenance Automation 2024-03-07 12:30:30 UTC
SUSE-SU-2024:0797-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): sudo-1.8.27-4.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2024-03-07 12:30:33 UTC
SUSE-SU-2024:0796-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): sudo-1.8.27-150000.4.50.1

Comment 10 Maintenance Automation 2024-03-07 12:30:38 UTC
SUSE-SU-2024:0795-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
openSUSE Leap Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Proxy 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Retail Branch Server 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Server 4.3 (src): sudo-1.9.9-150400.4.33.1
openSUSE Leap 15.4 (src): sudo-1.9.9-150400.4.33.1

Comment 11 Maintenance Automation 2024-03-07 12:30:44 UTC
SUSE-SU-2024:0794-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap 15.5 (src): sudo-1.9.12p1-150500.7.7.1
SUSE Linux Enterprise Micro 5.5 (src): sudo-1.9.12p1-150500.7.7.1
Basesystem Module 15-SP5 (src): sudo-1.9.12p1-150500.7.7.1

Comment 12 Maintenance Automation 2024-03-08 12:30:13 UTC
SUSE-SU-2024:0796-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): sudo-1.8.27-150000.4.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): sudo-1.8.27-150000.4.50.1

Comment 13 Maintenance Automation 2024-03-08 12:30:15 UTC
SUSE-SU-2024:0795-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
openSUSE Leap Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Micro 5.4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Proxy 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Retail Branch Server 4.3 (src): sudo-1.9.9-150400.4.33.1
SUSE Manager Server 4.3 (src): sudo-1.9.9-150400.4.33.1

Comment 14 Maintenance Automation 2024-03-08 12:36:26 UTC
SUSE-SU-2024:0797-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sudo-1.8.27-4.45.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): sudo-1.8.27-4.45.1

Comment 15 Maintenance Automation 2024-03-08 12:36:31 UTC
SUSE-SU-2024:0794-2: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap 15.5 (src): sudo-1.9.12p1-150500.7.7.1
SUSE Linux Enterprise Micro 5.5 (src): sudo-1.9.12p1-150500.7.7.1
Basesystem Module 15-SP5 (src): sudo-1.9.12p1-150500.7.7.1

Comment 17 Maintenance Automation 2024-03-12 16:36:36 UTC
SUSE-SU-2024:0834-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219026, 1220389
CVE References: CVE-2023-42465
Sources used:
openSUSE Leap 15.3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Enterprise Storage 7.1 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Micro 5.1 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Micro 5.2 (src): sudo-1.9.5p2-150300.3.33.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): sudo-1.9.5p2-150300.3.33.1

Comment 18 Otto Hollmann 2024-05-06 15:01:13 UTC
Closing