Skip to content

fix(ipmi_exporter): Fix privilege escalation when running in local mode #616

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix(ipmi_exporter): Fix privilege escalation when running in local mode #616

wants to merge 3 commits into from

Conversation

@netcho
Copy link

@netcho netcho commented Jul 9, 2025

Fixes #526

@github-actions github-actions bot added the bugfix label Jul 9, 2025
@github-actions github-actions bot added bugfix and removed bugfix labels Jul 9, 2025
@github-actions github-actions bot added bugfix and removed bugfix labels Jul 9, 2025
@github-actions github-actions bot added bugfix and removed bugfix labels Jul 9, 2025
@SkytAsul
Copy link

SkytAsul commented Jul 18, 2025

Would love to see this merged

@github-actions github-actions bot added bugfix and removed bugfix labels Jul 21, 2025
@netcho
feat(_common): Add the selinux tag
f9f2bc6 
Add the selinus tag to all SELinux tasks to allow skipping/selecting them
@github-actions github-actions bot added bugfix and removed bugfix labels Jul 21, 2025
gardar
gardar requested changes Aug 12, 2025
View reviewed changes
roles/_common/tasks/selinux.yml
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}"
- configure
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}_configure"
- selinux
Copy link
Member

@gardar gardar Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you adding this tag? It seems unrelated to the subject

roles/ipmi_exporter/tasks/configure.yml
Comment on lines +34 to +43
- name: Create sudoers file to allow passwordless IPMI commands
ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ ipmi_exporter_system_user }}"
content: |
{{ ipmi_exporter_system_user }} ALL=(ALL) NOPASSWD: {{ ipmi_exporter_sudo_commands | join(', ') }}
owner: root
group: root
mode: '0440'
become: true
when: ipmi_exporter_system_user is defined
Copy link
Member

@gardar gardar Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use community.general.sudoers instead

roles/ipmi_exporter/defaults/main.yml
Comment on lines +16 to +23
ipmi_exporter_sudo_commands:
- /usr/sbin/ipmimonitoring
- /usr/sbin/ipmi-sensors
- /usr/sbin/ipmi-dcmi
- /usr/sbin/ipmi-raw
- /usr/sbin/bmc-info
- /usr/sbin/ipmi-chassis
- /usr/sbin/ipmi-sel
Copy link
Member

@gardar gardar Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the user ever need to overwrite this? Perhaps it would be better to place this as a internal variable under vars/main.yml

@gardar
Copy link
Member

gardar commented Aug 12, 2025

The sudo policy should not be used for every installation of ipmi_exporter since it only applies to the local mode.
Also, perhaps a better solution would be to just use root, since the sudo trickery won't work when using the Go-native IPMI implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gardar gardar gardar requested changes

Assignees

No one assigned

Labels

bugfix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Not possible to run ipmi-exporter as non-root due to NoNewPrivileges in systemd service

3 participants

@netcho @SkytAsul @gardar