3 changes: 3 additions & 0 deletions roles/_common/tasks/selinux.yml
Expand Up @@ -24,6 +24,7 @@
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}"
- configure
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}_configure"
- selinux
Member

Why are you adding this tag? It seems unrelated to the subject


- name: Install selinux python packages [clearlinux]
ansible.builtin.package:
Expand All @@ -40,6 +41,7 @@
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}"
- configure
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}_configure"
- selinux

- name: Allow port in SELinux
community.general.seport:
Expand All @@ -56,3 +58,4 @@
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}"
- configure
- "{{ ansible_parent_role_names | first | regex_replace(ansible_collection_name ~ '.', '') }}_configure"
- selinux
9 changes: 9 additions & 0 deletions roles/ipmi_exporter/defaults/main.yml
Expand Up @@ -13,6 +13,15 @@ ipmi_exporter_modules:
- chassis
- sel

ipmi_exporter_sudo_commands:
- /usr/sbin/ipmimonitoring
- /usr/sbin/ipmi-sensors
- /usr/sbin/ipmi-dcmi
- /usr/sbin/ipmi-raw
- /usr/sbin/bmc-info
- /usr/sbin/ipmi-chassis
- /usr/sbin/ipmi-sel
Comment on lines +16 to +23
Member

Does the user ever need to overwrite this? Perhaps it would be better to place this as an internal variable under vars/main.yml


ipmi_exporter_web_listen_address: "0.0.0.0:9290"

ipmi_exporter_tls_server_config: {}
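
Review bot: `/usr/sbin/ipmi-raw` in `ipmi_exporter_sudo_commands` is much broader than the other entries. It sends arbitrary raw IPMI requests, so granting it through sudo gives the exporter account write access to the BMC rather than read-only monitoring. Consider building the list from the collectors actually enabled in `ipmi_exporter_modules` and leaving `ipmi-raw` out unless an enabled module needs it. The `/usr/sbin/` paths are also hardcoded, so a comment stating which package layout they assume would help.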
11 changes: 11 additions & 0 deletions roles/ipmi_exporter/tasks/configure.yml
Expand Up @@ -30,3 +30,14 @@
- ipmi_exporter
- configure
- ipmi_exporter_configure

- name: Create sudoers file to allow passwordless IPMI commands
ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ ipmi_exporter_system_user }}"
content: |
{{ ipmi_exporter_system_user }} ALL=(ALL) NOPASSWD: {{ ipmi_exporter_sudo_commands | join(', ') }}
owner: root
group: root
mode: '0440'
become: true
when: ipmi_exporter_system_user is defined
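
Review bot: the sudoers file is written by `ansible.builtin.copy` with no `validate: 'visudo -cf %s'`, so a bad value in `ipmi_exporter_system_user` or `ipmi_exporter_sudo_commands` puts a syntactically invalid file into `/etc/sudoers.d/`, which can stop sudo from working on the host. In the `content` line, `ALL=(ALL)` lets the account run the listed commands as any user; `ALL=(root)` should be enough if they only need root. The task also has no `tags:` list, unlike the task above it, which carries `ipmi_exporter`, `configure` and `ipmi_exporter_configure`. Finally, sudo skips files in an include directory whose name contains a `.`, so a user name with a dot would produce a file that is silently ignored.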
Comment on lines +34 to +43
Member

Please use community.general.sudoers instead

3 changes: 0 additions & 3 deletions roles/ipmi_exporter/templates/ipmi_exporter.service.j2
Expand Up @@ -23,13 +23,10 @@ RestartSec=1
StartLimitInterval=0

ProtectHome=yes
NoNewPrivileges=yes

{% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=yes
PrivateTmp=true
{% else %}
ProtectSystem=full
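
Review bot: this template change is deletions only (3 lines, per the file header) inside the sandboxing block around `NoNewPrivileges=yes` and the `Protect*` directives, and nothing in the template records why. `NoNewPrivileges=yes` does block setuid sudo, so relaxing it for the sudoers rule is understandable, but dropping hardening unconditionally weakens the unit for every deployment, including ones that never use sudo. Suggest gating the relaxed settings behind a role variable and adding a comment in the template that ties them to the sudo requirement.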