[SRU] cannot sudo, prompted for password on 12.04 Windows Azure

Bug #1224684 reported by Scott Moser on 2013-09-12
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
cloud-init (Ubuntu)
Critical
Scott Moser
Precise
Critical
Ben Howard

Bug Description

[IMPACT] On Windows Azure for 12.04, cloud-init fails to set right user name for the sudoer.d file unless the user sets a password. This means that SSH-key auth users are locked out of sudo access, effectively making the instance useless.

This is critical, as instances that are affected are completely useless for things requiring sudo access. There is no recovery and no work around.

This only affects new instances, not existing instances. However, it may affect rebundled instances.

[Test Case] Launch a new build with -proposed using SSH-only authentication. The defined user in the launch should be able to "sudo -i".

[Regression Potential] Regression potential is low, as this fixes a completely broken feature.

[Original Report]:
Launcing an instance like this:
azure vm create --vm-size=extrasmall --vm-name=smoser0912pr-hack2 "--location=East US" --<email address hidden> --no-ssh-password --ssh=22 b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-12_04_3-LTS-amd64-server-20130909-en-us-30GB smoser

results in being prompted for a password on sudo.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: cloud-init 0.6.3-0ubuntu1.6
ProcVersionSignature: Ubuntu 3.2.0-53.81-virtual 3.2.50
Uname: Linux 3.2.0-53-virtual x86_64
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: amd64
Date: Thu Sep 12 20:45:02 2013
MarkForUpload: True
PackageArchitecture: all
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)

Scott Moser (smoser) wrote :
Changed in cloud-init (Ubuntu):
status: New → Fix Released
importance: Undecided → Critical
Changed in cloud-init (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Critical
Scott Moser (smoser) wrote :

Here is what went wrong:
$ sudo cat /etc/sudoers.d/90-cloudimg-ubuntu
# ubuntu user is default user in cloud-images.
# It needs passwordless sudo functionality.
ubuntu ALL=(ALL) NOPASSWD:ALL

The user provisioned was 'smoser'. but 'ubuntu' was given passwordless sudo.

Ben Howard (darkmuggle) wrote :

Confirmed that the passwordless instances have no sudo.

Ben Howard (darkmuggle) wrote :

Will build a test image when this become availabe.

Ben Howard (darkmuggle) wrote :

Fixed confirmed with a test build against the PPA.

utlemming@utl-0913-ppa1:~$ sudo su
root@utl-0913-ppa1:/home/utlemming# dpkg -l cloud-init
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-================================-================================-================================================================================
ii cloud-init 0.6.3-0ubuntu1.7~ppa1 Init scripts for cloud instances
root@utl-0913-ppa1:/home/utlemming#

Ben Howard (darkmuggle) on 2013-09-13
summary: - cannot sudo, prompted for password
+ [SRU] cannot sudo, prompted for password on 12.04 Windows Azure
Ben Howard (darkmuggle) on 2013-09-13
Changed in cloud-init (Ubuntu Precise):
assignee: nobody → Ben Howard (utlemming)
Changed in cloud-init (Ubuntu):
assignee: nobody → Ben Howard (utlemming)
assignee: Ben Howard (utlemming) → Scott Moser (smoser)
description: updated

Hello Scott, or anyone else affected,

Accepted cloud-init into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cloud-init/0.6.3-0ubuntu1.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cloud-init (Ubuntu Precise):
status: Confirmed → Fix Committed
tags: added: verification-needed
Ben Howard (darkmuggle) wrote :

Throughly tested -proposed:
1. Launched with username ubuntu, SSH Auth only
2. Launched with username utlemming, SSH Auth only
3. Launched with username ubuntu, password auth only
4. Launched with username utlemming, password auth only
5. Launched with username utlemming, SSH Auth with password set
6. Launched with username ubuntu, SSH Auth with password set

Confirmed that sudo works as expected. Marking as confirmed.

tags: added: verification-done
removed: verification-needed
Colin Watson (cjwatson) wrote :

I'm waiving the usual aging period as this is a critical regression.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.6.3-0ubuntu1.7

---------------
cloud-init (0.6.3-0ubuntu1.7) precise-proposed; urgency=low

  * debian/patches/lp-1224684-azure-passwordless-sudo.patch:
    set up passwordless sudo for provisioned user on azure (LP: #1224684).
 -- Scott Moser <email address hidden> Fri, 13 Sep 2013 11:44:00 -0400

Changed in cloud-init (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Ben Howard (darkmuggle) wrote :

Started candidate build of 12.04.3 LTS Cloud Images. ETA is roughly 3hrs, plus another 2.5hrs for testing. Assuming things pass tests, I'll release a new image to Windows Azure only.

Ben Howard (darkmuggle) wrote :

Image with fix is confirmed and is now pending replication in Windows Azure. The fixed image is:
b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-12_04_3-LTS-amd64-server-20130916.1-en-us-30GB

Ben Howard (darkmuggle) wrote :

Affected images are:
Ubuntu_DAILY_BUILD-saucy-13_10-amd64-server-20130916-en-us-30GB
Ubuntu_DAILY_BUILD-precise-12_04_3-LTS-amd64-server-20130916.1-en-us-30GB
Ubuntu_DAILY_BUILD-precise-12_04_3-LTS-amd64-server-20130916-en-us-30GB
Ubuntu-12_04_3-LTS-amd64-server-20130916.1-en-us-30GB

Ben Howard (darkmuggle) wrote :

Scratch comment 15, wrong bug.

Ben Howard (darkmuggle) wrote :

New image, Ubuntu-12_04_3-LTS-amd64-server-20130916.1-en-us-30GB has been made public.

Ben Howard (darkmuggle) wrote :

Due to the severity of the sudo bug, image Ubuntu-12_04_3-LTS-amd64-server-20130909-en-us-30GB is has been removed from the gallary. The new image has the same kernel and very few package version differences.

Stephen A. Zarkos (stevez) wrote :

It looks like the image dated 20130827 also appears to have this issue. Should this one be removed as well?

Ben Howard (darkmuggle) wrote :

Stephan,

Can you post the full image name? The SRU that triggered this is wasn't released till after 20130827, which makes me wonder if this is a different issue.

Scott Moser (smoser) wrote :

azure vm create --vm-size=extrasmall --vm-name=smoser0930p "--location=East US" --<email address hidden> --no-ssh-password --ssh=22 smoser0930p b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-12_04_3-LTS-amd64-server-20130827-en-us-30GB smoser

I confirmed with that.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers