execute[update-pam] resource fails on Ubuntu 14.04 on Azure about chef-os-hardening HOT 6 CLOSED

@sean-nixon thanks for raising this issue. Are you able to reproduce this issue?

from chef-os-hardening.

@artem-sidorenko I am. I just created a new Ubuntu 14.04 node in Azure and am seeing the same error. If I run chef-client directly, it works fine, however. I believe it's an environment issue with the Azure Chef extension. It's creating a crontab entry and not setting the path to include /usr/sbin. Any possibility of updating the recipe to use an absolute path?

from chef-os-hardening.

@sean-nixon I saw already similar issues in some other areas with cloud images :(

Before we discuss the option to add the full path within this cookbook, is there any option to inform the developers of Azure Chef extension about that issue? It should fail with lots of other cookbooks too, so I would like to see this issue ideally be fixed properly in the area, where it's also located...

from chef-os-hardening.

I've raised an issue with them. so we can see what they say.

Would it not be more secure, though, to invoke the command using the full path and not rely on it being in the path? I'm not sure if there's complexity regarding different paths on different distros/versions.

from chef-os-hardening.

@sean-nixon it should be fine as pam-auth-update gets executed only on debian family, so it's unlikely to get a mismatch on different distributions.

I had a look to the issue: the /usr/Sbin is probably the reason why it's not in the default PATH. Not sure how this gets handled.

I think it's not a problem to add /usr/sbin here for pam-auth-update. @chris-rock any other view?

from chef-os-hardening.

I took the liberty to submit a pull request with the suggested fix pending Chris's feedback.

from chef-os-hardening.