So I dug a little bit more and here is what I found:

lib/clplumbing/uids.c file has the following code:

#if defined(HAVE_SETEUID) && defined(HAVE_SETEGID) &&   \
                 defined(_POSIX_SAVED_IDS)
#       define  CAN_DROP_PRIVS  1

#endif


#ifndef CAN_DROP_PRIVS
        int drop_privs(uid_t uid, gid_t gid)    {       return 0;       }
        int return_to_orig_privs(void)          {       return 0;       }
        int return_to_dropped_privs(void)       {       return 0;       }
        int cl_have_full_privs(void)            {       return 0;       }
#else

In the old Heartbeat packaging HAVE_SETEUID and HAVE_SETEGID were
defined in include/config.h. In the new packaging that file does not
exist. So drop_privs defaults into "return 0;" and those daemons never
switch to "nobody" user. Any ideas on this change?

Sources for new Heartbeat were taken from here:
http://download.opensuse.org/repositories/server:/ha-clustering/Fedora_6/src/

On Wed, Jun 18, 2008 at 1:01 PM, Serge Dubrouski <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 18, 2008 at 12:55 PM, Andrew Beekhof <[EMAIL PROTECTED]> wrote:
>> On Wed, Jun 18, 2008 at 18:51, Serge Dubrouski <[EMAIL PROTECTED]> wrote:
>>> On Wed, Jun 18, 2008 at 10:45 AM, Dejan Muhamedagic <[EMAIL PROTECTED]> wrote:
>>>> Hi,
>>>>
>>>> On Wed, Jun 18, 2008 at 09:09:15AM -0600, Serge Dubrouski wrote:
>>>>> There was this question already but I don't recall what was the
>>>>> answer. Heartbeat used to run lrmd, stonithd and some other heartbeat
>>>>> daemons as nobody user. Pacemaker runs them as root.
>>
>> Actually Pacemaker doesn't ever run them as root.
>> I can say this quite confidently since these daemons are spawned by
>> Heartbeat not Pacemaker :-)
>
> I know that. The reason why I said Pacemaker is just it started to
> happen after switching from old packaging to the new one.
>
>>
>> Whatever the change causing the behavior you're seeing, it's not in the
>> Pacemaker code.
>
> Then something has changed in the way how heartbeat/heartbeat-common
> packages get installed on the system. It looks like Alan doesn't
> support those packages anymore so I ask here.
>
>> _______________________________________________
>> Linux-HA mailing list
>> [email protected]
>> http://lists.linux-ha.org/mailman/listinfo/linux-ha
>> See also: http://linux-ha.org/ReportingProblems
>>
>
>
>
> --
> Serge Dubrouski.
>



-- 
Serge Dubrouski.
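
Added example, not part of the original message and not Heartbeat code: the fallback stub quoted above returns 0 without changing anything, so a caller that only checks the return value cannot tell that the drop never happened. This C program checks the effective IDs after the call instead; stub_drop_privs, real_drop_privs and checked_drop are hypothetical names, and the target IDs are constructed from the current process.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*drop_fn)(uid_t, gid_t);

/* Same shape as the fallback stub quoted above: reports success, changes nothing. */
static int stub_drop_privs(uid_t uid, gid_t gid)
{
    (void)uid; (void)gid;
    return 0;
}

/* Hypothetical working variant: change the group first, while that is still permitted. */
static int real_drop_privs(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0)
        return -1;
    return 0;
}

/* Call a drop routine, then verify the effective IDs rather than trusting its return value. */
static int checked_drop(drop_fn drop, uid_t uid, gid_t gid)
{
    if (drop(uid, gid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid) {
        fprintf(stderr, "privilege drop had no effect: euid=%ld egid=%ld\n",
                (long)geteuid(), (long)getegid());
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t other = geteuid() + 1;   /* constructed target that differs from the current euid */
    printf("stub, different uid: %d\n", checked_drop(stub_drop_privs, other, getegid()));
    printf("real, current ids:   %d\n", checked_drop(real_drop_privs, geteuid(), getegid()));
    return 0;
}
```

A daemon that must not keep running as root would treat a -1 from checked_drop as fatal at startup.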