Re: [Linux-HA] Pacemaker runs daemons as root

Thu, 19 Jun 2008 12:07:30 -0700 

On Thu, Jun 19, 2008 at 3:27 AM, Dejan Muhamedagic <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 18, 2008 at 02:48:15PM -0600, Serge Dubrouski wrote:
>> So I digged little bit more and here is what I found:
>>
>> lib/clpluming/uids.c file has the following code:
>>
>> #if defined(HAVE_SETEUID) && defined(HAVE_SETEGID) &&   \
>>                  defined(_POSIX_SAVED_IDS)
>> #       define  CAN_DROP_PRIVS  1
>>
>> #endif
>>
>>
>> #ifndef CAN_DROP_PRIVS
>>         int drop_privs(uid_t uid, gid_t gid)    {       return 0;       }
>>         int return_to_orig_privs(void)          {       return 0;       }
>>         int return_to_dropped_privs(void)       {       return 0;       }
>>         int cl_have_full_privs(void)            {       return 0;       }
>> #else
>>
>> In the old Heartebeat packaging HAVE_SETEUID and HAVE_SETEGID where
>> defined in include/config.h. In the new packaging that file does not
>> exist.
>
> Hmm, I don't think that that file is packaged. It's just created
> during the configuration phase by configure for the build stage.
>
>> So drop_privs defaults into "return 0;" and those daemons never
>> switch to "nobody" user. Any ideas on this change?
>
> That should depend on the configuration phase on the build host.

I'm lost with this problem. It looks like build process finds seteuid
and setegid all right and compiles libraries correctly, Then I
modified lrmd.c like this:

        drop_privs(0, 0); /* become "nobody" */
        lrmd_log(LOG_INFO, "Privs: %d.", (int) geteuid());
        lrmd_log(LOG_INFO, "Privs: %d.", (int) geteuid());

Just added those 2 log lines. And this is what I've got in the log:

Jun 19 11:47:12 bykov lrmd: [841]: INFO: Privs: 99.
Jun 19 11:47:12 bykov lrmd: [841]: INFO: Privs: 0.
Jun 19 11:47:12 bykov lrmd: [841]: info: G_main_add_SignalHandler:
Added signal handler for signal 10
Jun 19 11:47:12 bykov lrmd: [841]: info: G_main_add_SignalHandler:
Added signal handler for signal 12
Jun 19 11:47:12 bykov lrmd: [841]: info: Started.

99 is uid for nobody so it does switch to it. But then that switch is
lost. I see this behavior on Fedora Core 6 (XenU 2.6.18), CentOS 4
(Xen0 2.6.18) and CentOS5 (Kernel 2.6.18-53.1.21.el5) and can't find
any explanation for it.


-- 
Serge Dubrouski.
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

Reply via email to