On Thu, Jun 19, 2008 at 12:11:15PM -0600, Serge Dubrouski wrote:
> On Thu, Jun 19, 2008 at 3:27 AM, Dejan Muhamedagic <[EMAIL PROTECTED]> wrote:
> > On Wed, Jun 18, 2008 at 02:48:15PM -0600, Serge Dubrouski wrote:
> >> So I digged little bit more and here is what I found:
> >>
> >> lib/clpluming/uids.c file has the following code:
> >>
> >> #if defined(HAVE_SETEUID) && defined(HAVE_SETEGID) && \
> >> defined(_POSIX_SAVED_IDS)
> >> # define CAN_DROP_PRIVS 1
> >>
> >> #endif
> >>
> >>
> >> #ifndef CAN_DROP_PRIVS
> >> int drop_privs(uid_t uid, gid_t gid) { return 0; }
> >> int return_to_orig_privs(void) { return 0; }
> >> int return_to_dropped_privs(void) { return 0; }
> >> int cl_have_full_privs(void) { return 0; }
> >> #else
> >>
> >> In the old Heartebeat packaging HAVE_SETEUID and HAVE_SETEGID where
> >> defined in include/config.h. In the new packaging that file does not
> >> exist.
> >
> > Hmm, I don't think that that file is packaged. It's just created
> > during the configuration phase by configure for the build stage.
> >
> >> So drop_privs defaults into "return 0;" and those daemons never
> >> switch to "nobody" user. Any ideas on this change?
> >
> > That should depend on the configuration phase on the build host.
>
> I'm lost with this problem. It looks like build process finds seteuid
> and setegid all right and compiles libraries correctly, Then I
> modified lrmd.c like this:
>
> drop_privs(0, 0); /* become "nobody" */
> lrmd_log(LOG_INFO, "Privs: %d.", (int) geteuid());
> lrmd_log(LOG_INFO, "Privs: %d.", (int) geteuid());
>
> Just added those 2 log lines. And this is what I've got in the log:
>
> Jun 19 11:47:12 bykov lrmd: [841]: INFO: Privs: 99.
> Jun 19 11:47:12 bykov lrmd: [841]: INFO: Privs: 0.
Very confusing indeed :) Took me also a while to figure out
what's up. That's the bug which was found and squashed in April.
See:
changeset: 11928:fce950f0fcc8
user: Dejan Muhamedagic <[EMAIL PROTECTED]>
date: Tue Apr 22 18:30:02 2008 +0200
summary: High: cl_log (LF 1871): don't raise privileges needlessly
This was post-2.1.3.
Thanks,
Dejan
> Jun 19 11:47:12 bykov lrmd: [841]: info: G_main_add_SignalHandler:
> Added signal handler for signal 10
> Jun 19 11:47:12 bykov lrmd: [841]: info: G_main_add_SignalHandler:
> Added signal handler for signal 12
> Jun 19 11:47:12 bykov lrmd: [841]: info: Started.
>
> 99 is uid for nobody so it does switch to it. But then that switch is
> lost. I see this behavior on Fedora Core 6 (XenU 2.6.18), CentOS 4
> (Xen0 2.6.18) and CentOS5 (Kernel 2.6.18-53.1.21.el5) and can't find
> any explanation for it.
>
>
> --
> Serge Dubrouski.
> _______________________________________________
> Linux-HA mailing list
> [email protected]
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
