Re: [Linux-HA] Pacemaker runs daemons as root

Andrew Beekhof Fri, 20 Jun 2008 04:04:37 -0700

On Fri, Jun 20, 2008 at 13:00, Dejan Muhamedagic <[EMAIL PROTECTED]> wrote:
> On Thu, Jun 19, 2008 at 12:11:15PM -0600, Serge Dubrouski wrote:
>> On Thu, Jun 19, 2008 at 3:27 AM, Dejan Muhamedagic <[EMAIL PROTECTED]> wrote:
>> > On Wed, Jun 18, 2008 at 02:48:15PM -0600, Serge Dubrouski wrote:
>> >> So I digged little bit more and here is what I found:
>> >>
>> >> lib/clpluming/uids.c file has the following code:
>> >>
>> >> #if defined(HAVE_SETEUID) && defined(HAVE_SETEGID) &&   \
>> >>                  defined(_POSIX_SAVED_IDS)
>> >> #       define  CAN_DROP_PRIVS  1
>> >>
>> >> #endif
>> >>
>> >>
>> >> #ifndef CAN_DROP_PRIVS
>> >>         int drop_privs(uid_t uid, gid_t gid)    {       return 0;       }
>> >>         int return_to_orig_privs(void)          {       return 0;       }
>> >>         int return_to_dropped_privs(void)       {       return 0;       }
>> >>         int cl_have_full_privs(void)            {       return 0;       }
>> >> #else
>> >>
>> >> In the old Heartebeat packaging HAVE_SETEUID and HAVE_SETEGID where
>> >> defined in include/config.h. In the new packaging that file does not
>> >> exist.
>> >
>> > Hmm, I don't think that that file is packaged. It's just created
>> > during the configuration phase by configure for the build stage.
>> >
>> >> So drop_privs defaults into "return 0;" and those daemons never
>> >> switch to "nobody" user. Any ideas on this change?
>> >
>> > That should depend on the configuration phase on the build host.
>>
>> I'm lost with this problem. It looks like build process finds seteuid
>> and setegid all right and compiles libraries correctly, Then I
>> modified lrmd.c like this:
>>
>>         drop_privs(0, 0); /* become "nobody" */
>>         lrmd_log(LOG_INFO, "Privs: %d.", (int) geteuid());
>>         lrmd_log(LOG_INFO, "Privs: %d.", (int) geteuid());
>>
>> Just added those 2 log lines. And this is what I've got in the log:
>>
>> Jun 19 11:47:12 bykov lrmd: [841]: INFO: Privs: 99.
>> Jun 19 11:47:12 bykov lrmd: [841]: INFO: Privs: 0.
>
> Very confusing indeed :) Took me also a while to figure out
> what's up. That's the bug which was found and squashed in April.
> See:
>
> changeset:   11928:fce950f0fcc8
> user:        Dejan Muhamedagic <[EMAIL PROTECTED]>
> date:        Tue Apr 22 18:30:02 2008 +0200
> summary:     High: cl_log (LF 1871): don't raise privileges needlessly
>
> This was post-2.1.3.


This will be included in the next refresh of the heartbeat packages
(on the opensuse build service) in August (or earlier if heartbeat
does an official release).
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

Re: [Linux-HA] Pacemaker runs daemons as root

Reply via email to