Is there a way to control this behavior (force matching real and effective user IDs), at least for the lrmd? We've encountered an issue with some perl script HA resources. It seems that when a process that does not have matching real and effective user IDs starts a perl script, perl automatically enables data "tainting", with a similar security purpose in mind. The data that first goes into our scripts which comes in tainted when run from under HA control goes through a global pattern match, triggering a known bug in perl. According to the perl docs it can cause an infinite loop, memory leaks, etc. We have a work-around we're implementing in our scripts, but I wanted to explore the possibility of altering the behavior coming out of heartbeat.
Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dejan Muhamedagic
Sent: Wednesday, September 10, 2008 12:24 PM
To: General Linux-HA mailing list
Subject: Re: [Linux-HA] Real vs Effective userids for heartbeat processes

On Wed, Sep 10, 2008 at 10:39:43AM -0400, Knight, Doug wrote:
> All,
>
> Why do certain heartbeat processes run with a real user ID of root, but
> an effective user ID of nobody?

It was introduced before I got here, but I'm sure that it was for security reasons. The less code runs as root, the less potential vulnerabilities.

Thanks,

Dejan

> The specific processes on our system
> that run this way are FIFO reader, write: bcast eth1, read:bcast eth1,
> write: ucast eth1, read: ucast eth1 lrmd, and stonithd. The other
> processes run either as root:root (master control process and mgmtd) or
> as 24:24 (ccm, cib, attrd, and crmd).
>
> Thanks,
>
> Doug Knight
>
> WSI Corp
>
> _______________________________________________
> Linux-HA mailing list
> [email protected]
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
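An added example, not part of the thread or of heartbeat's code: Perl switches on taint mode when a process's real and effective user or group IDs differ, and a child started by such a process inherits those IDs, so this Python script reads the `Uid:` and `Gid:` lines of `/proc/<pid>/status` to list the processes in that state. The sample status text, the PIDs and the numeric ID 65534 for `nobody` are constructed assumptions.

```python
import os

# Constructed /proc/<pid>/status excerpts (fields: real, effective, saved, fs).
SAMPLE_STATUS = {
    "lrmd": "Name:\tlrmd\nPid:\t4321\nUid:\t0\t65534\t0\t65534\nGid:\t0\t65534\t0\t65534\n",
    "crmd": "Name:\tcrmd\nPid:\t4330\nUid:\t24\t24\t24\t24\nGid:\t24\t24\t24\t24\n",
    "mgmtd": "Name:\tmgmtd\nPid:\t4340\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
}

def parse_ids(status_text):
    """Extract the process name and the four-field Uid/Gid tuples."""
    info = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Name":
            info["name"] = value.strip()
        elif key in ("Uid", "Gid"):
            fields = value.split()
            if len(fields) != 4:
                raise ValueError("unexpected %s line: %r" % (key, line))
            info[key.lower()] = tuple(int(f) for f in fields)
    if "uid" not in info or "gid" not in info:
        raise ValueError("status text has no Uid/Gid lines")
    return info

def ids_mismatch(info):
    """True when real != effective for the UID or the GID (Perl's taint trigger)."""
    ruid, euid = info["uid"][:2]
    rgid, egid = info["gid"][:2]
    return ruid != euid or rgid != egid

def scan_proc(proc_root="/proc"):
    """Live scan: return (pid, name, (ruid, euid), (rgid, egid)) for mismatches."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                info = parse_ids(fh.read())
        except (OSError, ValueError):
            continue  # process exited mid-scan or status was unreadable
        if ids_mismatch(info):
            hits.append((int(entry), info.get("name", "?"), info["uid"][:2], info["gid"][:2]))
    return hits

if __name__ == "__main__":
    for name, text in SAMPLE_STATUS.items():
        print(name, "mismatch" if ids_mismatch(parse_ids(text)) else "match")
    if os.path.isdir("/proc"):
        for hit in scan_proc():
            print("live:", hit)
```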
