Seems that the SCM_CREDENTIALS ancillary message passes the real UID rather than the effective UID in the ucred struct. It looks like that's where we get a value for ugp.uid.

I wonder if there's any way to work around this and whether it's intended behavior. Based on variable naming (c->euid), libqb seems to expect an effective UID. For example:

https://github.com/ClusterLabs/libqb/blob/master/lib/ipc_setup.c#L497
https://github.com/ClusterLabs/libqb/blob/master/lib/ipc_setup.c#L652

I'm way out of my depth here :) Just seemed fun to dig into.

On Thu, Jan 7, 2021 at 7:08 PM Reid Wahl <[email protected]> wrote:

> On Thu, Jan 7, 2021 at 6:16 PM Reid Wahl <[email protected]> wrote:
>
>> For whatever reason, the IPC from the crm_mon client to the CIB
>> manager is getting opened with the real UID ("testuser" in my case)
>> instead of the effective UID. The CIB manager checks this unprivileged
>> user against the ACL list and pre-filters the entire CIB, causing a
>> "Permission denied" error.
>>
>> What I haven't figured out yet (if I even keep going down this rabbit
>> hole) is why the IPC is attached to the real UID even though the
>> executable is owned by cmadmin with the setuid bit enabled.
>>
>
> Seems to be getting set within libqb, and I'm not sure whether it's
> intentional that
>
> It doesn't seem to be possible to debug cmadmin's SUID process when
> running it as testuser. I'm not particularly familiar with libqb and am not
> sure how to debug further without building libqb from source and adding
> tracing, which is a whole other can of worms.
>
>
>> On Mon, Dec 14, 2020 at 4:41 AM Klaus Wenninger <[email protected]> wrote:
>> >
>> > On 12/11/20 10:20 PM, Alex Zarifoglu wrote:
>> > > Hello,
>> > >
>> > > I have a question regarding running crm commands with the effective uid.
>> > >
>> > > I am trying to create a tool to manage pacemaker resources for
>> > > multiple users. For security reasons, these users will only be able to
>> > > create/delete/manage resources that can impact that specific user
>> > > only. I cannot achieve this via ACLs because it is not possible to
>> > > enforce every user to only create primitives with certain parameters,
>> > > rules etc.
>> > >
>> > > Therefore, I created a user called cmadmin which has full write access
>> > > to the cib. And created an executable which is owned by this user and
>> > > has the setuid and setgid bits set.
>> > >
>> > > -r-sr-s--x 1 cmadmin cmadmin 24248 Dec 11 07:04 cmexc
>> > >
>> > > Within this executable I have the code:
>> > >
>> > > pid_t pid;
>> > > char *const parmList[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};
>> > >
>> > > if ((pid = fork()) == -1)
>> > >     perror("fork error");
>> > > else if (pid == 0) {
>> > >     execv("/sbin/crm_mon", parmList);
>> > >     printf("execv error");
>> > > }
>> > >
>> > >
>> > > If I run this with a user other than cmadmin, crm_mon fails. I tested
>> > > with another executable to make sure effective user id is passed in
>> > > correctly and it worked fine.
>> > >
>> > > Checking the trace, we fail here with eacces permission denied:
>> > > |(crm_ipc_send) trace: Sending cib_ro IPC request 5 of 191 bytes
>> > > using 120000ms timeout|
>> > > |(internal_ipc_get_reply) trace: client cib_ro waiting on reply to msg
>> > > id 5|
>> > > |(crm_ipc_send) trace: Received 179-byte reply 5 to cib_ro IPC 5:
>> > > <cib-reply t="cib" cib_op="cib_query" cib_callid="2"
>> > > cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c|
>> > > |(cib_native_perform_op_delegate) trace: Reply <cib-reply t="cib"
>> > > cib_op="cib_query" cib_callid="2"
>> > > cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c6cd" cib_callopt="4352"
>> > > *cib_rc="-13"*/>|
>> > >
>> > > I tested with other pacemaker commands and got similar results. I've
>> > > also tried adding users to haclient group (not to acls just to the
>> > > group) with no success.
>> > >
>> > > Is it not possible to change effective uids and call crm executables?
>> > > If so why and is there a way I can achieve what I need differently?
>> > Are you running with selinux enforcing?
>> > Not saying you shouldn't - just to narrow down ...
>> >
>> > Klaus
>> > >
>> > > Thank you,
>> > > Alex
>> > >
>> > >
>> > > *Alex Zarifoglu*
>> > > Software Developer *|* *Db2* pureScale
>> > >
>>
>>
>> --
>> Regards,
>>
>> Reid Wahl, RHCA
>> Senior Software Maintenance Engineer, Red Hat
>> CEE - Platform Support Delivery - ClusterHA
>>
>
>
> --
> Regards,
>
> Reid Wahl, RHCA
> Senior Software Maintenance Engineer, Red Hat
> CEE - Platform Support Delivery - ClusterHA
>

--
Regards,

Reid Wahl, RHCA
Senior Software Maintenance Engineer, Red Hat
CEE - Platform Support Delivery - ClusterHA
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
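
The SCM_CREDENTIALS behaviour discussed in this thread can be checked with a small C function, added here as an illustration (it is not code from the thread, from libqb or from Pacemaker). On Linux, a receiver with SO_PASSCRED set gets the sender's real UID when the sender attaches no credentials itself, while a sender may explicitly attach its effective UID; the names `scm_observed_uid`, `peer_cred` and `ctl_t` are made up for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc: make sure SO_PASSCRED is exposed */
#endif
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02   /* Linux value; hidden if _GNU_SOURCE came late */
#endif
/* Same layout as struct ucred; local so the build needs no GNU-only type. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };
typedef union { char buf[CMSG_SPACE(sizeof(struct peer_cred))]; struct cmsghdr h; } ctl_t;

/* Sends one byte over a socketpair; *seen_uid gets the UID the receiver reads
 * from SCM_CREDENTIALS. Returns 0 on success. explicit_euid == 0: the kernel
 * fills the credentials; != 0: the sender attaches its effective UID/GID. */
int scm_observed_uid(int explicit_euid, uid_t *seen_uid)
{
    int sv[2], on = 1, rc = -1;
    char out = 'x', in;
    ctl_t sctl, rctl;
    struct peer_cred mine = { getpid(), geteuid(), getegid() }, seen;
    struct iovec siov = { &out, 1 }, riov = { &in, 1 };
    struct msghdr smsg = { 0 }, rmsg = { 0 };
    struct cmsghdr *c;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) == -1) goto done;
    smsg.msg_iov = &siov; smsg.msg_iovlen = 1;
    if (explicit_euid) {
        memset(&sctl, 0, sizeof(sctl));
        smsg.msg_control = sctl.buf; smsg.msg_controllen = sizeof(sctl.buf);
        c = CMSG_FIRSTHDR(&smsg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_CREDENTIALS;
        c->cmsg_len = CMSG_LEN(sizeof(mine));
        memcpy(CMSG_DATA(c), &mine, sizeof(mine));
    }
    if (sendmsg(sv[0], &smsg, 0) != 1) goto done;
    rmsg.msg_iov = &riov; rmsg.msg_iovlen = 1;
    rmsg.msg_control = rctl.buf; rmsg.msg_controllen = sizeof(rctl.buf);
    if (recvmsg(sv[1], &rmsg, 0) != 1) goto done;
    c = CMSG_FIRSTHDR(&rmsg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_CREDENTIALS) goto done;
    memcpy(&seen, CMSG_DATA(c), sizeof(seen));
    *seen_uid = seen.uid;
    rc = 0;
done:
    close(sv[0]); close(sv[1]);
    return rc;
}
```

Called from a binary installed setuid like the `cmexc` wrapper in the thread and run by a different user, mode 0 reports the invoking user's UID and mode 1 reports the file owner's UID.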
