<div class="socmaildefaultfont" dir="ltr" style="font-family:Tahoma, Geneva, sans-serif;font-size:10pt" ><div dir="ltr" style="font-family:Tahoma, Geneva, sans-serif;font-size:10pt" ><div dir="ltr" ><div><span style="font-family:Arial,Helvetica,sans-serif;" >Hello,</span></div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >I have question regarding the running crm commands with the effective uid.</span></div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >I am trying to create a tool to manage pacemaker resources for multiple users. For security reasons, these users will only be able to create/delete/manage resources that can impact that specific user only. I cannot achieve this via ACLs because it is not possible to enforce every user to only create primitives with certain parameters, rules etc.</span></div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >Therefore, I created a user called cmadmin which has full write access to the cib. And created an executable which is owned by this user and has the setuid and setgid bits set.</span></div>
<div> </div>
<div><span style="font-family:Courier;" >-r-sr-s--x 1 </span><span style="font-family:Courier;" >cmadmin cmadmin </span><span style="font-family:Courier;" >24248 Dec 11 07:04 cmexc</span></div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >Within this executable I have the code:</span></div>
<div> </div>
<pre><code>#include &lt;stdio.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;unistd.h&gt;

int main(void)
{
    pid_t pid;
    /* argv for the child; argv[0] is the program name by convention */
    char *const parmList[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};

    if ((pid = fork()) == -1) {
        perror("fork error");
    } else if (pid == 0) {
        execv("/sbin/crm_mon", parmList);
        perror("execv error");   /* reached only if execv fails */
        _exit(127);              /* do not fall through into the parent's code */
    }
    return 0;
}</code></pre>
<div> </div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >If I run this with a user other than cmadmin, crm_mon fails. I tested with another executable to make sure effective user id is passed in correctly and it worked fine.</span></div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >Checking the trace, we fail here with eacces permission denied:</span></div>
<pre><code><span style="border:none windowtext 1.0pt;padding:0cm;" ><span style="color:#24292e;" ><span style="font-family:Courier;" ><span style="font-size:9.0pt;" >(crm_ipc_send) trace: Sending cib_ro IPC request 5 of 191 bytes using 120000ms timeout</span></span></span></span></code></pre>
<pre><code><span style="border:none windowtext 1.0pt;padding:0cm;" ><span style="color:#24292e;" ><span style="font-family:Courier;" ><span style="font-size:9.0pt;" >(internal_ipc_get_reply) trace: client cib_ro waiting on reply to msg id 5</span></span></span></span></code></pre>
<pre><code><span style="border:none windowtext 1.0pt;padding:0cm;" ><span style="color:#24292e;" ><span style="font-family:Courier;" ><span style="font-size:9.0pt;" >(crm_ipc_send) trace: Received 179-byte reply 5 to cib_ro IPC 5: <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c</span></span></span></span></code></pre>
<pre><code><span style="border:none windowtext 1.0pt;padding:0cm;" ><span style="color:#24292e;" ><span style="font-family:Courier;" ><span style="font-size:9.0pt;" >(cib_native_perform_op_delegate) trace: Reply <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c6cd" cib_callopt="4352" <strong>cib_rc="-13"</strong>/></span></span></span></span></code></pre>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >I tested with other pacemaker commands and got similar results. I’ve also tried adding users to haclient group (not to acls just to the group) with no success.</span></div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >Is it not possible to change effective uids and call crm executables?</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >If so why and is there way I can achieve what I need differently?</span></div>
<div> </div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >Thank you,</span></div>
<div><span style="font-family:Arial,Helvetica,sans-serif;" >Alex</span></div>
<div> </div>
<div> </div></div>
<div dir="ltr" ><div dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" ><strong><span style="font-size:12pt;" >Alex Zarifoglu</span></strong></div>
<div dir="ltr" >Software Developer <strong>|</strong> <strong>Db2</strong> pureScale</div></div></div></div></div></div></div><BR>