[ClusterLabs] Antw: Re: Question on permissions for pcsd ghost files

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Tue Apr 23 07:26:43 EDT 2019


>>> Tomas Jelinek <tojeline at redhat.com> wrote on 23.04.2019 at 12:36 in message
<f68313c6-9c5a-4835-44e8-274d71ab56ac at redhat.com>:
> The files are listed as ghost files in order to let rpm know they belong 
> to pcs but are not distributed in rpm packages. Those files are created 
> by pcsd in runtime. I guess the 000 permissions come from the fact those 
> files are not present in rpm packages.

My guess is it's just bad packing: I have an RPM myself that introduces a %ghost,
and it has permissions:
%ghost %config(missingok) %verify(not md5 mtime size) %attr(0644,root,root) /etc/%{name}.conf

Regards,
Ulrich

> 
> The real permissions you have look OK to me as long as /var/lib/pcsd has 
> 700. Files pcsd.cookiesecret, pcsd.crt and pcsd.key should not be 
> executable but it does not matter that much. We fixed it in pcs-0.9.165. 
> The fix doesn't change permissions of existing files, though.
> 
> 
> Regards,
> Tomas
> 
> 
> On 19. 04. 19 at 21:20 Hayden,Robert wrote:
>> Working through an audit and need to determine what the expected 
>> permissions are for the following files.
>> 
>> [root@techval13]# rpm -V pcs
>> .M.......  c /var/lib/pcsd/pcs_settings.conf
>> .M.......  c /var/lib/pcsd/pcs_users.conf
>> .M.......  c /var/lib/pcsd/pcsd.cookiesecret
>> .M.......  c /var/lib/pcsd/pcsd.crt
>> .M.......  c /var/lib/pcsd/pcsd.key
>> .M.......  c /var/lib/pcsd/tokens
>> 
>> Looking at the RPM spec, these appear to be ghost files with permissions 
>> set to 000 in the spec.
>> 
>> [root@techval13]# rpm -q --dump pcs | grep /var/lib/pcsd/pcs_settings.conf
>> /var/lib/pcsd/pcs_settings.conf 0 1541089158 0000000000000000000000000000000000000000000000000000000000000000 0100000 root root 1 0 0 X
>> 
>> Currently, the permissions after a normal installation are listed in the 
>> “first” column from my custom report output.  The second column is the 
>> “expected” permissions from the RPM spec.
>> 
>>    644 | 000 | /var/lib/pcsd/pcs_settings.conf | pcs-0.9.165-6.0.1.el7.x86_64
>>    644 | 000 | /var/lib/pcsd/pcs_users.conf | pcs-0.9.165-6.0.1.el7.x86_64
>>    700 | 000 | /var/lib/pcsd/pcsd.cookiesecret | pcs-0.9.165-6.0.1.el7.x86_64
>>    700 | 000 | /var/lib/pcsd/pcsd.crt | pcs-0.9.165-6.0.1.el7.x86_64
>>    700 | 000 | /var/lib/pcsd/pcsd.key | pcs-0.9.165-6.0.1.el7.x86_64
>>    600 | 000 | /var/lib/pcsd/tokens | pcs-0.9.165-6.0.1.el7.x86_64
>> 
>> Any help or guidance would be greatly appreciated.
>> 
>> 
>> Thanks
>> 
>> Robert
>> 
>> _______________________________________________
>> Manage your subscription:
>> https://lists.clusterlabs.org/mailman/listinfo/users 
>> 
>> ClusterLabs home: https://www.clusterlabs.org/ 
>> 

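An added example, not part of any message in this thread and not pcs or rpm code: one way an audit script can avoid reporting the %ghost entries above as deviations. It assumes that a regular file recorded with mode 000 in `rpm -q --dump` is a %ghost packaged without %attr, and applies an assumed site rule (no execute bits) in place of the recorded mode. The dump lines and on-disk modes are constructed from the values quoted in the thread.

```python
import stat

# Constructed `rpm -q --dump pcs` lines modelled on the one quoted in the thread.
ZERO_DIGEST = "0" * 64
NAMES = ("pcs_settings.conf", "pcs_users.conf", "pcsd.cookiesecret",
         "pcsd.crt", "pcsd.key", "tokens")
DUMP = "\n".join(
    f"/var/lib/pcsd/{n} 0 1541089158 {ZERO_DIGEST} 0100000 root root 1 0 0 X"
    for n in NAMES)

# On-disk modes taken from the "first" column of the report in the thread.
ON_DISK = dict(zip((f"/var/lib/pcsd/{n}" for n in NAMES),
                   (0o644, 0o644, 0o700, 0o700, 0o700, 0o600)))


def parse_dump(text):
    """Yield (path, recorded_mode) from `rpm -q --dump` output.

    Fields per line: path size mtime digest mode owner group
    isconfig isdoc rdev symlink. The mode is octal and includes the
    file-type bits (0100000 is a regular file with permissions 000).
    """
    for line in text.splitlines():
        fields = line.rsplit(None, 10)  # split from the right: path may contain spaces
        if len(fields) == 11:
            yield fields[0], int(fields[4], 8)


def audit(dump_text, on_disk):
    """Return {path: verdict} comparing on-disk modes with the package data."""
    findings = {}
    for path, recorded in parse_dump(dump_text):
        actual = on_disk[path]
        expected = stat.S_IMODE(recorded)
        if stat.S_ISREG(recorded) and expected == 0:
            # Assumption: a %ghost without %attr carries no usable expectation,
            # so apply the site rule (hypothetical policy: no execute bits).
            findings[path] = "exec-bit-set" if actual & 0o111 else "ok"
        else:
            findings[path] = "ok" if actual == expected else "mode-differs"
    return findings


if __name__ == "__main__":
    for path, verdict in audit(DUMP, ON_DISK).items():
        print(f"{ON_DISK[path]:03o} {verdict:13} {path}")
```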