[ClusterLabs] Calling crm executables via effective uid

Strahil Nikolov hunter86_bg at yahoo.com
Sat Dec 12 10:03:08 EST 2020


Have you thought about Hawk?

Best Regards,
Strahil Nikolov

On Friday, 11 December 2020, 23:20:49 GMT+2, Alex Zarifoglu <alex.zarifoglu at ibm.com> wrote:

Hello,

I have a question regarding running crm commands with the effective uid.

I am trying to create a tool to manage pacemaker resources for multiple users. For security reasons, these users will only be able to create/delete/manage resources that can impact that specific user only. I cannot achieve this via ACLs because it is not possible to enforce that every user only creates primitives with certain parameters, rules etc.

Therefore, I created a user called cmadmin which has full write access to the cib, and created an executable which is owned by this user and has the setuid and setgid bits set.

-r-sr-s--x   1 cmadmin cmadmin 24248 Dec 11 07:04 cmexc

Within this executable I have the code:


     #include <stdio.h>
     #include <stdlib.h>
     #include <unistd.h>
     #include <sys/types.h>
     #include <sys/wait.h>

     int main(void)
     {
         pid_t pid;
         /* "-1": print the cluster status once and exit; "-VVV": trace-level logging */
         char *const parmList[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};

         if ((pid = fork()) == -1)
             perror("fork error");
         else if (pid == 0) {
             /* child: keeps the parent's (setuid/setgid) effective ids across exec */
             execv("/sbin/crm_mon", parmList);
             perror("execv error");   /* only reached if execv() fails */
             _exit(127);
         } else
             waitpid(pid, NULL, 0);   /* parent: wait for crm_mon to finish */

         return 0;
     }


If I run this with a user other than cmadmin, crm_mon fails. I tested with another executable to make sure the effective user id is passed in correctly, and it worked fine.

Checking the trace, we fail here with EACCES (permission denied):

(crm_ipc_send)   trace: Sending cib_ro IPC request 5 of 191 bytes using 120000ms timeout
(internal_ipc_get_reply)  trace: client cib_ro waiting on reply to msg id 5
(crm_ipc_send)   trace: Received 179-byte reply 5 to cib_ro IPC 5: <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c
(cib_native_perform_op_delegate)  trace: Reply   <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c6cd" cib_callopt="4352" cib_rc="-13"/>

I tested with other pacemaker commands and got similar results. I've also tried adding users to the haclient group (not to ACLs, just to the group) with no success.

Is it not possible to change effective uids and call crm executables?

If so, why, and is there a way I can achieve what I need differently?

Thank you,

Alex

Alex Zarifoglu

Software Developer | Db2 pureScale
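An added example, not part of the original post and not Pacemaker's own code, written to illustrate two things a setuid wrapper like cmexc has to take care of before calling exec: the setuid/setgid bits change only the effective ids (the real and saved ids and the supplementary group list stay those of the invoking user, so a program that consults getuid(), getgid() or getgroups() still sees the caller), and the caller's environment must not be passed through to a privileged target. The thread does not establish which of these, if any, is behind the cib_rc="-13" above, so read the code as a hardening of the wrapper rather than a diagnosis. The target path, the fixed PATH value and the argument list are assumptions for illustration.

```c
/* Added example (not from the original post or from Pacemaker): a setuid
 * wrapper that aligns the real ids with the effective ones and scrubs the
 * environment before exec'ing the target. Paths and arguments are assumed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Environment handed to the target. A setuid program must not trust the
 * caller's environment (PATH, LD_*, locale, ...); pass a fixed one instead.
 * The PATH value is an assumption for the example. */
static char *const clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/* The setuid/setgid bits only change the *effective* ids. Make the real
 * (and saved) ids equal to them, so a target that looks at getuid()/getgid()
 * sees the binary's owner rather than the invoking user.
 * Caveat: the supplementary group list is still the caller's. A setuid
 * binary whose owner is not root cannot change it (setgroups() needs
 * CAP_SETGID), so group checks made against that list do not benefit.
 * Returns 0 on success, -1 with errno set on failure. */
int match_real_to_effective(void)
{
    gid_t egid = getegid();
    uid_t euid = geteuid();

    /* gid first: once the uid has been changed to a non-root value the
     * process may no longer be permitted to change its gid. */
    if (setregid(egid, egid) == -1)
        return -1;
    if (setreuid(euid, euid) == -1)
        return -1;
    /* Verify the kernel actually applied the change. */
    if (getuid() != euid || getgid() != egid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* fork(), fix up ids and environment in the child, execve() the target and
 * wait for it. Returns the child's exit status (0-255); 126 if the id
 * fix-up failed; 127 if the exec failed; -1 if fork()/waitpid() failed or
 * the child was killed by a signal. */
int run_as_owner(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid == -1) {
        perror("fork");
        return -1;
    }
    if (pid == 0) {
        if (match_real_to_effective() == -1) {
            perror("match_real_to_effective");
            _exit(126);
        }
        execve(path, argv, clean_env);   /* absolute path: no PATH lookup */
        perror("execve");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1) {
        perror("waitpid");
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same invocation as the post: "-1" = run once, "-VVV" = trace logging. */
    char *const crm_argv[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};
    int rc = run_as_owner(crm_argv[0], crm_argv);

    printf("crm_mon exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

When the wrapper is not installed setuid (real and effective ids already equal) the id fix-up is a no-op and succeeds for an unprivileged user, which is what makes the code testable outside the cluster; installed as cmexc it would make getuid() report cmadmin in the child as well.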

