[ClusterLabs] Calling crm executables via effective uid

Klaus Wenninger kwenning at redhat.com
Mon Dec 14 07:40:32 EST 2020


On 12/11/20 10:20 PM, Alex Zarifoglu wrote:
> Hello,
>  
> I have a question regarding running crm commands with the effective uid.
>  
> I am trying to create a tool to manage pacemaker resources for
> multiple users. For security reasons, these users will only be able to
> create/delete/manage resources that can impact that specific user
> only. I cannot achieve this via ACLs because it is not possible to
> enforce every user to only create primitives with certain parameters,
> rules etc.
>  
> Therefore, I created a user called cmadmin which has full write access
> to the cib. And created an executable which is owned by this user and
> has the setuid and setgid bits set.
>  
> -r-sr-s--x   1 cmadmin cmadmin 24248 Dec 11 07:04 cmexc
>  
> Within this executable I have the code:
>  
>      #include <stdio.h>
>      #include <stdlib.h>
>      #include <unistd.h>
>      #include <sys/types.h>
>      #include <sys/wait.h>
>  
>      pid_t pid;
>      char *const parmList[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};
>  
>      if ((pid = fork()) == -1)
>          perror("fork error");
>      else if (pid == 0) {
>          execv("/sbin/crm_mon", parmList);   /* only returns on failure */
>          perror("execv error");
>          _exit(127);
>      } else
>          waitpid(pid, NULL, 0);              /* parent waits for crm_mon */
>  
>  
> If I run this with a user other than cmadmin, crm_mon fails. I tested
> with another executable to make sure effective user id is passed in
> correctly and it worked fine.
>  
> Checking the trace, we fail here with EACCES (permission denied):
>  
>      (crm_ipc_send)   trace: Sending cib_ro IPC request 5 of 191 bytes using 120000ms timeout
>      (internal_ipc_get_reply) trace: client cib_ro waiting on reply to msg id 5
>      (crm_ipc_send)   trace: Received 179-byte reply 5 to cib_ro IPC 5: <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c
>      (cib_native_perform_op_delegate) trace: Reply   <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c6cd" cib_callopt="4352" *cib_rc="-13"*/>
>  
> I tested with other pacemaker commands and got similar results. I’ve
> also tried adding users to haclient group (not to acls just to the
> group) with no success.
>  
> Is it not possible to change effective uids and call crm executables?
> If so why and is there way I can achieve what I need differently?
Are you running with selinux enforcing?
Not saying you shouldn't - just to narrow down ...

Klaus
>  
> Thank you,
> Alex
>  
>  
> Alex Zarifoglu
> Software Developer | Db2 pureScale
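Whatever turns out to be the cause of the EACCES above (Klaus's SELinux question is one candidate), a setuid wrapper like cmexc leaves the caller's real uid/gid in place, and the code in the post never changes that. The following is an added example, not Alex's code and not part of Pacemaker: it promotes the effective ids to real and saved ids before the exec, which an unprivileged setuid binary is allowed to do, and runs /sbin/crm_mon with the argv from the post. Supplementary groups (haclient membership, for instance) cannot be changed without CAP_SETGID, so they remain the caller's; that limit is stated in the comments rather than papered over.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* 1 if real, effective and saved uid/gid all agree, else 0. */
int identity_is_complete(void)
{
    uid_t r, e, s; gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return r == e && e == s && rg == eg && eg == sg;
}

/* Make the effective ids (the file owner, cmadmin in the post) the real and
 * saved ids as well. Permitted without root because every value passed is
 * already one of the process's current ids. Supplementary groups stay the
 * caller's: setgroups() needs CAP_SETGID. Returns 0 on success, -1 on error. */
int make_identity_complete(void)
{
    gid_t eg = getegid();
    uid_t eu = geteuid();
    if (setresgid(eg, eg, eg) != 0) return -1;
    if (setresuid(eu, eu, eu) != 0) return -1;
    return identity_is_complete() ? 0 : -1;
}

/* Fork, complete the identity switch, and exec a fixed command with a
 * minimal environment. Returns the child's exit status, or -1 on failure. */
int run_fixed(const char *path, char *const argv[])
{
    static char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (make_identity_complete() != 0) _exit(126);
        execve(path, argv, envp);
        _exit(127);                       /* exec failed; never fall through */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "crm_mon", "-1", "-VVV", NULL };   /* argv from the post */
    return run_fixed("/sbin/crm_mon", argv);
}
```

Run as cmadmin or as the wrapper owner and compare `id` output before and after: with the switch completed, a child sees real uid == effective uid, which is what to check first when a service appears to authorise the caller rather than the file owner.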