[ClusterLabs] Calling crm executables via effective uid
Reid Wahl
nwahl at redhat.com
Thu Jan  7 21:16:30 EST 2021

For whatever reason, the IPC from the crm_mon client to the CIB
manager is getting opened with the real UID ("testuser" in my case)
instead of the effective UID. The CIB manager checks this unprivileged
user against the ACL list and pre-filters the entire CIB, causing a
"Permission denied" error.

What I haven't figured out yet (if I even keep going down this rabbit
hole) is why the IPC is attached to the real UID even though the
executable is owned by cmadmin with the setuid bit enabled.
On Mon, Dec 14, 2020 at 4:41 AM Klaus Wenninger <kwenning at redhat.com> wrote:
>
> On 12/11/20 10:20 PM, Alex Zarifoglu wrote:
> > Hello,
> >
> > I have a question regarding running crm commands with the effective uid.
> >
> > I am trying to create a tool to manage pacemaker resources for
> > multiple users. For security reasons, these users will only be able to
> > create/delete/manage resources that can impact that specific user
> > only. I cannot achieve this via ACLs because it is not possible to
> > enforce every user to only create primitives with certain parameters,
> > rules etc.
> >
> > Therefore, I created a user called cmadmin which has full write access
> > to the cib. And created an executable which is owned by this user and
> > has the setuid and setgid bits set.
> >
> > -r-sr-s--x   1 cmadmin cmadmin 24248 Dec 11 07:04 cmexc
> >
> > Within this executable I have the code:
> >
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <sys/wait.h>
> >
> > int main(void)
> > {
> >     pid_t pid;
> >     char *const parmList[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};
> >
> >     if ((pid = fork()) == -1)
> >         perror("fork error");
> >     else if (pid == 0) {
> >         execv("/sbin/crm_mon", parmList); /* child becomes crm_mon */
> >         perror("execv error");            /* only reached if execv fails */
> >         _exit(127);
> >     } else
> >         waitpid(pid, NULL, 0);            /* parent waits for crm_mon */
> >     return 0;
> > }
> >
> >
> > If I run this with a user other than cmadmin, crm_mon fails. I tested
> > with another executable to make sure effective user id is passed in
> > correctly and it worked fine.
> >
> > Checking the trace, we fail here with eacces permission denied:
> > (crm_ipc_send)   trace: Sending cib_ro IPC request 5 of 191 bytes using 120000ms timeout
> > (internal_ipc_get_reply) trace: client cib_ro waiting on reply to msg id 5
> > (crm_ipc_send)   trace: Received 179-byte reply 5 to cib_ro IPC 5: <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c
> > (cib_native_perform_op_delegate) trace: Reply   <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c6cd" cib_callopt="4352" *cib_rc="-13"*/>
> >
> > I tested with other pacemaker commands and got similar results. I’ve
> > also tried adding users to haclient group (not to acls just to the
> > group) with no success.
> >
> > Is it not possible to change effective uids and call crm executables?
> > If so, why, and is there a way I can achieve what I need differently?
> Are you running with selinux enforcing?
> Not saying you shouldn't - just to narrow down ...
>
> Klaus
> >
> > Thank you,
> > Alex
> >
> >
> > Alex Zarifoglu
> > Software Developer | Db2 pureScale
> >
> >
> > _______________________________________________
> > Manage your subscription:
> > https://lists.clusterlabs.org/mailman/listinfo/users
> >
> > ClusterLabs home: https://www.clusterlabs.org/
>
--
Regards,
Reid Wahl, RHCA
Senior Software Maintenance Engineer, Red Hat
CEE - Platform Support Delivery - ClusterHA