[ClusterLabs] Calling crm executables via effective uid

Reid Wahl nwahl at redhat.com
Thu Jan 7 22:08:10 EST 2021


On Thu, Jan 7, 2021 at 6:16 PM Reid Wahl <nwahl at redhat.com> wrote:

> For whatever reason, the IPC from the crm_mon client to the CIB
> manager is getting opened with the real UID ("testuser" in my case)
> instead of the effective UID. The CIB manager checks this unprivileged
> user against the ACL list and pre-filters the entire CIB, causing a
> "Permission denied" error.
>
> What I haven't figured out yet (if I even keep going down this rabbit
> hole) is why the IPC is attached to the real UID even though the
> executable is owned by cmadmin with the setuid bit enabled.
>

Seems to be getting set within libqb, and I'm not sure whether it's
intentional that

It doesn't seem to be possible to debug cmadmin's SUID process when running
it as testuser. I'm not particularly familiar with libqb and am not sure
how to debug further without building libqb from source and adding tracing,
which is a whole other can of worms.


> On Mon, Dec 14, 2020 at 4:41 AM Klaus Wenninger <kwenning at redhat.com>
> wrote:
> >
> > On 12/11/20 10:20 PM, Alex Zarifoglu wrote:
> > > Hello,
> > >
> > > I have a question regarding running crm commands with the effective
> > > uid.
> > >
> > > I am trying to create a tool to manage pacemaker resources for
> > > multiple users. For security reasons, these users will only be able to
> > > create/delete/manage resources that can impact that specific user
> > > only. I cannot achieve this via ACLs because it is not possible to
> > > enforce every user to only create primitives with certain parameters,
> > > rules etc.
> > >
> > > Therefore, I created a user called cmadmin which has full write access
> > > to the cib. And created an executable which is owned by this user and
> > > has the setuid and setgid bits set.
> > >
> > > -r-sr-s--x   1 cmadmin cmadmin 24248 Dec 11 07:04 cmexc
> > >
> > > Within this executable I have the code:
> > >
> > >      pid_t pid;
> > >      char *const parmList[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};
> > >
> > >      if ((pid = fork()) == -1)
> > >         perror("fork error");
> > >      else if (pid == 0) {
> > >         execv("/sbin/crm_mon", parmList);
> > >         /* only reached if execv fails: report errno and leave the child */
> > >         perror("execv error");
> > >         _exit(127);
> > >      }
> > >
> > >
> > > If I run this with a user other than cmadmin, crm_mon fails. I tested
> > > with another executable to make sure effective user id is passed in
> > > correctly and it worked fine.
> > >
> > > Checking the trace, we fail here with EACCES (permission denied):
> > > (crm_ipc_send)   trace: Sending cib_ro IPC request 5 of 191 bytes using 120000ms timeout
> > > (internal_ipc_get_reply) trace: client cib_ro waiting on reply to msg id 5
> > > (crm_ipc_send)   trace: Received 179-byte reply 5 to cib_ro IPC 5: <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c
> > > (cib_native_perform_op_delegate) trace: Reply   <cib-reply t="cib" cib_op="cib_query" cib_callid="2" cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c6cd" cib_callopt="4352" cib_rc="-13"/>
> > >
> > > I tested with other pacemaker commands and got similar results. I’ve
> > > also tried adding users to haclient group (not to acls just to the
> > > group) with no success.
> > >
> > > Is it not possible to change effective uids and call crm executables?
> > > If so, why, and is there a way I can achieve what I need differently?
> > Are you running with selinux enforcing?
> > Not saying you shouldn't - just to narrow down ...
> >
> > Klaus
> > >
> > > Thank you,
> > > Alex
> > >
> > >
> > > Alex Zarifoglu
> > > Software Developer | Db2 pureScale
> > >
> > >
> > > _______________________________________________
> > > Manage your subscription:
> > > https://lists.clusterlabs.org/mailman/listinfo/users
> > >
> > > ClusterLabs home: https://www.clusterlabs.org/
> >
>


-- 
Regards,

Reid Wahl, RHCA
Senior Software Maintenance Engineer, Red Hat
CEE - Platform Support Delivery - ClusterHA
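The wrapper in the quoted post execs crm_mon while only the effective (and saved) IDs belong to cmadmin; the real UID and GID still belong to the invoking user, and an exec'd child inherits that split. Anything that consults the real IDs rather than the effective ones, including the credentials the Linux kernel attaches to a UNIX-socket message when the sender does not supply its own, therefore still reports the caller. The usual way to close that gap in a setuid wrapper is to set the real IDs to the effective ones before exec. The following is an added example by the editor, not code from this thread or from the ClusterLabs projects; it takes the /sbin/crm_mon path and arguments from the post, and the PATH value handed to the child is an assumption.

```c
#define _XOPEN_SOURCE 700   /* declares setreuid()/setregid() under strict -std= */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Target program, taken from the quoted post. */
#define TARGET "/sbin/crm_mon"

/*
 * Make the real UID/GID equal to the effective ones.
 *
 * A setuid/setgid executable starts with euid/egid = file owner but
 * ruid/rgid = invoking user, and an exec'd child inherits that split.
 * Anything that consults the real IDs (a child calling getuid(), or the
 * credentials the Linux kernel attaches to a UNIX-socket message when the
 * sender does not supply its own) therefore still sees the invoking user.
 * The group is changed first: if the wrapper were owned by root, changing
 * the uid first would make the gid change impossible afterwards.
 * Returns 0 on success, -1 with errno set on failure.
 */
int make_real_ids_match_effective(void)
{
    gid_t egid = getegid();
    uid_t euid = geteuid();

    if (setregid(egid, egid) != 0)
        return -1;
    if (setreuid(euid, euid) != 0)
        return -1;
    return 0;
}

/* Returns 1 when real and effective UID and GID agree, 0 otherwise. */
int ids_are_consistent(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

int main(void)
{
    /* Record who invoked the wrapper before the real uid is overwritten;
     * any per-caller policy the wrapper enforces has to be decided here. */
    uid_t caller = getuid();
    char *const argv[] = { TARGET, "-1", "-VVV", NULL };
    /* Hand the target a minimal, known environment instead of the caller's
     * (the PATH value is an assumption for this example). */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    if (make_real_ids_match_effective() != 0) {
        perror("setreuid/setregid");
        return 1;
    }
    fprintf(stderr, "wrapper: uid %u now running %s as uid %u\n",
            (unsigned)caller, TARGET, (unsigned)geteuid());

    /* No fork needed: replace this process with the target.
     * execve() only returns on failure. */
    execve(TARGET, argv, envp);
    perror("execve " TARGET);
    return 127;
}
```

Build it, then install it with the same owner and mode bits as the cmexc listing in the post (owned by cmadmin, setuid and setgid set). Whether the CIB manager then attributes the connection to cmadmin is something to confirm against the same -VVV trace the post shows; the example only removes the real/effective mismatch that such a check can trip over, it does not change what the daemon decides to check.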