[ClusterLabs] Calling crm executables via effective uid
Reid Wahl
nwahl at redhat.com
Fri Jan 8 01:21:46 EST 2021
Seems that the SCM_CREDENTIALS ancillary message passes the real UID rather
than the effective UID in the ucred struct. It looks like that's where we
get a value for ugp.uid.
I wonder if there's any way to work around this and whether it's intended
behavior. Based on variable naming (c->euid), libqb seems to expect an
effective UID. For example:
https://github.com/ClusterLabs/libqb/blob/master/lib/ipc_setup.c#L497
https://github.com/ClusterLabs/libqb/blob/master/lib/ipc_setup.c#L652
I'm way out of my depth here :) Just seemed fun to dig into.
On Thu, Jan 7, 2021 at 7:08 PM Reid Wahl <nwahl at redhat.com> wrote:
>
> On Thu, Jan 7, 2021 at 6:16 PM Reid Wahl <nwahl at redhat.com> wrote:
>
>> For whatever reason, the IPC from the crm_mon client to the CIB
>> manager is getting opened with the real UID ("testuser" in my case)
>> instead of the effective UID. The CIB manager checks this unprivileged
>> user against the ACL list and pre-filters the entire CIB, causing a
>> "Permission denied" error.
>>
>> What I haven't figured out yet (if I even keep going down this rabbit
>> hole) is why the IPC is attached to the real UID even though the
>> executable is owned by cmadmin with the setuid bit enabled.
>>
>
> Seems to be getting set within libqb, and I'm not sure whether it's
> intentional that
>
> It doesn't seem to be possible to debug cmadmin's SUID process when
> running it as testuser. I'm not particularly familiar with libqb and am not
> sure how to debug further without building libqb from source and adding
> tracing, which is a whole other can of worms.
>
>
>> On Mon, Dec 14, 2020 at 4:41 AM Klaus Wenninger <kwenning at redhat.com>
>> wrote:
>> >
>> > On 12/11/20 10:20 PM, Alex Zarifoglu wrote:
>> > > Hello,
>> > >
>> > > I have a question regarding running crm commands with the effective
>> uid.
>> > >
>> > > I am trying to create a tool to manage pacemaker resources for
>> > > multiple users. For security reasons, these users will only be able to
>> > > create/delete/manage resources that can impact that specific user
>> > > only. I cannot achieve this via ACLs because it is not possible to
>> > > enforce every user to only create primitives with certain parameters,
>> > > rules etc.
>> > >
>> > > Therefore, I created a user called cmadmin which has full write access
>> > > to the cib. And created an executable which is owned by this user and
>> > > has the setuid and setgid bits set.
>> > >
>> > > -r-sr-s--x 1 cmadmin cmadmin 24248 Dec 11 07:04 cmexc
>> > >
>> > > Within this executable I have the code:
>> > >
>> > > pid_t pid;
>> > > char *const parmList[] = {"/sbin/crm_mon", "-1", "-VVV", NULL};
>> > >
>> > > if ((pid = fork()) == -1)
>> > >     perror("fork error");
>> > > else if (pid == 0) {
>> > >     execv("/sbin/crm_mon", parmList);
>> > >     printf("execv error");
>> > > }
>> > >
>> > >
>> > > If I run this with a user other than cmadmin, crm_mon fails. I tested
>> > > with another executable to make sure effective user id is passed in
>> > > correctly and it worked fine.
>> > >
>> > > Checking the trace, we fail here with eacces permission denied:
>> > > |(crm_ipc_send) trace: Sending cib_ro IPC request 5 of 191 bytes
>> > > using 120000ms timeout|
>> > > |(internal_ipc_get_reply) trace: client cib_ro waiting on reply to msg
>> > > id 5|
>> > > |(crm_ipc_send) trace: Received 179-byte reply 5 to cib_ro IPC 5:
>> > > <cib-reply t="cib" cib_op="cib_query" cib_callid="2"
>> > > cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c|
>> > > |(cib_native_perform_op_delegate) trace: Reply <cib-reply t="cib"
>> > > cib_op="cib_query" cib_callid="2"
>> > > cib_clientid="f58912bf-cab6-4d1b-9025-701fc147c6cd" cib_callopt="4352"
>> > > *cib_rc="-13"*/>|
>> > >
>> > > I tested with other pacemaker commands and got similar results. I’ve
>> > > also tried adding users to haclient group (not to acls just to the
>> > > group) with no success.
>> > >
>> > > Is it not possible to change effective uids and call crm executables?
>> > > If so, why, and is there a way I can achieve what I need differently?
>> > Are you running with selinux enforcing?
>> > Not saying you shouldn't - just to narrow down ...
>> >
>> > Klaus
>> > >
>> > > Thank you,
>> > > Alex
>> > >
>> > >
>> > > *Alex Zarifoglu*
>> > > Software Developer *|* *Db2* pureScale
>> > >
>> > >
>> > > _______________________________________________
>> > > Manage your subscription:
>> > > https://lists.clusterlabs.org/mailman/listinfo/users
>> > >
>> > > ClusterLabs home: https://www.clusterlabs.org/
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Reid Wahl, RHCA
>> Senior Software Maintenance Engineer, Red Hat
>> CEE - Platform Support Delivery - ClusterHA
>>
>
>
> --
> Regards,
>
> Reid Wahl, RHCA
> Senior Software Maintenance Engineer, Red Hat
> CEE - Platform Support Delivery - ClusterHA
>
--
Regards,
Reid Wahl, RHCA
Senior Software Maintenance Engineer, Red Hat
CEE - Platform Support Delivery - ClusterHA