
High: executor: restrict certain IPC requests to Pacemaker daemons

Description

High: executor: restrict certain IPC requests to Pacemaker daemons

This is a partial fix (along with two later commits) for CVE-2020-25654.

The executor IPC API allows clients to register resources, request agent
execution, and so forth.

If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs and
execute any code as root. (If ACLs are not enabled, users in the haclient group
have full access to the CIB, which already gives them that ability, so there is
no additional exposure in that case.)

When ACLs are supported, this commit effectively disables the executor IPC API
for clients that aren't connecting as root or hacluster. Such clients can only
register and poke now.
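The gate the commit message describes, as an added example that is not Pacemaker's code: the server takes the client's UID from the kernel and, when ACLs are supported, lets unprivileged clients only register and poke. The enum names, the use of `SO_PEERCRED` (Linux-specific, swapped in for the project's own IPC layer), the reading of "register" as session registration, and the sample UID 189 are assumptions.

```c
#define _GNU_SOURCE /* struct ucred and SO_PEERCRED on Linux */
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical request types; these are not Pacemaker's identifiers. */
enum ipc_op { OP_REGISTER, OP_POKE, OP_RSC_REGISTER, OP_RSC_EXEC };

/* Kernel-reported UID of the peer on a connected Unix socket. */
bool peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0) return false;
    *uid = cred.uid;
    return true;
}

/* root and the daemon account keep the full API. With ACLs supported,
 * any other client is limited to an allow-list of register and poke. */
bool request_allowed(enum ipc_op op, uid_t uid, uid_t daemon_uid, bool acls_supported)
{
    if (!acls_supported || uid == 0 || uid == daemon_uid) return true;
    return op == OP_REGISTER || op == OP_POKE;
}

/* Fail closed: if the peer's identity cannot be read, deny the request. */
bool fd_request_allowed(int fd, enum ipc_op op, uid_t daemon_uid, bool acls_supported)
{
    uid_t uid;
    return peer_uid(fd, &uid) && request_allowed(op, uid, daemon_uid, acls_supported);
}

int main(void)
{
    int sv[2];
    uid_t daemon_uid = 189; /* constructed sample UID for the daemon account */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    for (int op = OP_REGISTER; op <= OP_RSC_EXEC; op++) {
        bool ok = fd_request_allowed(sv[0], (enum ipc_op) op, daemon_uid, true);
        printf("op %d from uid %d: %s\n", op, (int) getuid(), ok ? "allow" : "deny");
    }
    return 0;
}
```

The decision is made per request on the server side from the kernel-supplied UID, never from anything the client sends in the message itself.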

Details

Provenance
kgaillot Authored on Oct 15 2020, 4:33 PM
Parents
rP3dbe8e2066d4: Low: executor: return appropriate error code when no remote support