HomeClusterLabs Projects
Diffusion Pacemaker 970736b1c7ad

High: pacemakerd vs. IPC/procfs confused deputy authenticity issue (2/4)
970736b1c7ad
Actions

Description

High: pacemakerd vs. IPC/procfs confused deputy authenticity issue (2/4)

[2/4: pacemakerd to trust pre-existing processes via new checks instead]

In pacemakerd in the context of entrusting pre-existing processes,
we now resort to procfs-based solution only in boundary, fouled cases,
and primarily examine the credentials of the processes already
occupying known IPC end-points before adopting them.

The commit applies the new helpers from 1/1 so as to close the both
related sensitive problems, CVE-2018-16877 and CVE-2018-16878, in
a unified manner, this time limited to the main daemon of pacemaker
(pacemakerd).

To be noted that it is clearly not 100% for this purpose for still
allowing for TOCTTOU, but that's what commit (3/3) is meant to solve
for the most part, plus there may be optimizations solving this concern
as a side effect, but that requires an active assistance on the libqb
side (https://github.com/ClusterLabs/libqb/issues/325) since any
improvement on pacemaker side in isolation would be very
cumbersome if generally possible at all, but either way
means a new, soft compatibility encumberment.

As a follow-up to what was put in preceding 1/3 commit, PID of 1 tracked
as child's identification on FreeBSD (or when socket-based activation is
used with systemd) is treated specially, incl. special precaution with
child's PID discovered as 1 elsewhere.

v2: courtesy of Yan Gao of SUSE for early discovery and report for

what's primarily solved with 4/4 commit, in extension, child
daemons in the initialization phase coinciding with IPC-feasibility
based process scan in pacemakerd in a way that those are missed
(although they are to come up fully just moments later only
to interfere with naturally spawned ones) are now considered so
that if any native children later fail for said clash, the
pre-existing counterpart may get adopted instead of ending up
with repeated spawn-bury loop ad nauseam without real progress
(note that PCMK_fail_fast=true could possibly help, but that's
rather a big hammer not suitable for all the use cases, not
the ones we try to deal with gracefully here)

Details

Provenance
Jan Pokorný <jpokorny@redhat.com>Authored on Apr 15 2019, 6:13 PM
Parents
rP1148f45da977: High: pacemakerd vs. IPC/procfs confused deputy authenticity issue (1/4)
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (1)

PathSize
daemons/
pacemakerd/

rP970736b1c7ad

View Options

daemons/pacemakerd/pacemakerd.c

Loading...