
Fix: do not rely on DAC_OVERRIDE capability on Linux despite being root
Commit 9695ba05fede (unpublished: this commit is not an ancestor of any permanent ref)

Description

Fix: do not rely on DAC_OVERRIDE capability on Linux despite being root

It turns out, for example, that SELinux will prevent this capability
for confined processes running as root. It then means that sbd cannot
access, as a client, files used for joining two local communication sides
within libqb-arranged IPC mechanism in case those files do not have
permissions to explicitly allow file-based access with credentials
of this client -- which is exactly what happens when the IPC servers
are pacemaker daemons not run as root on their own.

Solution is two-phased:

  1. have sbd add respective non-privileged group corresponding to the server side of the IPC -- this patch
  2. ensure this server side (pacemaker) does allow group-derived access (i.e., the access permissions for group are as relaxed as needed, umask notwithstanding) -- outside of the sbd's scope

Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
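
An added illustration of the first phase, not code from this commit or from sbd: `dac_allows` is a simplified model of the owner/group/other check (no ACLs, no `fsuid`) as it applies to uid 0 once `CAP_DAC_OVERRIDE` is denied, and `join_group` adds one supplementary group to the running process. All function names are hypothetical, and the group name is assumed to be supplied by the caller.

```c
#define _DEFAULT_SOURCE /* setgroups() is not POSIX; glibc declares it in <grp.h> */
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified DAC check with CAP_DAC_OVERRIDE unavailable: uid 0 gets no
 * bypass. groups holds the effective gid plus supplementary groups; want is
 * an rwx mask (4 = read, 2 = write, 1 = execute). Returns 1 if allowed. */
int dac_allows(mode_t mode, uid_t fuid, gid_t fgid, uid_t uid,
               const gid_t *groups, size_t n, unsigned want)
{
    size_t i;
    if (uid == fuid)
        return ((mode >> 6) & want) == want;
    for (i = 0; i < n; i++)
        if (groups[i] == fgid)
            return ((mode >> 3) & want) == want;
    return (mode & want) == want;
}

/* Append gid to list[0..n) unless already present; list must have room for
 * n + 1 entries. Returns the new length. */
size_t add_gid(gid_t *list, size_t n, gid_t gid)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (list[i] == gid)
            return n;
    list[n] = gid;
    return n + 1;
}

/* Add the named group to this process's supplementary groups while keeping
 * the existing ones. Needs CAP_SETGID. Returns 0 on success, -1 on error. */
int join_group(const char *name)
{
    struct group *gr = getgrnam(name);
    int n = getgroups(0, NULL), rc = -1;
    gid_t *list;
    if (gr == NULL || n < 0)
        return -1;
    list = malloc(((size_t)n + 1) * sizeof(*list));
    if (list != NULL && (n = getgroups(n, list)) >= 0)
        rc = setgroups(add_gid(list, (size_t)n, gr->gr_gid), list);
    free(list);
    return rc;
}
```

With a group-owned file at mode 0600 the model still denies access after the group is joined, which is why the second phase on the server side is needed.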

Details

Provenance: Jan Pokorný <jpokorny@redhat.com>, authored on Feb 14 2019, 4:18 PM
Parents: rSf949aa8077fb: Merge pull request #68 from wenningerk/fail_earlier_on_empty_diskname
Branches: Unknown
Tags: Unknown