On 06/13/12 12:36, Andrew Beekhof wrote:
> On 13/06/2012, at 2:30 PM, Gao,Yan wrote:
>> On 06/13/12 12:27, Andrew Beekhof wrote:
>>> On 13/06/2012, at 2:24 PM, Gao,Yan wrote:
>>>> On 06/13/12 12:00, Andrew Beekhof wrote:
>>>>> I was just talking to Angus on the phone... can you send me the pacemaker patch you're testing? From what he describes, the existing libqb should be enough.
>>>> I believe libqb provides all it can do. The problem is setuid() won't get what's needed. Attached the patch I'm testing.
>>> Where is the call to setuid()? In libqb somewhere?
>> I mean cib, such as in "lib/ais/utils.c:177". Cib setuid() to hacluster from root.
> Ok, I don't understand the question then... setuid() doesn't "get" anything. Perhaps if you clarify the error/behavior you're getting? I.e. what is failing and where.
/dev/shm/qb-cib_*-control* will be like:

    -rw-rw---- 1 hacluster root 24 Jun 13 12:36 qb-cib_rw-control-31947-32166-15

If an ordinary user in the haclient group requests to cib, he'll definitely get "permission denied":

    open("/dev/shm/qb-cib_rw-control-31947-32166-15", O_RDWR) = -1 EACCES (Permission denied)

Which means the invoking

    cib/callbacks.c:99
    qb_ipcs_connection_auth_set(c, -1, crm_grp->gr_gid, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);

did change the file mode but not the group of the file.

It's due to the chown() in

    libqb/libqb/lib/ipc_us.c:953
    res = chown(r->request, c->auth.uid, c->auth.gid);

getting "Operation not permitted (1)".

That means cib's "hacluster:root" role, which comes from setuid(), is not allowed to change the group of the file to "haclient".

Regards, Gao,Yan
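
Added example, not part of the message above and not pacemaker or libqb code: chown(2) lets an unprivileged file owner change the group only to the process's effective gid or one of its supplementary groups, and this C diagnostic predicts that outcome from the current credentials and compares it with a real chown() on a scratch file. The function names and the /tmp path are hypothetical; it assumes euid 0 still holds CAP_CHOWN.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* expose mkstemp() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if gid is the effective gid or a supplementary group of this process. */
int in_process_groups(gid_t gid)
{
    int n = getgroups(0, NULL);                 /* ask for the list size first */
    gid_t *list = n > 0 ? malloc(n * sizeof *list) : NULL;
    int found = (gid == getegid());
    if (list && (n = getgroups(n, list)) > 0)
        for (int i = 0; i < n && !found; i++)
            found = (list[i] == gid);
    free(list);
    return found;
}

/* Predict chown(path, -1, gid): 1 allowed, 0 refused, -1 if stat() failed. */
int can_chgrp(const char *path, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (geteuid() == 0)                         /* assumption: CAP_CHOWN is held */
        return 1;
    if (st.st_uid != geteuid())                 /* only the owner may change the group */
        return 0;
    return gid == st.st_gid || in_process_groups(gid);
}

/* Create a scratch file, predict, then call chown(); 1 if both agree. */
int prediction_matches(gid_t gid)
{
    char path[] = "/tmp/chgrp-demo-XXXXXX";     /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int predicted = can_chgrp(path, gid);
    int rc = chown(path, (uid_t)-1, gid);
    printf("gid %ld: predicted=%d chown=%d (%s)\n", (long)gid, predicted, rc, rc ? strerror(errno) : "ok");
    close(fd); unlink(path);
    return predicted == (rc == 0);
}

int main(void) { return prediction_matches(getegid()) == 1 ? 0 : 1; }
```

Running the same check inside a daemon after it has dropped privileges shows whether the target group is present in its credentials before the chown() is attempted.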