On 06/13/12 13:05, Andrew Beekhof wrote:
And just to tie it directly to what we're doing here:
[root@pcmk-1 ~]# su - hacluster
-bash-4.2$ ls -al /dev/shm/qb-cib_shm-event-1067-1073-12-data
-rw------- 1 hacluster root 524288 Jun 13 15:03 /dev/shm/qb-cib_shm-event-1067-1073-12-data
-bash-4.2$ chgrp haclient /dev/shm/qb-cib_shm-event-1067-1073-12-data
-bash-4.2$ ls -al /dev/shm/qb-cib_shm-event-1067-1073-12-data
-rw------- 1 hacluster haclient 524288 Jun 13 15:03 /dev/shm/qb-cib_shm-event-1067-1073-12-data
Just checked "su". It does initgroups().
So it should be possible to change the group.
On 13/06/2012, at 2:51 PM, Gao,Yan wrote:
On 06/13/12 12:36, Andrew Beekhof wrote:
On 13/06/2012, at 2:30 PM, Gao,Yan wrote:
On 06/13/12 12:27, Andrew Beekhof wrote:
On 13/06/2012, at 2:24 PM, Gao,Yan wrote:
On 06/13/12 12:00, Andrew Beekhof wrote:
> I was just talking to angus on the phone... can you send me the pacemaker patch you're testing?
> From what he describes, the existing libqb should be enough.
I believe libqb provides all it can do. The problem is that setuid() won't get what's needed. Attached is the patch I'm testing.
Where is the call to setuid()? in libqb somewhere?
I mean cib, such as in "lib/ais/utils.c:177". Cib setuid()s from root to hacluster.
Ok, I don't understand the question then... setuid() doesn't "get" anything. Perhaps if you clarify the error/behavior you're getting? I.e. what is failing and where.
/dev/shm/qb-cib_*-control* will be like:
-rw-rw---- 1 hacluster root 24 Jun 13 12:36 qb-cib_rw-control-31947-32166-15
If an ordinary user in the haclient group makes a request to cib, he'll definitely get "permission denied":
open("/dev/shm/qb-cib_rw-control-31947-32166-15", O_RDWR) = -1 EACCES (Permission denied)
Which means the call in cib/callbacks.c:99,
qb_ipcs_connection_auth_set(c, -1, crm_grp->gr_gid, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
did change the file mode but not the group of the file.
It's due to the chown() in libqb/libqb/lib/ipc_us.c:953,
res = chown(r->request, c->auth.uid, c->auth.gid);
getting "Operation not permitted (1)".
That means cib's "hacluster:root" role, which comes from setuid(), is not allowed to change the group of the file to "haclient".
Regards,
Gao,Yan
--
Gao,Yan <ygao@suse.com>
Software Engineer
China Server Team, SUSE.
_______________________________________________
quarterback-devel mailing list
quarterback-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/quarterback-devel
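The credential rule the thread runs into, as an added C example that is not code from the thread, libqb or Pacemaker: a non-root process may chgrp a file it owns only to its effective gid or to one of its supplementary groups, and setuid() alone does not load supplementary groups, whereas su(1) calls initgroups() first. The user and group names hacluster and haclient are taken from the thread; the temp-file path, the function names (can_chgrp_to, try_chgrp_tempfile, drop_privileges) and the privilege-drop sequence are this example's own assumptions, not libqb's or cib's code.

```c
/* Added example (not from the quarterback-devel thread): reproduces the
 * "Operation not permitted" chown() failure of a daemon that switched from
 * root to hacluster with setuid() alone, and shows the initgroups() step
 * that su(1) performs. Names hacluster/haclient come from the thread;
 * everything else here is constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Mirror the chown(2) rule: a non-root owner may hand a file to its
 * effective gid or to any gid in its supplementary group list. */
int can_chgrp_to(gid_t gid)
{
    if (gid == getegid())
        return 1;
    int n = getgroups(0, NULL);
    if (n < 0)
        return 0;
    gid_t *list = calloc((size_t)n + 1, sizeof(gid_t));
    if (!list)
        return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == gid) { found = 1; break; }
    free(list);
    return found;
}

/* Create a mode-0600 temp file (stand-in for the qb-cib_*-control file),
 * try to change its group to `gid`, and return 0 on success or the errno
 * from fchown(); EPERM is the "Operation not permitted (1)" seen by libqb. */
int try_chgrp_tempfile(gid_t gid)
{
    char path[] = "/tmp/qb-demo-XXXXXX"; /* constructed path */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    fchmod(fd, S_IRUSR | S_IWUSR);
    int rc = 0;
    if (fchown(fd, (uid_t)-1, gid) < 0)
        rc = errno;
    close(fd);
    unlink(path);
    return rc;
}

/* Assumed privilege-drop sequence, modelled on what su(1) does: load the
 * user's supplementary groups with initgroups() BEFORE setgid()/setuid(),
 * so a later chown() to haclient is permitted. Needs root; returns 0 or errno. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return ENOENT;
    if (initgroups(user, pw->pw_gid) < 0)   /* must run while still root */
        return errno;
    if (setgid(pw->pw_gid) < 0)
        return errno;
    if (setuid(pw->pw_uid) < 0)
        return errno;
    return 0;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "haclient";
    struct group *gr = getgrnam(target);
    if (!gr) {
        fprintf(stderr, "no such group: %s\n", target);
        return 1;
    }
    if (geteuid() == 0) {
        int rc = drop_privileges("hacluster");
        if (rc) {
            fprintf(stderr, "drop_privileges: %s\n", strerror(rc));
            return 1;
        }
    }
    printf("euid=%u egid=%u member of %s: %d\n", (unsigned)geteuid(),
           (unsigned)getegid(), target, can_chgrp_to(gr->gr_gid));
    int rc = try_chgrp_tempfile(gr->gr_gid);
    printf("chgrp to %s: %s\n", target, rc ? strerror(rc) : "ok");
    return rc ? 1 : 0;
}
```

Run as root on a host that has the hacluster user and haclient group to see the two behaviours side by side: with the initgroups() line in place the chgrp succeeds, and with it removed (so that only setgid()/setuid() run) fchown() returns EPERM exactly as the chown() in ipc_us.c does in the thread.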