From f837f95dfe96d60f2367e900efd4def7a07b2a89 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 3 Aug 2016 16:51:51 +0200
Subject: [PATCH] Config: Flag config uidgid entries
Uidgid entries parsed from configuration files now have the prefix
(uidgid.config.) so they are distinguishable from dynamically added
entries. Entries added from config file are pruned on reload if no
longer exists in config file (dynamic one stays unaffected). Also whole
uidgid.config. prefix is made read only.
This make PCMK work again after configuration reload is called.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
exec/cfg.c | 2 +-
exec/coroparse.c | 8 ++++----
exec/ipc_glue.c | 8 ++++++++
exec/main.c | 1 +
man/cmap_keys.8 | 4 +++-
5 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/exec/cfg.c b/exec/cfg.c
index 87e49c4..4e62d73 100644
--- a/exec/cfg.c
+++ b/exec/cfg.c
@@ -703,7 +703,7 @@ static void message_handler_req_exec_cfg_reload_config (
remove_deleted_entries(temp_map, "totem.");
remove_deleted_entries(temp_map, "nodelist.");
remove_deleted_entries(temp_map, "quorum.");
- remove_deleted_entries(temp_map, "uidgid.");
+ remove_deleted_entries(temp_map, "uidgid.config.");
/* Remove entries that cannot be changed */
remove_ro_entries(temp_map);
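Review bot: The pruning on the new line at 706 runs before remove_ro_entries(temp_map), and exec/main.c in this same patch flags the uidgid.config. prefix read-only; if remove_ro_entries strips read-only keys out of temp_map (its body is not in the hunk), every freshly parsed uidgid.config.* key is dropped before the map copy, so a reload would apply removals from the uidgid section but never additions. Worth confirming with a reload test that adds a new uidgid entry to the config file, and, if the strip does happen, either excluding this prefix in remove_ro_entries or making the flag constrain only cmap clients. A comment on the new line such as `/* only config-file entries are pruned; dynamic uidgid.* keys survive reload */` would also record the intent. The enclosing message_handler_req_exec_cfg_reload_config starts before the hunk.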
diff --git a/exec/coroparse.c b/exec/coroparse.c
index 4c1fea9..374ed7d 100644
--- a/exec/coroparse.c
+++ b/exec/coroparse.c
@@ -794,7 +794,7 @@ static int main_config_parser_cb(const char *path,
*error_string = error_string_response;
return (0);
}
- snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.uid.%u",
+ snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.uid.%u",
uid);
icmap_set_uint8_r(config_map, key_name, 1);
add_as_string = 0;
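Review bot: The key format "uidgid.config.uid.%u" / "uidgid.config.gid.%u" is now spelled out as a separate string literal in four places in this file (this hunk and the ones at 804, 1203 and 1212) and again in exec/ipc_glue.c, exec/cfg.c and exec/main.c, so a typo in any one copy would silently make that lookup or prune miss without any compiler help. A single definition shared by the writers here and the readers in ipc_glue.c and cfg.c, e.g. `#define ICMAP_UIDGID_CONFIG_PREFIX "uidgid.config."`, keeps the key namespace in one place and makes the reader/writer pairing visible. Both main_config_parser_cb and uidgid_config_parser_cb start and end outside their hunks.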
@@ -804,7 +804,7 @@ static int main_config_parser_cb(const char *path,
*error_string = error_string_response;
return (0);
}
- snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.gid.%u",
+ snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.gid.%u",
gid);
icmap_set_uint8_r(config_map, key_name, 1);
add_as_string = 0;
@@ -1203,7 +1203,7 @@ static int uidgid_config_parser_cb(const char *path,
*error_string = error_string_response;
return (0);
}
- snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.uid.%u",
+ snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.uid.%u",
uid);
icmap_set_uint8_r(config_map, key_name, 1);
} else if (strcmp(path, "uidgid.gid") == 0) {
@@ -1212,7 +1212,7 @@ static int uidgid_config_parser_cb(const char *path,
*error_string = error_string_response;
return (0);
}
- snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.gid.%u",
+ snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.gid.%u",
gid);
icmap_set_uint8_r(config_map, key_name, 1);
} else {
diff --git a/exec/ipc_glue.c b/exec/ipc_glue.c
index 79ee4df..c8cbbf8 100644
--- a/exec/ipc_glue.c
+++ b/exec/ipc_glue.c
@@ -194,10 +194,18 @@ static int32_t cs_ipcs_connection_accept (qb_ipcs_connection_t *c, uid_t euid, g
if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
return 0;
+ snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.uid.%u", euid);
+ if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
+ return 0;
+
snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.gid.%u", egid);
if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
return 0;
+ snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "uidgid.config.gid.%u", egid);
+ if (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1)
+ return 0;
+
log_printf(LOGSYS_LEVEL_ERROR, "Denied connection attempt from %d:%d", euid, egid);
return -EACCES;
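Review bot: The two new lookups at 197 and 206 repeat the existing snprintf / icmap_get_uint8 / return 0 triple, so cs_ipcs_connection_accept now carries four copies of the same access check, and the function's start (the key_name buffer and the first uidgid.uid lookup) is outside the hunk. A small static helper that builds the key and tests it lets the accept path read as one condition listing every accepted prefix, which is also the one place a future prefix would be added. The excerpt below shows the helper and the replacement condition; the denied-connection log and the -EACCES return are unchanged.
```c
/* Returns 1 when the icmap key "<prefix>.<id>" exists and is set to 1. */
static int uidgid_key_allowed(const char *prefix, unsigned int id)
{
	char key_name[ICMAP_KEYNAME_MAXLEN];
	uint8_t u8;

	snprintf(key_name, ICMAP_KEYNAME_MAXLEN, "%s.%u", prefix, id);
	return (icmap_get_uint8(key_name, &u8) == CS_OK && u8 == 1);
}

/* … inside cs_ipcs_connection_accept, replacing the four lookups … */
	if (uidgid_key_allowed("uidgid.uid", euid) ||
	    uidgid_key_allowed("uidgid.config.uid", euid) ||
	    uidgid_key_allowed("uidgid.gid", egid) ||
	    uidgid_key_allowed("uidgid.config.gid", egid)) {
		return 0;
	}
	/* … unchanged: denied-connection log and return -EACCES … */
```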
diff --git a/exec/main.c b/exec/main.c
index 54df1b6..82fb808 100644
--- a/exec/main.c
+++ b/exec/main.c
@@ -1011,6 +1011,7 @@ static void set_icmap_ro_keys_flag (void)
icmap_set_ro_access("runtime.totem.", CS_TRUE, CS_TRUE);
icmap_set_ro_access("runtime.services.", CS_TRUE, CS_TRUE);
icmap_set_ro_access("runtime.config.", CS_TRUE, CS_TRUE);
+ icmap_set_ro_access("uidgid.config.", CS_TRUE, CS_TRUE);
/*
* Set RO flag for constrete keys of configuration which can't be changed
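Review bot: The new icmap_set_ro_access call for uidgid.config. sits in the middle of the runtime.* lines with nothing saying why a configuration-sourced prefix is locked while the sibling uidgid.* keys stay writable; a later reader is likely to see that as an inconsistency and "fix" it one way or the other. A one-line comment above the new line, e.g. `/* uidgid.config.* is owned by the config parser; dynamic uidgid.* stays writable via cmap */`, would pin the intent. set_icmap_ro_keys_flag starts before the hunk.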
diff --git a/man/cmap_keys.8 b/man/cmap_keys.8
index a17147a..7517788 100644
--- a/man/cmap_keys.8
+++ b/man/cmap_keys.8
@@ -275,7 +275,9 @@ State of the client. Can be one of failed, stopped, running and waiting for quor
.TP
uidgid.*
Information about users/groups which are allowed to make IPC connections to
-corosync.
+corosync. Entries loaded from configuration file are stored with
+uidgid.config.* prefix and are pruned on configuration file reload. Dynamic
+entries has uidgid.* prefix and a configuration file reload doesn't affect them.
.TP
quorum.cancel_wait_for_all
--
1.7.1