[Linux-HA] Pacemaker runs daemons as root

Dejan Muhamedagic dejanmm at fastmail.fm
Thu Jun 19 03:16:15 MDT 2008


On Wed, Jun 18, 2008 at 10:56:22PM +0200, Andrew Beekhof wrote:
> On Wed, Jun 18, 2008 at 22:50, Serge Dubrouski <sergeyfd at gmail.com> wrote:
> > On Wed, Jun 18, 2008 at 2:47 PM, Andrew Beekhof <beekhof at gmail.com> wrote:
> >> On Wed, Jun 18, 2008 at 20:43, Serge Dubrouski <sergeyfd at gmail.com> wrote:
> >>> Here is some additional info from the log file:
> >>>
> >>> heartbeat[5555]: 2008/06/18_14:38:16 info: respawn directive: root
> >>> /usr/lib/heartbeat/lrmd -r
> >>> heartbeat[5556]: 2008/06/18_14:38:18 info: Starting child client
> >>> "/usr/lib/heartbeat/lrmd -r" (0,0)
> >>> heartbeat[5569]: 2008/06/18_14:38:18 info: Starting
> >>> "/usr/lib/heartbeat/lrmd -r" as uid 0  gid 0 (pid 5569)
> >>>
> >>> Why would it start a child process as root?
> >>
> >> particularly for the lrmd - it must be run as root in order to be able
> >> to run the RAs.
> >
> > On old systems it drops its own privileges to "nobody" and still can
> > control all those things, don't know how.
> 
> I think it asks for root privs back (return_to_orig_privs() ), spawns
> the RA process and drops them again.

Right. It runs all the time as user nobody, then raises
privileges when it's about to fork/exec a resource agent.

> But as you pointed out, that only works if CAN_DROP_PRIVS is defined/working.

I guess that this is the culprit.

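The drop/raise pattern discussed in this thread, as an added example that is not heartbeat or lrmd source code: a process lowers only its effective IDs, restores them through the saved set-user-ID just before fork/exec, and lowers them again in the parent. The function names `drop_privs`, `regain_privs` and `run_with_orig_privs` are hypothetical.

```c
/* Added example (not heartbeat/lrmd code): temporary privilege drop and restore. */
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static uid_t orig_euid;
static gid_t orig_egid;
static int dropped;

/* Switch only the effective IDs; the real and saved IDs stay unchanged. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (dropped) return -1;
    orig_euid = geteuid();
    orig_egid = getegid();
    /* Group first: once the euid is unprivileged, setegid() would be refused. */
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) { (void)setegid(orig_egid); return -1; }
    if (geteuid() != uid || getegid() != gid) return -1;
    dropped = 1;
    return 0;
}

/* Restore the effective IDs recorded by drop_privs(). */
int regain_privs(void)
{
    if (!dropped) return -1;
    /* User first: the saved set-user-ID allows it and re-enables setegid(). */
    if (seteuid(orig_euid) != 0) return -1;
    if (setegid(orig_egid) != 0) return -1;
    if (geteuid() != orig_euid || getegid() != orig_egid) return -1;
    dropped = 0;
    return 0;
}

/* Raise privileges only around fork/exec, then drop again in the parent.
   Call while dropped. Returns the child's exit status, or -1 on error. */
int run_with_orig_privs(char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid; int status;
    if (regain_privs() != 0) return -1;
    pid = fork();
    if (pid == 0) { execv(argv[0], argv); _exit(127); }  /* child keeps raised IDs */
    if (drop_privs(uid, gid) != 0) return -1;   /* parent is unprivileged again */
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the saved set-user-ID remains root for the whole lifetime of the process, this pattern limits what a bug can do by accident but does not contain code that has been taken over, which can call `seteuid(0)` itself.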