Bug 1537019

Summary: Make pcs run "corosync -v" probe under unprivileged user (hacluster?) to avoid DDoS'ing unpatched corosync+libqb combo
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pokorný [poki] <jpokorny>
Component: pcsAssignee: Tomas Jelinek <tojeline>
Status: CLOSED WONTFIX QA Contact: cluster-qe <cluster-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.5CC: cfeist, cluster-maint, idevat, omular, tojeline
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-15 07:34:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1539939    
Bug Blocks:    

Description Jan Pokorný [poki] 2018-01-22 09:40:03 UTC 
Upstream report (let's discuss over there):
https://github.com/ClusterLabs/pcs/issues/158
Comment 1 Jan Pokorný [poki] 2018-01-30 09:18:41 UTC 
Note that this bug should be treated as urgent only as long as the
pcs-based management is arranged such that fix on the controlling side
(assumed to contain a fix for this) can influence the controlled side
(not necessarily containing the fix) so that it won't run "corosync -v"
as root.  Otherwise, this is just a low-prio specific item of
[bug 1539939], as the proper fix is to arrive at corosync and perhaps
libqb side -- [bug 1536219] and [bug 1539936], respectively, which
will have fixed the original trigger in the particular minor release
fully.
Comment 2 Tomas Jelinek 2018-01-31 08:18:10 UTC 
The root cause is being fixed in bz1536219.

Based on that and Jan's reasoning (a fixed controlling side cannot influence a controlled side to make it run "corosync -v" as root) I am lowering the priority of this bz.
Comment 3 Jan Pokorný [poki] 2018-02-07 10:53:42 UTC 
Apparently, hacluster user is unprivileged only as long as pacemaker
(and perhaps not alone) package is _not_ involved, and actually holds
some possibly sensitive files.

Therefore, it might make sense for pcs to (dynamically if possible)
define it's own unprivileged user that will assuredly have limited
permissions and next to no files under possesion
(relying on predefined "nobody" is wrong on multiple levels).
Comment 6 RHEL Program Management 2021-02-15 07:34:47 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.