Bug 1537019
Summary: | Make pcs run "corosync -v" probe under unprivileged user (hacluster?) to avoid DDoS'ing unpatched corosync+libqb combo | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pokorný [poki] <jpokorny> |
Component: | pcs | Assignee: | Tomas Jelinek <tojeline> |
Status: | CLOSED WONTFIX | QA Contact: | cluster-qe <cluster-qe> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.5 | CC: | cfeist, cluster-maint, idevat, omular, tojeline |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-02-15 07:34:47 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1539939 | ||
Bug Blocks: |
Description
Jan Pokorný [poki]
2018-01-22 09:40:03 UTC
Note that this bug should be treated as urgent only as long as the pcs-based management is arranged such that fix on the controlling side (assumed to contain a fix for this) can influence the controlled side (not necessarily containing the fix) so that it won't run "corosync -v" as root. Otherwise, this is just a low-prio specific item of [bug 1539939], as the proper fix is to arrive at corosync and perhaps libqb side -- [bug 1536219] and [bug 1539936], respectively, which will have fixed the original trigger in the particular minor release fully. The root cause is being fixed in bz1536219. Based on that and Jan's reasoning (a fixed controlling side cannot influence a controlled side to make it run "corosync -v" as root) I am lowering the priority of this bz. Apparently, hacluster user is unprivileged only as long as pacemaker (and perhaps not alone) package is _not_ involved, and actually holds some possibly sensitive files. Therefore, it might make sense for pcs to (dynamically if possible) define it's own unprivileged user that will assuredly have limited permissions and next to no files under possesion (relying on predefined "nobody" is wrong on multiple levels). After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. |