RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1352047 - [cli] possibly dangerous treatment of environment variables when running a subprocess
Summary: [cli] possibly dangerous treatment of environment variables when running a su...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcs
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Tomas Jelinek
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-01 13:39 UTC by Jan Pokorný [poki]
Modified: 2020-12-15 07:42 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-15 07:42:44 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1318656 0 unspecified CLOSED document supported ENV variables in man pages 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1347335 0 medium CLOSED built-in documentation fixes 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1352039 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 1318656 1347335 1352039

Description Jan Pokorný [poki] 2016-07-01 13:39:26 UTC 
pcs should be careful about the variables from the environment
(at the moment of running pcs command) as they may influence
the spawned subprocesses (pacemaker CLI utilities call-outs
in most of the cases) substantially.

Idea:
- by default, do not propagate CIB_* and PCMK_* variables and
  warn about their presence
- establish an expert-mode switch that may propagate all variables
  without a change and even overwrite those established by pcs
  internally (it's an expert mode, after all)

Example:
- PCMK_schema_directory - tells where the pacemaker will search
  for the schemas to approve the validation; it would be really
  bad if the validation process would be subverted artificially
  only to hit the running cluster badly later on


from pcs.utils:run:
> 817 def run(                                                               
> 818     args, ignore_stderr=False, string_for_stdin=None, env_extend=None, 
> 819     binary_output=False                                                
> 820 ):                                                                     
> 821     if not env_extend:                                                 
> 822         env_extend = dict()                                            
> 823     env_var = env_extend                                               
> 824     env_var.update(dict(os.environ))                                   
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Comment 2 Tomas Jelinek 2016-10-26 13:14:10 UTC 
We also need to document how pcs handles these environment variables in pcs man page.
Comment 3 Tomas Jelinek 2016-10-27 11:49:09 UTC 
We definitely want to propagate CIB_user as we use it to relay login of user who requested an action from web UI down to pacemaker.
We do not want to propagate CIB_file, because this is handled by pcs based on -f option.

Can you provide a list of other environment variables which pcs should and should not pass to pacemaker? I tried running cibadmin and crm_mon with various PCMK_* debugging options with no effect. Does it mean these only apply at pacemaker daemons startup and therefore pcs does not need to care about them?

Thanks
Comment 4 Jan Pokorný [poki] 2016-10-27 16:46:39 UTC 
Admittedly, most PCMK_* variables mentioned in /etc/sysconfig/pacemaker
are only applicable to the actual daemons.

I'll compile the list of which variables are relevant in the context
of CLI utilities (keeping needinfo).
Comment 7 Tomas Jelinek 2017-05-29 11:34:05 UTC 
(In reply to Jan Pokorný from comment #4)
> Admittedly, most PCMK_* variables mentioned in /etc/sysconfig/pacemaker
> are only applicable to the actual daemons.
> 
> I'll compile the list of which variables are relevant in the context
> of CLI utilities (keeping needinfo).

Jan, do you have any updates on this? Thanks.
Comment 9 Tomas Jelinek 2018-06-27 15:11:28 UTC 
(In reply to Jan Pokorný from comment #4)
> Admittedly, most PCMK_* variables mentioned in /etc/sysconfig/pacemaker
> are only applicable to the actual daemons.
> 
> I'll compile the list of which variables are relevant in the context
> of CLI utilities (keeping needinfo).

Jan, do you have any updates on this? Thanks.
Comment 10 Tomas Jelinek 2018-11-13 13:13:03 UTC 
(In reply to Jan Pokorný from comment #4)
> Admittedly, most PCMK_* variables mentioned in /etc/sysconfig/pacemaker
> are only applicable to the actual daemons.
> 
> I'll compile the list of which variables are relevant in the context
> of CLI utilities (keeping needinfo).

Jan, do you have any updates on this? Thanks.
Comment 11 Tomas Jelinek 2020-09-16 12:22:25 UTC 
(In reply to Tomas Jelinek from comment #3)
> We definitely want to propagate CIB_user as we use it to relay login of user
> who requested an action from web UI down to pacemaker.
> We do not want to propagate CIB_file, because this is handled by pcs based
> on -f option.
> 
> Can you provide a list of other environment variables which pcs should and
> should not pass to pacemaker? I tried running cibadmin and crm_mon with
> various PCMK_* debugging options with no effect. Does it mean these only
> apply at pacemaker daemons startup and therefore pcs does not need to care
> about them?
> 
> Thanks

(In reply to Jan Pokorný from comment #4)
> Admittedly, most PCMK_* variables mentioned in /etc/sysconfig/pacemaker
> are only applicable to the actual daemons.
> 
> I'll compile the list of which variables are relevant in the context
> of CLI utilities (keeping needinfo).


Jan is no longer available. Ken, can you provide a list of those variables?
Comment 12 Ken Gaillot 2020-09-16 14:24:33 UTC 
I'm not sure what the goal is here -- how did the variables get into the environment to begin with? If the user (or script) sourced /etc/sysconfig/pacemaker, then they are the same values the daemons will use, so there should be no harm done. If the user explicitly changed some value, do we want to deny that? Or maybe print a warning and require --force?

New Pacemaker versions sometime adds new variables, so keeping this list up to date might be a challenge.

If we do want to filter the user's environment, it's worth considering whether we want a deny list (strip such-and-such from the environment) or an allow list (strip all PCMK_*, CIB_*, and SBD_* except such-and-such). I wouldn't strip any OCF_* variables in case pcs is run from a resource agent. (Pacemaker accepts HA_* instead of PCMK_* for a few options for backward compatibility with heartbeat, but that will eventually go away, and none of them matter for this purpose anyway.)

PCMK_schema_directory (which has the RNG files used to validate the CIB schema) is the only option from /etc/sysconfig/pacemaker that should matter. If someone sets this, I'm guessing they installed from source in a nonstandard location, and they need to set it to whatever the daemons are using. Or they're experimenting with changing the schema for some reason.

The CIB_* variables CIB_user, CIB_password, CIB_server, CIB_port, and CIB_encrypted allow a user to modify the CIB from a non-cluster machine, as documented in "Pacemaker Administration":

https://clusterlabs.org/pacemaker/doc/en-US/Pacemaker/2.0/html-single/Pacemaker_Administration/#s-remote-connection

If you don't want to allow pcs to run on non-cluster machines, it would make sense to filter those (if not set by pcs). Similarly if you only want pcs -f to modify CIB_file, you could otherwise filter that.

The crm_shadow command sets the CIB_shadow variable behind the scenes:

https://clusterlabs.org/pacemaker/doc/en-US/Pacemaker/2.0/html-single/Pacemaker_Administration/#s-crm_shadow

If it's set, then someone is likely in the middle of a crm_shadow session. That makes other command-line tools modify a temporary copy of the CIB. You could either allow that, or require --force (especially if a pcs command involves anything other than querying or modifying the CIB).
Comment 13 Tomas Jelinek 2020-09-22 14:22:40 UTC 
This is the current situation in pcs:

Legacy function to run external processes passes the whole environment to them. The only exceptions are: If -f is used, pcs sets CIB_file to the value of -f option. Pcs always sets LC_ALL = "C" so that we don't have to implement parsers for various locales and deal with ASCII vs UTF issues.
New architecture uses different approach: External processes are run with an empty environment. Only LC_ALL, CIB_user and CIB_file is set - details in comment 3.
Pcsd, being a daemon, has its own environment, so it cannot pass anything from shell environment in the way legacy pcs function does. Because of that, this bz and our long term plan to make CLI fully client-server as well we went with an empty environment approach in the new architecture.


The original intention of this bz was to filter environment in the legacy function. Jan was to provide more details and an overview of the variables so that we could work on that, but he never did.
Comment 15 RHEL Program Management 2020-12-15 07:42:44 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Note You need to log in before you can comment on or make changes to this bug.