Bug 485469 - Normal users cannot run CPG clients if openais is started by cman.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cman
Version: 5.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Christine Caulfield
QA Contact: Cluster QE
Keywords: ZStream
Depends On:
Blocks: 504531
Reported: 2009-02-13 12:23 EST by Alan Conway
Modified: 2016-04-26 10:36 EDT (History)
Fixed In Version: cman-2.0.100-1.el5
Doc Type: Bug Fix
Doc Text:
Cause: cman set the objdb keys "user" and "group" to the value "root" so that only root could access openais services.
Consequence: Any user other than root that tried to run a service that connected to openais would be rejected as a privilege violation.
Fix: The values of "user" and "group" were set to be "ais".
Result: Users that are a member of the "ais" group can now run openais service programs.
Last Closed: 2009-09-02 07:06:25 EDT

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2009:1341
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: cman security, bug fix, and enhancement update
Last Updated: 2009-09-01 06:43:16 EDT

Description Alan Conway 2009-02-13 12:23:25 EST
Description of problem:

Run cman, run a CPG client as a non-root user with gid=ais: cpg_init
returns error 2 - library. Running the CPG client as root works. 

If openais is started without cman, then running CPG client as non-root user
with gid=ais works correctly.

This bug is almost identical to 485462, but cpg_init returns a different error code.
Comment 1 Christine Caulfield 2009-02-18 06:19:40 EST
The fix is trivial, and in Fedora 10. If you really need this in RHEL-5 we'll need some ACKs.
Comment 3 Christine Caulfield 2009-03-27 11:25:03 EDT
Committed for RHEL5.4

commit 49e8d4b32390184b1794b90b11865d8d60ee352d
Author: Christine Caulfield <ccaulfie@redhat.com>
Date:   Fri Mar 27 15:23:30 2009 +0000

    cman: Allow connections from unprivileged user/group "ais"
Comment 6 Christine Caulfield 2009-05-19 03:12:43 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: cman set the objdb keys "user" and "group" to the value "root" so that only root could access openais services.

Consequence: Any user other than root that tried to run a service that connected to openais would be rejected as a privilege violation.

Fix: The values of "user" and "group" were set to be "ais".

Result: Users that are a member of the "ais" group can now run openais service programs.
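
An added sketch, not openais or cman code and not part of the comment above, of why the configured "user"/"group" values decide who may connect. It assumes the daemon authorizes local clients by the peer uid/gid the kernel reports on a Unix socket (the report does not state the mechanism); the policy function and the numeric ids are constructed for illustration.

```python
import socket
import struct

ROOT_ID = 0
AIS_UID = 39   # constructed id standing in for the "ais" user
AIS_GID = 39   # constructed id standing in for the "ais" group

def peer_credentials(sock):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket (Linux)."""
    fmt = "iII"  # struct ucred: pid_t, uid_t, gid_t
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def connection_allowed(uid, gid, cfg_uid, cfg_gid):
    """Hypothetical policy: root passes; others need the configured uid or gid."""
    return uid == ROOT_ID or uid == cfg_uid or gid == cfg_gid

def evaluate(uid, gid):
    """Decision for one client identity under the two configurations in the bug."""
    return {
        "user=root group=root": connection_allowed(uid, gid, ROOT_ID, ROOT_ID),
        "user=ais group=ais": connection_allowed(uid, gid, AIS_UID, AIS_GID),
    }

def demo():
    """Read this process's own credentials through a socketpair and evaluate them."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid, uid, gid = peer_credentials(server)
        return pid, uid, gid, evaluate(uid, gid)
    finally:
        server.close()
        client.close()

if __name__ == "__main__":
    # Constructed client: non-root uid 500 running with gid=ais, as in the report.
    print(evaluate(500, AIS_GID))
    print(demo())
```

SO_PEERCRED reports only the peer's effective uid and gid, so under a check like this one a supplementary-group membership is not visible to the daemon unless the client process actually runs with that gid.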
Comment 8 Chris Ward 2009-07-03 14:24:56 EDT
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.
Comment 10 errata-xmlrpc 2009-09-02 07:06:25 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1341.html
