Description of problem: In RHEL5, non-privileged users can receive incorrect service status information when running "service <service> status". The LSB standards do not explicitly define whether non-root users should be able to get service status, or even whether an "insufficient permissions" error message should be returned to the user for a status inquiry as the standard defines for other commands. We are requesting engineering to make a judgement call whether initscripts should be changed in RHEL5 so that a clear "insufficient permissions" (or similar) message is given to non-privileged users (or, that correct status information is given if anything other than an "insufficient permissins" status response is returned). Support and the customer have been advised that changes like this, especially this far into the release cycle, could be NAK'd by Engineering due to the impact it could have on our existing customer base. LSB specs for initscripts: http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html Version-Release number of selected component (if applicable): initscripts (any RHEL5 version) How reproducible: always Steps to Reproduce: 1. example given will be for autofs service 2. log in to a system running the autofs service as a non-privileged user 3. run "service autofs status" Actual results: [skaven@plump ~]$ service autofs status automount is stopped Expected results: either: 1) correct status information, ie: automount (pid 2534) is running... (as will occur if they 'sudo service autofs status') or 2) an error message indicating the user does not have permission to request the service status. Additional info: This appears to be related to pidof as well, and options used in /etc/rc.d/init.d/functions. The following may be helpfuL ------------- I see what it is -- it's the -c switch: [skaven@bonnie ~]$ pidof -c -o 25031 -o 24858 -o %PPID -x syslog-ng [skaven@bonnie ~]$ pidof -o 25031 -o 24858 -o %PPID -x syslog-ng 28451 28450 -c Only return process ids that are running with the same root directory. This option does not make sense for non-root users, as they will be unable to check the current root directory of processes they do not own. That explains why it's not returning anything. So the problem is in /etc/init.d/functions. In RHEL4, all of the pidof calls in /etc/init.d/functions use the -o and -x switch, but not the -c switch, so it works fine for non-root users. In RHEL5, the __pids_pidof() function in /etc/init.d/functions uses the -c switch in addition to the -o and -x switch. Thus, non-root users cannot be reasonably expected to get accurate status back for processes where they can't access the root directory link of processes they don't own. Is this expected behavior? Is it expected that you be root to run 'service <something> status'? -------------
I think what you're looking for is a backport of the fix for #230829? Assigning to sysvinit.
(Note that there are still occasions where non-root might get incorrect status - unreadable pid files, etc.)
Hi Bill, What we'd ideally like to see is behavior like rsyslog in F14: novarese@gyrados /home/novarese/> service rsyslog status rsyslogd status unknown due to insufficient privileges. The pidof issue is just a contributing factor. The real issue here is the service scripts returning incorrect info. If the script needs privileges to return a correct status then it should output an appropriate message and exit with a non-zero code (IMO). This seems like basic fail-safe philosophy regardless of whether the LSB spec mandates any particular behavior in cases where non-root users query status or not. Thanks, --pvn
That would be backporting de8b2aed329ea2e3c087bc25764fc1779a83fafc and c9486ffd2452e83dc7ffa756b509ead3db698d9f, as well as the SysVinit change. Note that this changes the return code/behavior of a couple of init.d/functions functions in that case. It *shouldn't* break anything, but...
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1040.html