-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default socketdir (/var/run
) is restricted area
#294
Comments
What? You can create |
@jirib, I don't get your point. This issue is about libqb in general. How can you write under |
You can configure libqb with --socketdir though that's obviously not a good general solution. I think this is partly down to libqb being spun-off from corosync where the daemons it was connected to were all run as root. Also there is quite a lot of other code in the IPC that still requires root anyway (eg authentication) - of course it could be bypassed in the event of a non-root server socket but it's all work that needs to be done to make it work properly. And, TBH, we've never had the need so far :) |
Yes, that's what I currently do. Why isn't that a good general solution? I opened this issue because it wasn't obvious to me. If configuring with
Understandable. But now it begs the question whether running corosync as root is really necessary. It could inherit elevated scheduling priority and does not run plugins anymore.
Could you please provide a more concrete hint? Which IPC operations require privileges?
Now that |
Standards mainly (which is a fairly feeble excuse I'll grant) - keeping things tidy means utilities like things in familiar places - certainly for system programs. One of the problems with an API to change the location of the socket is that there is the problem of clients not knowing where servers have put sockets. If a server calls an API to put a socket in /tmp rather than /var/run how does the client know to look in /tmp? If they're from the same package then that's easy to manage but it's not always the case.
You've seen the code in knet - I'm not about to de-root that any time soon :) Yes, I know you've de-rooted the tests but that's not feasible for a performance-sensitive thing like corosync. And now we can add/remove links at will in corosync we need to be able to configure those sockets on the fly.
Yeah, sorry about that - I didn't fancy writing yet another hash table (which is literally all it uses from libqb) :/ |
Some daemons (e.g. postfix) use /var/spool, so /var/spool/qb (or libqb) could be created at package install time. I would make that directory root-only, for well-known daemons to use, and create a subdirectory (./public?) that would have /tmp permissions, for non-daemon programs. For backward compatibility, maybe libqb could create a symlink from /var/run when the caller is root. The only downside I see is leaving more files behind in an unclean exit; /var/run will at least be cleaned at boot, but /var/spool/qb wouldn't. |
Aren't we comparing apples to oranges here? Since libqb was split out of corosync, it isn't an application anymore (like postfix). It became a library , and as such it shouldn't have (much less force its) policy on applications using it. This doesn't look easy the least, with all those privileges having been taken granted in the past, but might be something to aim for. |
I agree totally, and sometimes it's hard for us (well, me perhaps as I mainly work on knet & corosync) to get out of the 'libqb supports the cluster; mindset. Sometimes we need help with this :) |
Hi,
The default directory for file system sockets (
/var/run
) is generally writable by root only, making file system sockets usable by privileged applications only. On the other hand abstract sockets (used by default on Linux) have no access control whatsoever. Looks like the default socket file directory should be changed to a world-writable one like/tmp
to achieve similar behavior on Linux and BSDs for example. This have already come up a couple of times: #248 (comment), #222 (comment).Is there a good reason to stay with the restricted default? Or not to introduce some means of changing the socket directory from the application (for example a new API call)?
Thanks,
Feri.
The text was updated successfully, but these errors were encountered: