[pgpool-general: 1611] Re: watchdog root requirement

Yuri Bayteryakov yuriymagnum at gmail.com
Fri Apr 12 14:34:14 JST 2013


Hi,

I used the following method:

pgpool.conf:
...
ping_path = '/bin'
ifconfig_path = '/usr/bin'
if_up_cmd = 'sudo ifconfig eth0:0 inet $_IP_$ netmask 255.255.255.0'
if_down_cmd = 'sudo ifconfig eth0:0 down'
arping_path = '/usr/bin'
arping_cmd = 'sudo arping -U $_IP_$ -w 1'
....

and a string in /etc/sudoers. I just don't like this decision, but it works.
It's better than running the daemon as root.

Thanks, Yuriy


2013/4/11 Tatsuo Ishii <ishii at postgresql.org>

> So your idea is to edit /etc/sudoers to allow executing arping and
> ifconfig via sudo without a password? I'm not a security expert, but this
> sounds like a good idea to me.
>
> > Hi,
> >
> > I am trying to avoid running pgpool as root but it seems it expects you
> > to use a setuid root executable (which I'm not comfortable with). I've
> > come up with a solution which I think should be acceptable but does not
> > currently work because the code will exit based on what it thinks is
> > required.
> >
> > I feel like this should be decided by the administrator via either a
> > compile-time option and/or a command-line argument and/or a configuration parameter.
>
> Agreed. Which option do you think is the best?
>
> > Here's what I've done:
> >
> > ifconfig_path = '/var/lib/postgresql/bin'
> > if_up_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 up'
> > if_down_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 down'
> > arping_path = '/var/lib/postgresql/bin'           # arping command path
> > arping_cmd = 'pg_arping $_IP_$ 1'
> >
> > created 2 scripts (pg_arping/pg_ifconfig) which execute the commands
> > required via sudo:
> >
> > $ cat pg_arping
> > #!/bin/bash
> > [ $# -ne 2 ] && echo "$0 ip.add.re.ss timeout" >&2 && exit 3
> > ip=$1
> > timeout=$2
> > # quote the arguments so each reaches arping as a single word
> > /usr/bin/sudo /usr/sbin/arping -U "$ip" -w "$timeout"
> >
> > $ cat pg_ifconfig
> > #!/bin/bash
> > [ $# -ne 4 ] && echo "$0 interface ip.add.re.ss netmask [up|down]" >&2 && exit 3
> > iface=$1
> > ip=$2
> > netmask=$3
> > action=$4
> > # quote the arguments so each reaches ifconfig as a single word
> > /usr/bin/sudo /sbin/ifconfig "$iface" inet "$ip" netmask "$netmask" "$action"
> >
> >
> > FYI to get this working I simply removed the code I didn't like, but I'm
> > not a huge fan of this either:
> >
> > main.c:
> >
> >                         /* check root
> >                         if (geteuid() != 0)
> >                         {
> >                                 pool_error("watchdog must be started under the privileged user ID to up/down virtual network interface.");
> >                                 pool_shmem_exit(1);
> >                                 exit(1);
> >                         } */
> >
> > --kyleo
> > _______________________________________________
> > pgpool-general mailing list
> > pgpool-general at pgpool.net
> > http://www.pgpool.net/mailman/listinfo/pgpool-general
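A hardened form of the wrapper approach discussed in this thread, added here as an example; it is not code from the thread, from kyleo, or from the pgpool project. The script name pg_vip, the binary paths, the pgpool.conf lines in the header and the argument layout are all assumptions. What it adds over the scripts above is input validation: every argument is checked before the privileged command is built, so whatever pgpool (or anything else running as the pgpool user) passes in cannot smuggle extra options or words to ifconfig or arping. The command is built by a function that only prints it, so the checks can be exercised without sudo.

```shell
#!/bin/sh
# Added example, not code from the thread or from pgpool: a hardened wrapper in
# the spirit of kyleo's pg_ifconfig/pg_arping. Every argument is validated
# before the privileged command is built, so a NOPASSWD sudo grant cannot be
# turned into "run ifconfig or arping with arbitrary arguments".
# Assumptions (not from the thread): sudo is /usr/bin/sudo, ifconfig is
# /sbin/ifconfig, arping is /usr/sbin/arping, and the script is installed
# root-owned as /var/lib/postgresql/bin/pg_vip. Assumed pgpool.conf lines:
#   if_up_cmd   = 'pg_vip ifup eth0:0 $_IP_$ 255.255.255.0'
#   if_down_cmd = 'pg_vip ifdown eth0:0 $_IP_$ 255.255.255.0'
#   arping_cmd  = 'pg_vip arping $_IP_$ 1'

SUDO=/usr/bin/sudo
IFCONFIG=/sbin/ifconfig
ARPING=/usr/sbin/arping

# valid_ipv4 ADDR: accept only a dotted quad of four decimal octets 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest="${1}." n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        n=$((n + 1))
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# valid_iface NAME: a plain interface or alias name such as eth0 or eth0:0,
# at most 15 characters and containing no shell metacharacters.
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9:._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# valid_timeout N: a small positive integer of seconds for "arping -w".
valid_timeout() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -ge 1 ]
}

# build_cmd ACTION ARGS...: print the privileged command for a validated
# request, or print nothing and return 1. Kept separate from execution so the
# checks can be tested without sudo.
build_cmd() {
    action=$1; shift
    case $action in
        ifup|ifdown)
            [ $# -eq 3 ] || return 1
            valid_iface "$1" && valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
            if [ "$action" = ifup ]; then verb=up; else verb=down; fi
            printf '%s %s inet %s netmask %s %s\n' "$IFCONFIG" "$1" "$2" "$3" "$verb"
            ;;
        arping)
            [ $# -eq 2 ] || return 1
            valid_ipv4 "$1" && valid_timeout "$2" || return 1
            printf '%s -U %s -w %s\n' "$ARPING" "$1" "$2"
            ;;
        *) return 1 ;;
    esac
}

# Wrapper entry point; does nothing when run without arguments, so the
# validation functions above can be exercised on their own.
if [ $# -gt 0 ]; then
    cmd=$(build_cmd "$@") || {
        echo "usage: $0 ifup|ifdown IFACE IP NETMASK | arping IP TIMEOUT" >&2
        exit 3
    }
    # $cmd is word-split on purpose: every field passed validation above.
    if [ "$(id -u)" -eq 0 ]; then
        exec $cmd          # invoked as "sudo pg_vip ...": already root
    else
        exec $SUDO $cmd    # invoked directly, as in the thread: escalate via sudoers
    fi
fi
```

One design point worth stating for the sudoers side: with the layout used in the thread, where the sudoers line grants /sbin/ifconfig and /usr/sbin/arping to the pgpool user, anything able to run commands as that user can still call sudo ifconfig directly with any arguments, and the wrapper's checks do not apply. The narrower grant is to make the root-owned, non-writable wrapper itself the only command in the sudoers line (for example, assumed syntax: `postgres ALL=(root) NOPASSWD: /var/lib/postgresql/bin/pg_vip`) and have pgpool call `sudo pg_vip ...`; the root branch at the end of the script exists for that layout.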

