[pgpool-general: 1627] Re: watchdog root requirement
Tatsuo Ishii
ishii at postgresql.org
Wed Apr 17 15:00:28 JST 2013
Looks like it is not only safe but desirable to remove the root check
part in main.c. I will do it for master and supported stable branches.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
> I'm no security expert either, but I do work in finance and the information security teams have approved using sudo to execute escalated privileges without a password.
>
> IMHO the best option is to just run whatever is in the configuration for ifconfig/arping. If it succeeds, great. If it fails, exit with an error. It's better to beg for forgiveness than ask permission as far as I'm concerned :)
>
> Failing that, I would think the next best option is a configuration parameter in pgpool.conf (dontcheckroot=yes or something). Second best would be command line option for the pgpool binary. Compile time option would be fine, but not the best option.
>
> --kyleo
> ----- Original Message -----
> From: "Tatsuo Ishii" <ishii at postgresql.org>
> To: kyleo at 0b10.mx
> Cc: pgpool-general at pgpool.net
> Sent: Thursday, April 11, 2013 10:11:39 AM
> Subject: Re: [pgpool-general: 1590] watchdog root requirement
>
> So your idea is to edit /etc/sudoers to allow arping and ifconfig to be
> executed via sudo without a password? I'm not a security expert but this
> sounds like a good idea to me.
>
>> Hi,
>>
>> I am trying to avoid running pgpool as root but it seems it expects you to use a setuid root executable (which I'm not comfortable with). I've come up with a solution which I think should be acceptable but does not currently work because the code will exit based on what it thinks is required.
>>
>> I feel like this should be decided by the administrator via either a compile-time option and/or a command-line argument and/or a configuration parameter.
>
> Agreed. Which option do you think is best?
>
>> Here's what I've done:
>>
>> ifconfig_path = '/var/lib/postgresql/bin'
>> if_up_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 up'
>> if_down_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 down'
>> arping_path = '/var/lib/postgresql/bin' # arping command path
>> arping_cmd = 'pg_arping $_IP_$ 1'
>>
>> I created two scripts (pg_arping/pg_ifconfig) which execute the required commands via sudo:
>>
>> $ cat pg_arping
>> #!/bin/bash
>> [ $# -ne 2 ] && echo "$0 ip.add.re.ss timeout" >&2 && exit 3
>> ip=$1
>> timeout=$2
>> # quote the arguments so each value reaches sudo as exactly one word
>> /usr/bin/sudo /usr/sbin/arping -U "$ip" -w "$timeout"
>>
>> $ cat pg_ifconfig
>> #!/bin/bash
>> [ $# -ne 4 ] && echo "$0 interface ip.add.re.ss netmask [up|down]" >&2 && exit 3
>> iface=$1
>> ip=$2
>> netmask=$3
>> action=$4
>> /usr/bin/sudo /sbin/ifconfig "$iface" inet "$ip" netmask "$netmask" "$action"
>>
>>
>> FYI to get this working I simply removed the code I didn't like, but I'm not a huge fan of this either:
>>
>> main.c:
>>
>> /* check root
>>     if (geteuid() != 0)
>>     {
>>         pool_error("watchdog must be started under the privileged user ID to up/down virtual network interface.");
>>         pool_shmem_exit(1);
>>         exit(1);
>>     } */
>>
>> --kyleo
>> _______________________________________________
>> pgpool-general mailing list
>> pgpool-general at pgpool.net
>> http://www.pgpool.net/mailman/listinfo/pgpool-general
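The thread above settles on wrapper scripts plus a passwordless sudoers rule, and leaves the shape of both to the reader. Below is an added example, written for this page and not taken from pgpool or from kyleo's scripts, that puts the two halves together: a single wrapper (called pg_netcmd here) that refuses anything other than the pinned interface, delegate IP, netmask and action before it invokes sudo, and, in its header comment, the sudoers entry that matches exactly the command lines the wrapper can produce. The script name, the interface eth0:2, the netmask, the delegate IP 192.168.1.200, the binary paths and the sudoers.d file name are all assumptions for the example; the only facts relied on from the thread are the if_up_cmd/if_down_cmd/arping_cmd hooks and the $_IP_$ placeholder.

```shell
#!/bin/sh
# pg_netcmd: one wrapper for both of pgpool's watchdog hooks.
# Added example, not pgpool's code. Interface, netmask, delegate IP and
# binary paths below are assumptions; adjust them to the real deployment.
#
# Matching sudoers entry (assumed to live in /etc/sudoers.d/pgpool, owned by
# root, mode 0440, edited with visudo -f). The delegate IP is a fixed value in
# pgpool.conf, so every permitted command line is spelled out in full and no
# wildcards are used: in sudoers a '*' inside an argument also matches
# whitespace, so "arping -U * -w *" would accept arbitrary extra arguments.
#
#   postgres ALL=(root) NOPASSWD: \
#       /sbin/ifconfig eth0\:2 inet 192.168.1.200 netmask 255.255.255.0 up, \
#       /sbin/ifconfig eth0\:2 inet 192.168.1.200 netmask 255.255.255.0 down, \
#       /usr/sbin/arping -U 192.168.1.200 -w 1
#
# pgpool.conf then points at this script (assumed install location in PATH):
#   if_up_cmd   = 'pg_netcmd ifconfig eth0:2 $_IP_$ 255.255.255.0 up'
#   if_down_cmd = 'pg_netcmd ifconfig eth0:2 $_IP_$ 255.255.255.0 down'
#   arping_cmd  = 'pg_netcmd arping $_IP_$ 1'

SUDO=/usr/bin/sudo
IFCONFIG=/sbin/ifconfig
ARPING=/usr/sbin/arping
PG_IFACE=${PG_IFACE:-eth0:2}                      # only interface we will touch
PG_NETMASK=${PG_NETMASK:-255.255.255.0}
PG_DELEGATE_IP=${PG_DELEGATE_IP:-192.168.1.200}   # pinned virtual IP
PG_ARPING_MAX_WAIT=${PG_ARPING_MAX_WAIT:-10}      # seconds

usage() {
    echo "$0 ifconfig IFACE IP NETMASK up|down | arping IP TIMEOUT" >&2
    return 3
}

# Dotted-quad IPv4 address: exactly four decimal octets, each in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -ge 0 ] 2>/dev/null && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Small positive integer for the arping wait time.
valid_timeout() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$PG_ARPING_MAX_WAIT" ]
}

# Arguments must equal the pinned values, not merely look well-formed: the
# wrapper exists to narrow what the sudoers rule will ever be asked to match.
# On success the exact command line is printed; the caller decides to exec it.
build_ifconfig_cmd() {
    [ $# -eq 4 ] || return 3
    iface=$1; ip=$2; mask=$3; action=$4
    [ "$iface" = "$PG_IFACE" ] || return 3
    valid_ipv4 "$ip" && [ "$ip" = "$PG_DELEGATE_IP" ] || return 3
    [ "$mask" = "$PG_NETMASK" ] || return 3
    case $action in up|down) ;; *) return 3 ;; esac
    # -n: never prompt. If sudoers is wrong, fail immediately instead of
    # leaving the watchdog hung on a password prompt.
    echo "$SUDO -n $IFCONFIG $iface inet $ip netmask $mask $action"
}

build_arping_cmd() {
    [ $# -eq 2 ] || return 3
    ip=$1; timeout=$2
    valid_ipv4 "$ip" && [ "$ip" = "$PG_DELEGATE_IP" ] || return 3
    valid_timeout "$timeout" || return 3
    echo "$SUDO -n $ARPING -U $ip -w $timeout"
}

# Dispatch when run as a script; with no arguments (or when sourced) only the
# functions are defined. Word-splitting $cmd is safe here: every token was
# compared against a fixed value or a digits-only pattern, so none can carry
# whitespace or shell metacharacters.
case ${1-} in
    ifconfig) shift; cmd=$(build_ifconfig_cmd "$@") || { usage; exit 3; }; exec $cmd ;;
    arping)   shift; cmd=$(build_arping_cmd "$@")   || { usage; exit 3; }; exec $cmd ;;
    '')       : ;;
    *)        usage; exit 3 ;;
esac
```

Install the wrapper root-owned and not writable by the pgpool user, otherwise the account that can edit it can change what the NOPASSWD rule ends up running. Check the sudoers fragment with visudo -c after installing it, and exercise the wrapper once by hand as the pgpool user (pg_netcmd ifconfig eth0:2 192.168.1.200 255.255.255.0 up) so that a sudoers mismatch shows up as an immediate sudo -n error rather than during a failover.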