[pgpool-general: 1604] Re: watchdog root requirement

Tatsuo Ishii ishii at postgresql.org
Thu Apr 11 23:11:39 JST 2013


So your idea is to edit /etc/sudoers to allow arping and ifconfig to be
executed via sudo without a password? I'm not a security expert, but this
sounds like a good idea to me.

> Hi,
> 
> I am trying to avoid running pgpool as root but it seems it expects you to use a setuid root executable (which I'm not comfortable with).  I've come up with a solution which I think should be acceptable but does not currently work because the code will exit based on what it thinks is required.
> 
> I feel like this should be decided by the administrator via either compile time option and/or command line argument and or configuration param.

Agreed. Which option do you think is best?

> Here's what I've done:
> 
> ifconfig_path = '/var/lib/postgresql/bin'
> if_up_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 up'
> if_down_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 down'
> arping_path = '/var/lib/postgresql/bin'           # arping command path
> arping_cmd = 'pg_arping $_IP_$ 1'
> 
> created 2 scripts (pg_arping/pg_ifconfig) which execute the commands required via sudo:
> 
> $ cat pg_arping
> #!/bin/bash
> # usage: pg_arping ip.add.re.ss timeout
> [ $# -ne 2 ] && echo "$0 ip.add.re.ss timeout" && exit 3
> ip=$1
> timeout=$2
> # quote the expansions so each value is passed to arping as exactly one argument
> /usr/bin/sudo /usr/sbin/arping -U "$ip" -w "$timeout"
> 
> $ cat pg_ifconfig
> #!/bin/bash
> # usage: pg_ifconfig interface ip.add.re.ss netmask up|down
> [ $# -ne 4 ] && echo "$0 interface ip.add.re.ss netmask [up|down]" && exit 3
> iface=$1
> ip=$2
> netmask=$3
> action=$4
> # quote the expansions so each value is passed to ifconfig as exactly one argument
> /usr/bin/sudo /sbin/ifconfig "$iface" inet "$ip" netmask "$netmask" "$action"
> 
> 
> FYI to get this working I simply removed the code I didn't like, but I'm not a huge fan of this either:
> 
> main.c:
> 
>                         /* check root
>                         if (geteuid() != 0)
>                         {
>                                 pool_error("watchdog must be started under the privileged user ID to up/down virtual network interface.");
>                                 pool_shmem_exit(1);
>                                 exit(1);
>                         } */
> 
> --kyleo
> _______________________________________________
> pgpool-general mailing list
> pgpool-general at pgpool.net
> http://www.pgpool.net/mailman/listinfo/pgpool-general
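A hardened form of the quoted pg_ifconfig wrapper, paired with the kind of /etc/sudoers entry the reply asks about, as an added example that is neither the poster's script nor pgpool's own code. It assumes a `postgres` service user, the interface `eth0:2` from the quoted configuration, and the sudoers line shown in the header comment; the point it adds is that the wrapper, not sudoers pattern matching, decides which arguments may reach the root-owned ifconfig.

```shell
#!/bin/sh
# pg_ifconfig as a least-privilege sudo wrapper (added example; not the poster's
# script and not pgpool code). Assumed sudoers entry (adjust user/paths/interface):
#   postgres ALL=(root) NOPASSWD: /sbin/ifconfig eth0\:2 inet * netmask * up, \
#                                 /sbin/ifconfig eth0\:2 inet * netmask * down
# sudoers wildcards are coarse (one * can span several words), so every argument
# is checked here before anything reaches sudo.
ALLOWED_IFACES="eth0:2"   # interfaces pgpool may bring up or down

# Dotted-quad IPv4 only: digits and dots, exactly four octets, each 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Interface must be in the allow-list, not whatever the caller names.
valid_iface() {
    for _name in $ALLOWED_IFACES; do
        [ "$1" = "$_name" ] && return 0
    done
    return 1
}

# Only the two verbs the watchdog needs; no "promisc", "mtu" and so on.
valid_action() {
    case $1 in
        up|down) return 0 ;;
        *)       return 1 ;;
    esac
}

# Prints the exact ifconfig argument list, or returns 1 if any input is rejected.
build_ifconfig_args() {
    valid_iface "$1" && valid_ipv4 "$2" && valid_ipv4 "$3" && valid_action "$4" || return 1
    printf '%s inet %s netmask %s %s' "$1" "$2" "$3" "$4"
}

# Entry point: usage errors exit 3 like the quoted wrapper.
pg_ifconfig_main() {
    [ $# -eq 4 ] || { echo "usage: $0 interface ip.add.re.ss netmask up|down" >&2; return 3; }
    _args=$(build_ifconfig_args "$@") || { echo "rejected arguments: $*" >&2; return 3; }
    /usr/bin/sudo /sbin/ifconfig $_args   # word-splitting intended: already validated
}
```

Install it as the `pg_ifconfig` named in `ifconfig_path`, with a final line `pg_ifconfig_main "$@"`, and keep the script root-owned and not writable by the pgpool user so the allow-list cannot be edited by the account it protects.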

