[Cluster-devel] [PATCH 6/6] rgmanager: ra2rng.xsl: script-file: try to prevent cluster's services

Jan Pokorný jpokorny at redhat.com
Tue Dec 3 18:26:18 UTC 2013


Note that, AFAIK, "file" parameter to "script" can be arbitrary string
with a logical limitation to be something (builtins, aliases, etc. not
excluded) that will run when pasted verbatim to the bash prompt (with
no quotes added) followed by the desired action and when fired it will
eventually proceed something.  Hence any leading/trailing whitespace
really does not matter.  The restriction being added establishes this
automatically by using "token" datatype, but unfortunately libxml2
currently contains a bug leading to not dropping such whitespace
correctly before applying additional facet checking (here: pattern) [1].
Until libxml2 is fixed, the restriction will miss cases where "file"
starts/ends with ballast whitespace.

Also note that this restriction can be easily bypassed by, e.g., using
":; /etc/init.d/cman", but its purpose is to prevent random
mis-writing of "cman" instead of the desired service.

[1] https://mail.gnome.org/archives/xml/2013-November/msg00024.html

Signed-off-by: Jan Pokorný <jpokorny at redhat.com>
---
 rgmanager/src/resources/ra2rng.xsl | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/rgmanager/src/resources/ra2rng.xsl b/rgmanager/src/resources/ra2rng.xsl
index b4944e7..e64ac06 100644
--- a/rgmanager/src/resources/ra2rng.xsl
+++ b/rgmanager/src/resources/ra2rng.xsl
@@ -71,6 +71,19 @@
 
 <int:agent-parameter-specialization>
     <!-- int:agent @name="..." > int:parameter @name="..." > PATTERN -->
+    <!-- SCRIPT -->
+    <int:agent name="script">
+        <int:parameter name="file">
+            <data type="token">
+                <except>
+                    <data type="token">
+                        <!-- disallow cluster to control its own core services through a "script" RA -->
+                        <param name="pattern">/etc/(rc\.d/)?init\.d/(cman|modclusterd|rgmanager|ricci)(\s.*|)</param>
+                    </data>
+                </except>
+            </data>
+        </int:parameter>
+    </int:agent>
 </int:agent-parameter-specialization>
 
 <xsl:variable name="SP" select="' '"/>
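Review bot: the `<param name="pattern">` line matches only the literal `/etc/(rc.d/)?init.d/<service>` spelling, and the commit message itself says the check is a guard against mistyping `cman` rather than a security boundary, yet nothing in the hunk records that intent; suggest stating it in the XML comment on the preceding line, e.g. `<!-- typo guard, not a security boundary: disallow the cluster from controlling its own core services through a "script" RA -->`, and noting there the libxml2 token-whitespace caveat from [1] (leading/trailing whitespace in "file" is not caught until libxml2 applies the token collapse before the pattern facet), so a later reader does not rely on this pattern as enforcement. The existing comment's wording "disallow cluster to control" also reads better as "disallow the cluster from controlling".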
-- 
1.8.1.4
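As an added illustration (not part of the patch or of rgmanager), the following Python emulates what the RELAX NG restriction in the hunk does: xsd:token whitespace collapse followed by the pattern facet, with a switch that reproduces the libxml2 ordering bug the commit message points at. It assumes Python's `re` agrees with the XSD regex dialect for this particular pattern, which holds once whitespace has been collapsed; the sample "file" values are constructed.

```python
import re

# Pattern copied verbatim from the patch's <param name="pattern">.  RELAX NG /
# XSD regexes are implicitly anchored at both ends, which re.fullmatch mirrors.
FORBIDDEN_PATTERN = r"/etc/(rc\.d/)?init\.d/(cman|modclusterd|rgmanager|ricci)(\s.*|)"
FORBIDDEN_RE = re.compile(FORBIDDEN_PATTERN)

# xsd:token whitespace is space, tab, LF, CR (narrower than Python's \s).
_XML_WS = re.compile(r"[ \t\n\r]+")


def normalize_token(value: str) -> str:
    """Apply xsd:token whitespace handling ("collapse"): runs of XML
    whitespace become one space, leading/trailing whitespace is dropped."""
    return _XML_WS.sub(" ", value).strip(" \t\n\r")


def is_file_allowed(value: str, collapse_first: bool = True) -> bool:
    """Return True if a script RA "file" value passes the new restriction.

    collapse_first=True models a conforming validator (token collapse, then
    the pattern facet).  collapse_first=False models the libxml2 behaviour
    the commit message describes: the pattern is checked on the raw string,
    so values padded with whitespace slip past the restriction.
    """
    candidate = normalize_token(value) if collapse_first else value
    return FORBIDDEN_RE.fullmatch(candidate) is None


def whitespace_gap(value: str) -> bool:
    """True when the libxml2 ordering bug changes the verdict for a value."""
    return is_file_allowed(value, collapse_first=False) != is_file_allowed(value)


if __name__ == "__main__":
    # Constructed sample "file" values, not taken from any real cluster.conf.
    samples = [
        "/etc/init.d/httpd",              # ordinary service: allowed
        "/etc/init.d/cman",               # core service: rejected
        "/etc/rc.d/init.d/rgmanager",     # rc.d spelling: rejected
        "/etc/init.d/ricci --verbose",    # trailing args: rejected
        "  /etc/init.d/modclusterd\t",    # padded: rejected only after collapse
    ]
    for s in samples:
        print(f"{s!r:36} conforming={is_file_allowed(s)!s:5} "
              f"libxml2={is_file_allowed(s, collapse_first=False)!s:5} "
              f"gap={whitespace_gap(s)}")
```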