[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Linux-cluster] [PATCH] Fix ccsd /etc/cluster/cluster.conf file permissions



Hi guys,
 not too long ago i found that ccsd was writing /etc/cluster/cluster.conf with 0666 permissions,
making the file r/w for all users. While it is still difficult for a user to inject the modified
configuration into the cluster, there is still an open window in which that might happen.

The patch in attachment (against RHEL4U1 branch, but it should apply clean allover) changes this
behavior to set proper permissions on the file.

Note that the use of open is required to set the proper permissions at file creation time.
The use of fopen has been changed to fdopen (to use the filedescriptor from open) since
xmlDocDump still requires a FILE *f as first argument.

Another note: i am not claiming this is the best solution/patch. it works here so review and
comments are appreciated.

How to reproduce:

A new node is added to the cluster. the new node does not have a cluster.conf and
as soon as ccsd is started, the configuration is fetched from the other nodes.
The resulting file has 0666 file permissions.

Thanks
Fabio

--
no signature file found.
Index: cluster_mgr.c
===================================================================
RCS file: /cvs/cluster/cluster/ccs/daemon/cluster_mgr.c,v
retrieving revision 1.10.2.5
diff -u -r1.10.2.5 cluster_mgr.c
--- cluster_mgr.c	18 Jan 2005 16:53:06 -0000	1.10.2.5
+++ cluster_mgr.c	9 Jun 2005 06:23:11 -0000
@@ -86,6 +86,7 @@
 static int handle_cluster_message(int fd){
   int error = 0;
   int afd= -1;
+  int cfd= NULL;
   FILE *fp = NULL;
   int unlock=0;
   char *buffer = NULL;
@@ -154,9 +155,15 @@
       goto fail;
     }

-    fp = fopen("/etc/cluster/cluster.conf-update", "w");
+    cfd = open("/etc/cluster/cluster.conf-update", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR|S_IRGRP);
+    if(!cfd){
+      log_sys_err("Unable to open file /etc/cluster/cluster.conf-update");
+      error = -errno;
+      goto fail;
+    }
+    fp = fdopen(cfd, "w");
     if(!fp){
-      log_sys_err("Unable to open /etc/cluster/cluster.conf-update");
+      log_sys_err("Unable to open stream /etc/cluster/cluster.conf-update");
       error = -errno;
       goto fail;
     }
@@ -204,9 +211,15 @@
       goto fail;
     }

-    fp = fopen("/etc/cluster/.cluster.conf", "w");
+    cfd = open("/etc/cluster/cluster.conf-update", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR|S_IRGRP);
+    if(!cfd){
+      log_sys_err("Unable to open file /etc/cluster/cluster.conf-update");
+      error = -errno;
+      goto fail;
+    }
+    fp = fdopen(cfd, "w");
     if(!fp){
-      log_sys_err("Unable to open /etc/cluster/.cluster.conf");
+      log_sys_err("Unable to open stream /etc/cluster/.cluster.conf");
       error = -errno;
       goto fail;
     }
@@ -231,6 +244,9 @@
   if(fp){
     fclose(fp);
   }
+  if(fd){
+    close(fd);
+  }
   if(afd >= 0){
     msg_close(afd);
   }
Index: cnx_mgr.c
===================================================================
RCS file: /cvs/cluster/cluster/ccs/daemon/cnx_mgr.c,v
retrieving revision 1.24.2.6.2.2
diff -u -r1.24.2.6.2.2 cnx_mgr.c
--- cnx_mgr.c	26 May 2005 16:55:37 -0000	1.24.2.6.2.2
+++ cnx_mgr.c	9 Jun 2005 06:23:11 -0000
@@ -154,6 +154,8 @@
   fd_set rset;
   struct timeval tv;
   xmlDocPtr tmp_doc = NULL;
+  int cfd = NULL;
+  FILE *f = NULL;

   ENTER("broadcast_for_doc");

@@ -411,7 +413,6 @@

   if(write_to_disk){
     struct stat stat_buf;
-    FILE *f;
     /* We did not have a copy available or we found a newer one, so write it out */

     /* ATTENTION -- its bad if we fail here, because we have an in-memory version **
@@ -427,21 +428,27 @@
       error = -ENOTDIR;
       goto fail;
     }
-    f = fopen("/etc/cluster/cluster.conf", "w");
+    cfd = open("/etc/cluster/cluster.conf", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR|S_IRGRP);
+    if(!cfd){
+      log_sys_err("Unable to open file /etc/cluster/cluster.conf");
+      error = -errno;
+      goto fail;
+    }
+    f = fdopen(cfd, "w");
     if(!f){
-      log_sys_err("Unable to open /etc/cluster/cluster.conf");
+      log_sys_err("Unable to open stream /etc/cluster/cluster.conf");
       error = -errno;
       goto fail;
     }
     if(xmlDocDump(f, master_doc->od_doc) < 0){
       error = -EIO;
-      fclose(f);
       goto fail;
     }
-    fclose(f);
   }

  fail:
+  if(f) fclose(f);
+  if(cfd) close(cfd);
   if(ch) free(ch);
   if(bdoc) free(bdoc);
   if(tmp_doc) xmlFreeDoc(tmp_doc);

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]