Jan Pokorný

Results 120 comments of Jan Pokorný

On 23/11/17 09:01 +0000, Kristoffer Grönlund wrote:
> The main benefit as I see it would be enabling the sysadmin to add
> their own agents on top of a...

Thinking about that, `/etc/ocf` should indeed be subdir-namespaced per resource-manager, possibly reserving a chosen name (`ANY`?) to apply for all.

On 27/11/17 11:23 +0000, Kristoffer Grönlund wrote:
>> The other practical value is that administrator would (one wants to
>> say, finally) gain power to defuse OCF-based resources
>
>...

On 18/02/19 17:04 +0000, Ken Gaillot wrote:
>On 18/02/19 15:27 +0100, Jan Pokorný wrote:
>> On 15/02/19 09:30 -0800, Ken Gaillot wrote:
>>> CAP_SETGID is required to use initgroups(). Given...

On 27/11/17 18:18 +0000, Kristoffer Grönlund wrote:
> Yeah, I think I follow what you're saying. Of course the `apache`
> agent might not be the best example to allow...

Btw. thanks for `pscap` tip, but it doesn't look that SELinux and the respective logic (like pretend as if `dac_override` doesn't exist unless permitted with SELinux explicitly for a root-level...

On 27/11/17 18:52 +0000, Ken Gaillot wrote:
>> There's a bunch of executable glue scripts already (including
>> /etc/rc.d/init.d ones for non-systemd systems), which is exactly
>> what resource agents...

On 28/11/17 00:17 +0000, Ken Gaillot wrote:
>> Also, this is a security risk, not a mitigation. Being able to write
>> a script into /etc that is automatically run...

> Perhaps you mean custom daemons that don't have any SELinux
> labelling? But that's no different than running such a daemon
> without a cluster on a SELinux-enabled host....

> Except that some IPC sockets do not have any group permissions.

Looks like that's a consequence of a shoddy usage of `umask` in pacemaker where opening files with particular...