[Pacemaker] world-writeable files in /var/lib/heartbeat/crm
Mario Penners
mario.penners at gmail.com
Wed Feb 20 11:17:34 UTC 2013
Hello,
during a security audit, our customer was wondering about the files in
directory /var/lib/heartbeat/crm, for example:
-rw-rw-rw- 1 hacluster root 32 Feb 13 18:59 cib-40.raw.sig
-rw------- 1 hacluster root 6716 Feb 13 18:59 cib-41.raw
-rw-rw-rw- 1 hacluster root 32 Feb 13 18:59 cib-41.raw.sig
-rw------- 1 hacluster root 6716 Feb 13 18:59 cib-42.raw
The files contain an XML section of the configs as applied by "crm
configure" (.raw) commands and some hash/checksum (.raw.sig). We are
running pacemaker with user permissions like this:
root 5610 1 0 Feb13 ? 00:11:40 corosync
498 5616 5610 0 Feb13 ? 00:01:54 /usr/libexec/pacemaker/cib
root 5617 5610 0 Feb13 ? 00:01:02 /usr/libexec/pacemaker/stonithd
root 5618 5610 0 Feb13 ? 00:01:33 /usr/lib64/heartbeat/lrmd
498 5619 5610 0 Feb13 ? 00:00:44 /usr/libexec/pacemaker/attrd
498 5620 5610 0 Feb13 ? 00:00:25 /usr/libexec/pacemaker/pengine
498 5621 5610 0 Feb13 ? 00:01:07 /usr/libexec/pacemaker/crmd
(mind:
hacluster:x:498:499:heartbeatuser:/var/lib/heartbeat/cores/hacluster:/sbin/nologin
)
Our customer is asking if we can remove the world-writeable bit for the
files in /var/lib/heartbeat/crm, and if/how they are used (i.e. what is
the long-term result if we simply remove them).
Can anyone easily answer this?
Thanks & Cheers!
Mario
pacemaker-cli-1.1.7-6.el6.x86_64
pacemaker-1.1.7-6.el6.x86_64
pacemaker-libs-1.1.7-6.el6.x86_64
pacemaker-cluster-libs-1.1.7-6.el6.x86_64
corosynclib-1.4.1-7.el6.x86_64
corosync-1.4.1-7.el6.x86_64
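The audit finding above is a permission-bit question: which regular files in the CIB directory carry the "other write" bit, and what changes if only that bit is dropped. The following shell script is an added example, not code from the original post or from the Pacemaker project. It lists world-writable regular files in a directory, counts them, and strips only the o+w bit (owner and group permissions are left as they are). The sample directory it builds with `make_sample_dir` is constructed to mirror the listing in the post; the real directory in question is /var/lib/heartbeat/crm, and the function and file names here are assumptions for illustration. The script does not make any claim about how Pacemaker uses the .raw.sig files.

```shell
#!/bin/sh
# Added example (not from the original post or from Pacemaker):
# audit a directory for world-writable regular files and strip the
# "other write" bit. Function names and the sample files are assumptions.

# Print the base names of regular files directly under $1 whose mode
# includes the other-write bit (octal 002). Output is sorted, one per line.
list_world_writable() {
    find "$1" -maxdepth 1 -type f -perm -002 | sed 's#.*/##' | sort
}

# Number of world-writable regular files directly under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the other-write bit from world-writable regular files in $1.
# Owner and group bits are untouched, so a 0666 file becomes 0664.
strip_world_writable() {
    find "$1" -maxdepth 1 -type f -perm -002 -exec chmod o-w {} +
}

# Build a constructed sample directory that mirrors the listing in the
# post: .raw files at 0600, .raw.sig files at 0666. Prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'sig' > "$d/cib-40.raw.sig";  chmod 666 "$d/cib-40.raw.sig"
    printf '<cib/>' > "$d/cib-41.raw";   chmod 600 "$d/cib-41.raw"
    printf 'sig' > "$d/cib-41.raw.sig";  chmod 666 "$d/cib-41.raw.sig"
    printf '<cib/>' > "$d/cib-42.raw";   chmod 600 "$d/cib-42.raw"
    echo "$d"
}

# When invoked with a directory argument, report what an auditor would
# see there (e.g. `sh audit_ww.sh /var/lib/heartbeat/crm`).
if [ $# -gt 0 ]; then
    echo "world-writable regular files in $1:"
    list_world_writable "$1"
fi
```

Run it against the real directory first without `strip_world_writable` to confirm the list matches what the audit flagged; the strip step changes nothing but the o+w bit, so the hacluster owner and the root group keep whatever access they had before.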