[Pacemaker] worl-writeable files in /var/lib/heartbeat/crm

Andrew Beekhof andrew at beekhof.net
Wed Feb 20 23:29:11 UTC 2013 

On Wed, Feb 20, 2013 at 10:17 PM, Mario Penners <mario.penners at gmail.com> wrote:
> Hello,
>
> during a security audit, our customer was wondering about the files in
> directory /var/lib/heartbeat/crm, for example:
>
> -rw-rw-rw- 1 hacluster root   32 Feb 13 18:59 cib-40.raw.sig
> -rw------- 1 hacluster root 6716 Feb 13 18:59 cib-41.raw
> -rw-rw-rw- 1 hacluster root   32 Feb 13 18:59 cib-41.raw.sig
> -rw------- 1 hacluster root 6716 Feb 13 18:59 cib-42.raw
>
>
> The files contain an XML section of the configs as applied by "crm
> configure" (.raw) commands and some hash/checksum (.raw.sig). We are
> running pacemaker with user permissions like this:
> root      5610     1  0 Feb13 ? 00:11:40 corosync
> 498       5616  5610  0 Feb13 ? 00:01:54 /usr/libexec/pacemaker/cib
> root      5617  5610  0 Feb13 ? 00:01:02 /usr/libexec/pacemaker/stonithd
> root      5618  5610  0 Feb13 ? 00:01:33 /usr/lib64/heartbeat/lrmd
> 498       5619  5610  0 Feb13 ? 00:00:44 /usr/libexec/pacemaker/attrd
> 498       5620  5610  0 Feb13 ? 00:00:25 /usr/libexec/pacemaker/pengine
> 498       5621  5610  0 Feb13 ? 00:01:07 /usr/libexec/pacemaker/crmd
> (mind:
> hacluster:x:498:499:heartbeatuser:/var/lib/heartbeat/cores/hacluster:/sbin/nologin
> )
>
>
> Our customer is asking, if we can remove the world-writeable bit for the
> files in /var/lib/heartbeat/crm,

Yes. They shouldn't be set in the first place. I'll investigate.

> and if/how they are used (i.e. what is
> the long term result if we simply remove them)

Not much. Normally they will never be needed.  They're archive copies
of previous configurations.
The pacemaker will only read them if the primary copy is
lost/corrupted, but admins could also reload them manually to undo a
change.

>
> Can anyone easily answer this?
>
> Thanks & Cheers!
> Mario
>
> pacemaker-cli-1.1.7-6.el6.x86_64
> pacemaker-1.1.7-6.el6.x86_64
> pacemaker-libs-1.1.7-6.el6.x86_64
> pacemaker-cluster-libs-1.1.7-6.el6.x86_64
> corosynclib-1.4.1-7.el6.x86_64
> corosync-1.4.1-7.el6.x86_64
>
>
>
> _______________________________________________
> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org

More information about the Pacemaker mailing list