RHEL-66179

ACLs: User with read-only permissions can perform write operations

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • rhel-10.0
    • pacemaker
    • rhel-sst-high-availability
    • Dev ack
    • Release Note Not Required
    • This issue was not in a released build
    • Proposed

      What were you trying to do that didn't work?

      Set read-only permissions for a local user by using ACLs, then try to perform a write action, such as creating a resource, as that local user.

      Please provide the package NVR for which the bug is seen:

      pacemaker-3.0.0-1.el10.1.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce


      [root@virt-024 ~]# adduser rouser
      [root@virt-024 ~]# usermod -a -G haclient rouser
      [root@virt-024 ~]# pcs acl enable
      [root@virt-024 ~]# pcs acl role create read-only description="Read access to cluster" read xpath /cib
      [root@virt-024 ~]# pcs acl user create rouser read-only
      [root@virt-024 ~]# pcs acl
      ACLs are enabled
      User: rouser
        Roles: read-only
      Role: read-only
        Description: Read access to cluster
        Permission: read xpath /cib (read-only-read)
      [root@virt-024 ~]# passwd rouser
      New password: 
      BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
      Retype new password: 
      passwd: password updated successfully
      [root@virt-024 ~]# su rouser
      [rouser@virt-024 root]$ pcs client local-auth
      Username: rouser
      Password: 
      localhost: Authorized
      [rouser@virt-024 root]$ pcs resource create d1 ocf:heartbeat:Dummy
      Warning: Validating resource options using the resource agent itself is enabled by default and produces warnings. In a future version, this might be changed to errors. Specify --agent-validation to switch to the future behavior.
      Warning: Validation result from agent:
        touch: cannot touch '/run/resource-agents/20531': Permission denied
        ocf-exit-reason:State file "/run/resource-agents/Dummy-test.state" is not writable
      [rouser2@virt-024 root]$ echo $?
      0
      [rouser2@virt-024 root]$ pcs resource status d1
        * d1    (ocf:heartbeat:Dummy):     Started virt-024

      Expected results

      A local user with read-only permissions can't perform a write action (for example, creating a resource).

      Actual results

      The read-only user successfully performed a write action - created a resource.

      Additional info

      This wasn't happening in version pacemaker-2.1.8-3.el10.x86_64.

      [rouser@virt-495 root]$ rpm -q pacemaker
      pacemaker-2.1.8-3.el10.x86_64
      [rouser@virt-495 root]$ pcs resource create d1 ocf:heartbeat:Dummy
      Warning: Validating resource options using the resource agent itself is enabled by default and produces warnings. In a future version, this might be changed to errors. Specify --agent-validation to switch to the future behavior.
      Warning: Validation result from agent:
        touch: cannot touch '/run/resource-agents/911287': Permission denied
        ocf-exit-reason:State file "/run/resource-agents/Dummy-test.state" is not writable
      Error: Unable to update cib
      Call cib_apply_diff failed: Permission denied
      
      [rouser@virt-495 root]$ echo $?
      1
      [rouser@virt-495 root]$ pcs resource status d1
      Error: resource or tag id 'd1' not found
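      To make the expected behaviour of the two transcripts above concrete, here is a small model of how an enabled Pacemaker ACL set is meant to gate reads and writes against the CIB. This is an added example written for this report, not pacemaker's or pcs's own code, and it simplifies: the CIB fragment is constructed to match the `pcs acl` output above (assumption: that is the XML those commands produce), XPath matching is reduced to an element-path prefix test, only acl_target (not acl_group) is modelled, and overlapping permissions are resolved first-match-wins with default deny for anything unmatched. Under that model rouser can read /cib but cannot write under /cib/configuration/resources, which is what the 2.1.8 transcript shows and the 3.0.0 transcript violates.

```python
# Added example for this report, not pacemaker's own code: a simplified model of
# how an enabled ACL set is meant to gate reads and writes against the CIB.
# Assumptions (not from the report): the CIB fragment is constructed to match the
# `pcs acl` output above; XPath matching is reduced to an element-path prefix
# test; only acl_target (not acl_group) is modelled; overlapping permissions are
# resolved first-match-wins, and an unmatched element is denied.
import xml.etree.ElementTree as ET

# Constructed CIB equivalent to the reporter's `pcs acl` configuration.
CIB_XML = """
<cib>
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
    <acls>
      <acl_role id="read-only" description="Read access to cluster">
        <acl_permission id="read-only-read" kind="read" xpath="/cib"/>
      </acl_role>
      <acl_target id="rouser">
        <role id="read-only"/>
      </acl_target>
    </acls>
  </configuration>
</cib>
"""

PRIVILEGED_USERS = {"root", "hacluster"}  # not subject to ACLs


def load_cib(text: str) -> ET.Element:
    return ET.fromstring(text.strip())


def acls_enabled(cib: ET.Element) -> bool:
    """ACLs only apply when the enable-acl cluster property is true."""
    for nv in cib.iter("nvpair"):
        if nv.get("name") == "enable-acl":
            return nv.get("value", "false").lower() == "true"
    return False


def permissions_for(cib: ET.Element, user: str) -> list:
    """acl_permission elements from every role of the user's acl_target, in CIB order."""
    acls = cib.find("configuration/acls")
    target = None if acls is None else acls.find(f"acl_target[@id='{user}']")
    if target is None:
        return []  # a user without an acl_target gets nothing once ACLs are on
    roles = {r.get("id"): r for r in acls.findall("acl_role")}
    perms = []
    for ref in target.findall("role"):
        perms.extend(roles.get(ref.get("id"), ET.Element("x")).findall("acl_permission"))
    return perms


def covers(perm_xpath: str, target_path: str) -> bool:
    """Prefix test standing in for XPath: /cib covers /cib/configuration/... as well."""
    base = perm_xpath.rstrip("/")
    return target_path == base or target_path.startswith(base + "/")


def check_access(cib: ET.Element, user: str, op: str, target_path: str) -> bool:
    """True if `user` may perform `op` ('read' or 'write') on the element at target_path."""
    if op not in ("read", "write"):
        raise ValueError(op)
    if user in PRIVILEGED_USERS or not acls_enabled(cib):
        return True
    for perm in permissions_for(cib, user):
        xpath = perm.get("xpath")
        if xpath is None or not covers(xpath, target_path):
            continue  # reference= / object-type= selectors are not modelled
        kind = perm.get("kind")
        if kind == "deny":
            return False
        if kind == "write":
            return True          # write implies read
        if kind == "read":
            return op == "read"  # the reporter's case: read must never grant write
    return False                 # nothing matched: default deny


def cib_with_role(permissions) -> ET.Element:
    """Copy of the report's CIB with rouser's role replaced by `permissions`,
    an ordered list of (kind, xpath); for trying out precedence rules."""
    cib = load_cib(CIB_XML)
    role = cib.find("configuration/acls/acl_role[@id='read-only']")
    for child in list(role):
        role.remove(child)
    for i, (kind, xpath) in enumerate(permissions):
        ET.SubElement(role, "acl_permission", id=f"perm-{i}", kind=kind, xpath=xpath)
    return cib


def expected_outcome() -> dict:
    """What the reproducer should give: rouser can read but cannot create a resource."""
    cib = load_cib(CIB_XML)
    rsc = "/cib/configuration/resources"
    return {
        "rouser_read": check_access(cib, "rouser", "read", rsc),
        "rouser_write": check_access(cib, "rouser", "write", rsc),
        "root_write": check_access(cib, "root", "write", rsc),
    }
```

      `expected_outcome()` returns the outcome the pacemaker-2.1.8 transcript exhibits (`rouser_write` False, the cib_apply_diff "Permission denied"); `cib_with_role` lets you check how a role that adds `write xpath /cib/configuration/resources` or a `deny` on the acls section would behave under the same model. The precedence between overlapping permissions is an assumption of this model and should be confirmed against the ACL chapter of Pacemaker Explained before relying on it for a real role design.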
      

       

              Participants: Kenneth Gaillot (kgaillot@redhat.com), Michal Mazourek (mmazoure), Marketa Smazova