What were you trying to do that didn't work?
Set read-only permissions for a local user by using ACLs, then try to perform a write action, such as creating a resource, as that local user.
Please provide the package NVR for which the bug is seen:
pacemaker-3.0.0-1.el10.1.x86_64
How reproducible is this bug?:
always
Steps to reproduce
[root@virt-024 ~]# adduser rouser
[root@virt-024 ~]# usermod -a -G haclient rouser
[root@virt-024 ~]# pcs acl enable
[root@virt-024 ~]# pcs acl role create read-only description="Read access to cluster" read xpath /cib
[root@virt-024 ~]# pcs acl user create rouser read-only
[root@virt-024 ~]# pcs acl
ACLs are enabled

User: rouser
  Roles: read-only

Role: read-only
  Description: Read access to cluster
  Permission: read xpath /cib (read-only-read)
[root@virt-024 ~]# passwd rouser
New password:
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password:
passwd: password updated successfully
[root@virt-024 ~]# su rouser
[rouser@virt-024 root]$ pcs client local-auth
Username: rouser
Password:
localhost: Authorized
[rouser@virt-024 root]$ pcs resource create d1 ocf:heartbeat:Dummy
Warning: Validating resource options using the resource agent itself is enabled by default and produces warnings. In a future version, this might be changed to errors. Specify --agent-validation to switch to the future behavior.
Warning: Validation result from agent:
  touch: cannot touch '/run/resource-agents/20531': Permission denied
  ocf-exit-reason:State file "/run/resource-agents/Dummy-test.state" is not writable
[rouser2@virt-024 root]$ echo $?
0
[rouser2@virt-024 root]$ pcs resource status d1
  * d1	(ocf:heartbeat:Dummy):	 Started virt-024
Expected results
A local user with read-only permissions can't perform a write action (for example, create a resource).
Actual results
The read-only user successfully performed a write action (created a resource).
Additional info
This wasn't happening in version pacemaker-2.1.8-3.el10.x86_64:

[rouser@virt-495 root]$ rpm -q pacemaker
pacemaker-2.1.8-3.el10.x86_64
[rouser@virt-495 root]$ pcs resource create d1 ocf:heartbeat:Dummy
Warning: Validating resource options using the resource agent itself is enabled by default and produces warnings. In a future version, this might be changed to errors. Specify --agent-validation to switch to the future behavior.
Warning: Validation result from agent:
  touch: cannot touch '/run/resource-agents/911287': Permission denied
  ocf-exit-reason:State file "/run/resource-agents/Dummy-test.state" is not writable
Error: Unable to update cib
Call cib_apply_diff failed: Permission denied
[rouser@virt-495 root]$ echo $?
1
[rouser@virt-495 root]$ pcs resource status d1
Error: resource or tag id 'd1' not found
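The manual reproduction above can be turned into an automated probe that a cluster admin runs on a node to check whether read-only ACL users are actually refused on writes, distinguishing the 2.1.8 outcome (create fails, resource absent) from the 3.0.0 outcome (create succeeds, resource started) and cleaning up afterwards. This is an added example, not code from the report or from pcs/pacemaker; it assumes the ACL setup from the steps (ACLs enabled, a read-only role on /cib, user rouser in that role and authorised with `pcs client local-auth`), is run as root, and the resource id `aclprobe-d1` is an arbitrary placeholder.

```python
"""Probe whether a pcs read-only ACL user is refused when attempting a write.

Assumes the setup from the report is in place on this node: ACLs enabled, a role
granting 'read xpath /cib', the user in that role and authorised via
'pcs client local-auth'. Must run as root. User and resource id are assumptions.
"""
import subprocess
import sys

RO_USER = "rouser"          # assumed: the read-only ACL user from the report
PROBE_RES = "aclprobe-d1"   # assumed: throwaway resource id used only by the probe

ENFORCED, BYPASSED, INCONSISTENT = "ENFORCED", "BYPASSED", "INCONSISTENT"


def classify(create_rc, status_rc):
    """Map the two observable results of the probe to a verdict.

    create_rc: exit status of 'pcs resource create' run as the read-only user.
    status_rc: exit status of 'pcs resource status <id>' afterwards; non-zero
               means the resource does not exist in the CIB.
    """
    if create_rc != 0 and status_rc != 0:
        return ENFORCED       # write refused, nothing committed (2.1.8 behaviour)
    if create_rc == 0 and status_rc == 0:
        return BYPASSED       # read-only user committed a write (3.0.0 behaviour)
    return INCONSISTENT       # e.g. create reported failure but the resource exists


def acls_enabled(acl_output):
    """True if the output of 'pcs acl' reports that ACLs are enabled."""
    return "ACLs are enabled" in acl_output


def pcs(*args, user=None):
    """Run pcs, optionally as an unprivileged local user; return CompletedProcess."""
    cmd = ["runuser", "-u", user, "--"] if user else []
    return subprocess.run(cmd + ["pcs", *args], capture_output=True, text=True)


def probe():
    if not acls_enabled(pcs("acl").stdout):
        raise SystemExit("ACLs are not enabled; the probe would be meaningless")
    create_rc = pcs("resource", "create", PROBE_RES, "ocf:heartbeat:Dummy", user=RO_USER).returncode
    status_rc = pcs("resource", "status", PROBE_RES).returncode
    if status_rc == 0:
        pcs("resource", "delete", PROBE_RES)   # clean up as root: a legitimate write
    return classify(create_rc, status_rc)


if __name__ == "__main__":
    verdict = probe()
    print(f"ACL write enforcement for {RO_USER}: {verdict}")
    sys.exit(0 if verdict == ENFORCED else 1)
```

The script exits non-zero on anything other than ENFORCED, so it can be used as a regression check after package updates.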