Hi, On Tue, Jul 06, 2010 at 08:52:12PM +0200, Lars Ellenberg wrote: > On Tue, Jul 06, 2010 at 06:36:14PM +0200, Dejan Muhamedagic wrote: > > Hi Yuusuke-san, > > > > On Wed, Jun 30, 2010 at 08:00:18PM +0900, Yuusuke IIDA wrote: > > > Hi, > > > > > > For anything RA, I revised it with some function addition. > > > > > > The list of the change is as follows. > > > * I added the option which could choose whether you used a login shell > > > to want > > > to let a command inherit an environment variable of Resource Agent. > > > > OK, I assume that this may be useful at times. Though I'm not > > very happy with the new parameter name, I couldn't come up with > > another one. The big difference is, I guess, that the .profile > > files are sourced. Perhaps to name it just "login_shell"? > > the difference is that su - user clears the environment first > (and then re-populates it from where that user usually gets his environment), > su user (no dash) does not clear, but inherit the current environment.
OK. > > > * I revised it to handle an escape character in character string set by > > > cmdline_options such as follows adequately. > > > --- for example: --- > > > primitive AAAAA ocf:heartbeat:anything \ > > > params \ > > > binfile="XXXXX" \ > > > cmdline_options="-V -c \"openssl des-ede3 -d -base64 -k 'yy y'\" > > > -i" \ > > > --- --- > > > > Uh, this escaping gives me headache. > > should this not be much easier by doing > - cmd="su -c \"$variables\"" > + cmd="su -c '$variables'" > ? > no escaping by sed necessary, > except maybe (if you are paranoid) > escaping of ' itself: > sed -e "s/'/'\\\\''/" Good, I'd really rather avoid trying to escape stuff in the user data if possible. Yuusuke-san, can you please test and see if this works for you. Then we can perhaps advise accordingly in the meta-data. > As long as we do cmd="su -c \"$variable\"", it is not sufficient to > escape \ (as the proposed patch by Yuusuke-san does), actually you'd > need to escape ` and $ and various other things as well. > Unless you consider it a feature that these would be > expanded already in the context of the eval running as root, > not in the context of the su $user nohup. > Which is (as it is now) a potential "root exploit", > once you start taking "cib admin != cluster root" serious. > which is not really sensible to do IMO, anyways. But I digres. > > Hm. Maybe we should move the eval into that context, anyways? > sort of > cmd="eval '${supposedly_properly_escaped_variable}'" > su ... -c "$cmd" ? Hmm, I hope that the users could skip the acrobatics and do the processing elsewhere if absolutely needed. > But, for the record: > > > The line says: > > > > +cmdline_options=`... | sed 's/\\\/\\\\\\\/g' | ...` > > > > How does the left side expand? Shouldn't that be an even number > > of backslashes? The right side also has 7 backslashes. > > the first "stripping" of \ is done by the shell, > before feeding the whole thing to the `` subshell. > And the \ quoting within `` is subtle: > backslash retains its literal meaning except when followed by $, `, or \ > so those \/ combinations could have been written as \\/ as well > (if only to reduce the headache of the reader, slightly) > but need not be. BTW, that is one of the differences between `` and $() ... > yep, its not pretty, but "correct", though not necessarily consistent > between various shells and versions :( > > god, I hate it when I know these useless facts from the top of my head, > I wish I had done less shell coding ;-) :) Cheers, Dejan > > > * Strip off the trailing clone marker. > > > - quotations from the following. > > > http://hg.clusterlabs.org/pacemaker/stable-1.0/file/94515b3503b5/extra/resources/Dummy#l143 > > > > OK. > > > > Can you please split the patch in three parts, so that we have > > unrelated changes in signel patches. > > Yes, please ;-) > > -- > : Lars Ellenberg > : LINBIT | Your Way to High Availability > : DRBD/HA support and consulting http://www.linbit.com > > DRBD® and LINBIT® are registered trademarks of LINBIT, Austria. > _______________________________________________________ > Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org > http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev > Home Page: http://linux-ha.org/ _______________________________________________________ Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev Home Page: http://linux-ha.org/