Do not use -T option on perl command line.

On Wed, Sep 10, 2008 at 11:15 AM, Knight, Doug <[EMAIL PROTECTED]> wrote:
> Is there a way to control this behavior (force matching real and
> effective user IDs), at least for the lrmd? We've encountered an issue
> with some perl script HA resources. It seems that when a process that
> does not have matching real and effective user IDs starts a perl script,
> perl automatically enables data "tainting", with a similar security
> purpose in mind. The data that first goes into our scripts which comes
> in tainted when run from under HA control goes through a global pattern
> match, triggering a known bug in perl. According to the perl docs it can
> cause an infinite loop, memory leaks, etc. We have a work-around we're
> implementing in our scripts, but I wanted to explore the possibility of
> altering the behavior coming out of heartbeat.
>
> Doug
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dejan Muhamedagic
> Sent: Wednesday, September 10, 2008 12:24 PM
> To: General Linux-HA mailing list
> Subject: Re: [Linux-HA] Real vs Effective userids for heartbeat processes
>
> On Wed, Sep 10, 2008 at 10:39:43AM -0400, Knight, Doug wrote:
>> All,
>>
>> Why do certain heartbeat processes run with a real user ID of root, but
>> an effective user ID of nobody?
>
> It was introduced before I got here, but I'm sure that it was for
> security reasons. The less code runs as root, the less potential
> vulnerabilities.
>
> Thanks,
>
> Dejan
>
>> The specific processes on our system
>> that run this way are FIFO reader, write: bcast eth1, read:bcast eth1,
>> write: ucast eth1, read: ucast eth1 lrmd, and stonithd. The other
>> processes run either as root:root (master control process and mgmtd) or
>> as 24:24 (ccm, cib, attrd, and crmd).
>>
>> Thanks,
>>
>> Doug Knight
>>
>> WSI Corp

--
Serge Dubrouski.

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
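
The behaviour described in the quoted message (perl switching on taint checks by itself when the real and effective IDs of the starting process differ) can be observed and handled from inside a script. The following is an added example, not code from this thread or from heartbeat, and not the work-around the poster mentions; the accepted name format and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example: report forced taint mode and untaint input with a
# single anchored, non-global match. Name format is an assumption.
use strict;
use warnings;
use English qw(-no_match_vars);
use Scalar::Util qw(tainted);

# Show the values perl compares when deciding to force taint mode.
sub taint_report {
    my ($rgid) = split ' ', $GID;     # first entry is the real GID
    my ($egid) = split ' ', $EGID;    # first entry is the effective GID
    # ${^TAINT}: 1 = taint mode on, -1 = warnings only (-t), 0 = off
    return sprintf 'taint=%d ruid=%d euid=%d rgid=%d egid=%d',
        ${^TAINT}, $UID, $EUID, $rgid, $egid;
}

# Accept only names in the assumed format. The capture group of a
# successful match is untainted; the original scalar stays tainted.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
    return;
}

# Under taint mode perl refuses to run external commands until PATH is
# set explicitly and these variables are removed (see perlsec).
$ENV{PATH} = '/usr/sbin:/usr/bin:/sbin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print taint_report(), "\n";
warn "taint mode is on and real/effective UID differ\n"
    if ${^TAINT} > 0 && $UID != $EUID;

# Command-line arguments are tainted when taint mode is on; the two
# literal strings are constructed sample inputs.
for my $raw (@ARGV, 'db_vip-1', 'not a valid name!') {
    my $name = untaint_name($raw);
    if (defined $name) {
        printf "accepted '%s' (still tainted: %s)\n",
            $name, tainted($name) ? 'yes' : 'no';
    }
    else {
        print "rejected input\n";
    }
}
```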
