Re: [ClusterLabs] Antw: Re: Question on permissions for pcsd ghost files

2019-04-23 Thread Tomas Jelinek

On 23. 04. 19 at 13:26, Ulrich Windl wrote:

Tomas Jelinek wrote on 23.04.2019 at 12:36 in message:

The files are listed as ghost files in order to let rpm know they belong
to pcs but are not distributed in rpm packages. Those files are created
by pcsd at runtime. I guess the 000 permissions come from the fact those
files are not present in rpm packages.


My guess is it's just bad packing: I have an RPM myself that introduces a %ghost,
and it has permissions:
%ghost %config(missingok) %verify(not md5 mtime size) %attr(0644,root,root) /etc/%{name}.conf


We'll fix that in the next pcs build, then.

Thanks!
Tomas



Regards,
Ulrich



The real permissions you have look OK to me as long as /var/lib/pcsd has
700. Files pcsd.cookiesecret, pcsd.crt and pcsd.key should not be
executable but it does not matter that much. We fixed it in pcs-0.9.165.
The fix doesn't change permissions of existing files, though.


Regards,
Tomas


On 19. 04. 19 at 21:20, Hayden,Robert wrote:

Working through an audit and need to determine what the expected
permissions are for the following files.

[root@techval13]# rpm -V pcs
.M...  c /var/lib/pcsd/pcs_settings.conf
.M...  c /var/lib/pcsd/pcs_users.conf
.M...  c /var/lib/pcsd/pcsd.cookiesecret
.M...  c /var/lib/pcsd/pcsd.crt
.M...  c /var/lib/pcsd/pcsd.key
.M...  c /var/lib/pcsd/tokens

Looking at the RPM spec, these appear to be ghost files with permissions
set to 000 in the spec.

[root@techval13]# rpm -q --dump pcs | grep /var/lib/pcsd/pcs_settings.conf

/var/lib/pcsd/pcs_settings.conf 0 1541089158
 010
root root 1 0 0 X

Currently, the permissions after a normal installation are listed in the
“first” column from my custom report output.  The second column is the
“expected” permissions from the RPM spec.

644 | 000 | /var/lib/pcsd/pcs_settings.conf | pcs-0.9.165-6.0.1.el7.x86_64
644 | 000 | /var/lib/pcsd/pcs_users.conf | pcs-0.9.165-6.0.1.el7.x86_64
700 | 000 | /var/lib/pcsd/pcsd.cookiesecret | pcs-0.9.165-6.0.1.el7.x86_64
700 | 000 | /var/lib/pcsd/pcsd.crt | pcs-0.9.165-6.0.1.el7.x86_64
700 | 000 | /var/lib/pcsd/pcsd.key | pcs-0.9.165-6.0.1.el7.x86_64
600 | 000 | /var/lib/pcsd/tokens | pcs-0.9.165-6.0.1.el7.x86_64

Any help or guidance would be greatly appreciated.


Thanks

Robert

CONFIDENTIALITY NOTICE This message and any included attachments are
from Cerner Corporation and are intended only for the addressee. The
information contained in this message is confidential and may constitute
inside or non‑public information under international, federal, or state
securities laws. Unauthorized forwarding, printing, copying,
distribution, or use of such information is strictly prohibited and may
be unlawful. If you are not the addressee, please promptly delete this
message and notify the sender of the delivery error by e‑mail or you may
call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1)
(816)221‑1024.


___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
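
Added example (not part of the thread and not pcs project code): a shell triage that applies the guidance above to `rpm -q --dump` records, separating mismatches caused by a packaged mode of 000 from execute bits on real files and from genuine drift. The function names, verdict labels and sample records (including the all-zero digest and the 0100000 mode) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Field order of `rpm -q --dump`:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink

# triage ACTUAL_MODE DUMP_LINE -> prints "<verdict> <path>"
triage() {
    actual=$1
    set -- $2                        # split on whitespace; paths with spaces unsupported
    path=$1 mode=$5
    packaged=${mode#"${mode%???}"}   # permission bits only: 0100644 -> 644
    case $actual in
        *[1357]*) echo "EXEC-BIT $path"; return ;;   # some execute bit is set
    esac
    if [ "$packaged" = 000 ]; then
        echo "SPEC-UNSET $path"      # packaged mode carries no policy, as with these %ghost files
    elif [ "$actual" != "$packaged" ]; then
        echo "DRIFT $path"           # real difference from what the package declares
    else
        echo "OK $path"
    fi
}

# dir_check MODE: the thread accepts the file modes only if /var/lib/pcsd is 700.
dir_check() {
    [ "$1" = 700 ] && echo "DIR-OK" || echo "DIR-REVIEW"
}

# audit_live PKG: use on an RPM-based host (needs rpm and GNU stat); regular files only.
audit_live() {
    dir_check "$(stat -c %a /var/lib/pcsd)"
    rpm -q --dump "$1" | grep '^/var/lib/pcsd/' | while read -r line; do
        p=${line%% *}
        if [ -f "$p" ]; then triage "$(stat -c %a "$p")" "$line"; fi
    done
}

# Constructed sample records modelled on the report in the thread.
ZEROS=$(printf '%064d' 0)
triage 644 "/var/lib/pcsd/pcs_settings.conf 0 1541089158 $ZEROS 0100000 root root 1 0 0 X"
triage 700 "/var/lib/pcsd/pcsd.key 0 1541089158 $ZEROS 0100000 root root 1 0 0 X"
triage 600 "/var/lib/pcsd/tokens 0 1541089158 $ZEROS 0100000 root root 1 0 0 X"
dir_check 700
```

On a live system, `audit_live pcs` runs the same checks against the installed package and the files on disk.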



[ClusterLabs] Antw: Re: Question on permissions for pcsd ghost files

2019-04-23 Thread Ulrich Windl
>>> Tomas Jelinek wrote on 23.04.2019 at 12:36 in message:
> The files are listed as ghost files in order to let rpm know they belong 
> to pcs but are not distributed in rpm packages. Those files are created 
> by pcsd at runtime. I guess the 000 permissions come from the fact those 
> files are not present in rpm packages.

My guess is it's just bad packing: I have an RPM myself that introduces a %ghost,
and it has permissions:
%ghost %config(missingok) %verify(not md5 mtime size) %attr(0644,root,root) /etc/%{name}.conf

Regards,
Ulrich

> 
> The real permissions you have look OK to me as long as /var/lib/pcsd has 
> 700. Files pcsd.cookiesecret, pcsd.crt and pcsd.key should not be 
> executable but it does not matter that much. We fixed it in pcs-0.9.165. 
> The fix doesn't change permissions of existing files, though.
> 
> 
> Regards,
> Tomas
> 
> 
> On 19. 04. 19 at 21:20, Hayden,Robert wrote:
>> Working through an audit and need to determine what the expected 
>> permissions are for the following files.
>> 
>> [root@techval13]# rpm -V pcs
>> .M...  c /var/lib/pcsd/pcs_settings.conf
>> .M...  c /var/lib/pcsd/pcs_users.conf
>> .M...  c /var/lib/pcsd/pcsd.cookiesecret
>> .M...  c /var/lib/pcsd/pcsd.crt
>> .M...  c /var/lib/pcsd/pcsd.key
>> .M...  c /var/lib/pcsd/tokens
>> 
>> Looking at the RPM spec, these appear to be ghost files with permissions 
>> set to 000 in the spec.
>> 
>> [root@techval13]# rpm -q --dump pcs | grep /var/lib/pcsd/pcs_settings.conf
>> 
>> /var/lib/pcsd/pcs_settings.conf 0 1541089158 
>>  010 
>> root root 1 0 0 X
>> 
>> Currently, the permissions after a normal installation are listed in the 
>> “first” column from my custom report output.  The second column is the 
>> “expected” permissions from the RPM spec.
>> 
>> 644 | 000 | /var/lib/pcsd/pcs_settings.conf | pcs-0.9.165-6.0.1.el7.x86_64
>> 644 | 000 | /var/lib/pcsd/pcs_users.conf | pcs-0.9.165-6.0.1.el7.x86_64
>> 700 | 000 | /var/lib/pcsd/pcsd.cookiesecret | pcs-0.9.165-6.0.1.el7.x86_64
>> 700 | 000 | /var/lib/pcsd/pcsd.crt | pcs-0.9.165-6.0.1.el7.x86_64
>> 700 | 000 | /var/lib/pcsd/pcsd.key | pcs-0.9.165-6.0.1.el7.x86_64
>> 600 | 000 | /var/lib/pcsd/tokens | pcs-0.9.165-6.0.1.el7.x86_64
>> 
>> Any help or guidance would be greatly appreciated.
>> 
>> 
>> Thanks
>> 
>> Robert
>> 