Re: [ClusterLabs] Antw: Re: Question on permissions for pcsd ghost files
On 23. 04. 19 at 13:26, Ulrich Windl wrote:
>>>> Tomas Jelinek wrote on 23.04.2019 at 12:36 in message :
>> The files are listed as ghost files in order to let rpm know they belong
>> to pcs but are not distributed in rpm packages. Those files are created
>> by pcsd in runtime. I guess the 000 permissions come from the fact those
>> files are not present in rpm packages.
>
> My guess it's just bad packing: I have an RPM myself that introduces a
> %ghost, and it has permissions:
>
> %ghost %config(missingok) %verify(not md5 mtime size) %attr(0644,root,root) /etc/%{name}.conf

We'll fix that in the next pcs build, then.

Thanks!
Tomas

> Regards,
> Ulrich
>
>> The real permissions you have look OK to me as long as /var/lib/pcsd has
>> 700. Files pcsd.cookiesecret, pcsd.crt and pcsd.key should not be
>> executable but it does not matter that much. We fixed it in pcs-0.9.165.
>> The fix doesn't change permissions of existing files, though.
>>
>> Regards,
>> Tomas
>>
>> On 19. 04. 19 at 21:20, Hayden,Robert wrote:
>>> Working through an audit and need to determine what the expected
>>> permissions are for the following files.
>>>
>>> [root@techval13]# rpm -V pcs
>>> .M... c /var/lib/pcsd/pcs_settings.conf
>>> .M... c /var/lib/pcsd/pcs_users.conf
>>> .M... c /var/lib/pcsd/pcsd.cookiesecret
>>> .M... c /var/lib/pcsd/pcsd.crt
>>> .M... c /var/lib/pcsd/pcsd.key
>>> .M... c /var/lib/pcsd/tokens
>>>
>>> Looking at the RPM spec, these appear to be ghost files with permissions
>>> set to 000 in the spec.
>>>
>>> [root@techval13]# rpm -q --dump pcs | grep /var/lib/pcsd/pcs_settings.conf
>>> /var/lib/pcsd/pcs_settings.conf 0 1541089158 010 root root 1 0 0 X
>>>
>>> Currently, the permissions after a normal installation are listed in the
>>> “first” column from my custom report output. The second column is the
>>> “expected” permissions from the RPM spec.
>>>
>>> 644 | 000 | /var/lib/pcsd/pcs_settings.conf | pcs-0.9.165-6.0.1.el7.x86_64
>>> 644 | 000 | /var/lib/pcsd/pcs_users.conf | pcs-0.9.165-6.0.1.el7.x86_64
>>> 700 | 000 | /var/lib/pcsd/pcsd.cookiesecret | pcs-0.9.165-6.0.1.el7.x86_64
>>> 700 | 000 | /var/lib/pcsd/pcsd.crt | pcs-0.9.165-6.0.1.el7.x86_64
>>> 700 | 000 | /var/lib/pcsd/pcsd.key | pcs-0.9.165-6.0.1.el7.x86_64
>>> 600 | 000 | /var/lib/pcsd/tokens | pcs-0.9.165-6.0.1.el7.x86_64
>>>
>>> Any help or guidance would be greatly appreciated.
>>>
>>> Thanks
>>> Robert
>>>
>>> CONFIDENTIALITY NOTICE This message and any included attachments are
>>> from Cerner Corporation and are intended only for the addressee. The
>>> information contained in this message is confidential and may constitute
>>> inside or non-public information under international, federal, or state
>>> securities laws. Unauthorized forwarding, printing, copying,
>>> distribution, or use of such information is strictly prohibited and may
>>> be unlawful. If you are not the addressee, please promptly delete this
>>> message and notify the sender of the delivery error by e-mail or you may
>>> call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1)
>>> (816)221-1024.

___
Manage your subscription: https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/
[ClusterLabs] Antw: Re: Question on permissions for pcsd ghost files
>>> Tomas Jelinek wrote on 23.04.2019 at 12:36 in message :
> The files are listed as ghost files in order to let rpm know they belong
> to pcs but are not distributed in rpm packages. Those files are created
> by pcsd in runtime. I guess the 000 permissions come from the fact those
> files are not present in rpm packages.

My guess it's just bad packing: I have an RPM myself that introduces a
%ghost, and it has permissions:

%ghost %config(missingok) %verify(not md5 mtime size) %attr(0644,root,root) /etc/%{name}.conf

Regards,
Ulrich

> The real permissions you have look OK to me as long as /var/lib/pcsd has
> 700. Files pcsd.cookiesecret, pcsd.crt and pcsd.key should not be
> executable but it does not matter that much. We fixed it in pcs-0.9.165.
> The fix doesn't change permissions of existing files, though.
>
> Regards,
> Tomas
>
> On 19. 04. 19 at 21:20, Hayden,Robert wrote:
>> Working through an audit and need to determine what the expected
>> permissions are for the following files.
>>
>> [root@techval13]# rpm -V pcs
>> .M... c /var/lib/pcsd/pcs_settings.conf
>> .M... c /var/lib/pcsd/pcs_users.conf
>> .M... c /var/lib/pcsd/pcsd.cookiesecret
>> .M... c /var/lib/pcsd/pcsd.crt
>> .M... c /var/lib/pcsd/pcsd.key
>> .M... c /var/lib/pcsd/tokens
>>
>> Looking at the RPM spec, these appear to be ghost files with permissions
>> set to 000 in the spec.
>>
>> [root@techval13]# rpm -q --dump pcs | grep /var/lib/pcsd/pcs_settings.conf
>> /var/lib/pcsd/pcs_settings.conf 0 1541089158 010 root root 1 0 0 X
>>
>> Currently, the permissions after a normal installation are listed in the
>> “first” column from my custom report output. The second column is the
>> “expected” permissions from the RPM spec.
>>
>> 644 | 000 | /var/lib/pcsd/pcs_settings.conf | pcs-0.9.165-6.0.1.el7.x86_64
>> 644 | 000 | /var/lib/pcsd/pcs_users.conf | pcs-0.9.165-6.0.1.el7.x86_64
>> 700 | 000 | /var/lib/pcsd/pcsd.cookiesecret | pcs-0.9.165-6.0.1.el7.x86_64
>> 700 | 000 | /var/lib/pcsd/pcsd.crt | pcs-0.9.165-6.0.1.el7.x86_64
>> 700 | 000 | /var/lib/pcsd/pcsd.key | pcs-0.9.165-6.0.1.el7.x86_64
>> 600 | 000 | /var/lib/pcsd/tokens | pcs-0.9.165-6.0.1.el7.x86_64
>>
>> Any help or guidance would be greatly appreciated.
>>
>> Thanks
>> Robert
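For auditors who hit the same `rpm -V` noise, the check suggested in Tomas's reply can be scripted as below. This is an added example, not code from the thread or from the pcs project. The function names, the sample `rpm -V` lines and `/etc/example.conf` are constructed for illustration. The policy (directory at 700, no execute bits on the three secret files) is the one stated in the thread.

```python
import os
import stat

# Names come from the thread; the checks encode the guidance in Tomas's reply.
PCSD_DIR = "/var/lib/pcsd"
SECRET_FILES = ("pcsd.cookiesecret", "pcsd.crt", "pcsd.key")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

# Constructed sample shaped like the `rpm -V pcs` output quoted in the thread.
SAMPLE_VERIFY = """\
.M...  c /var/lib/pcsd/pcsd.crt
.M...  c /var/lib/pcsd/pcsd.key
S.5..  c /etc/example.conf
"""


def mode_only_mismatches(rpm_verify_output):
    """Paths whose only `rpm -V` difference is the mode flag (M)."""
    paths = []
    for line in rpm_verify_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        flags, path = fields[0], fields[-1]
        if "M" in flags and set(flags) <= {"M", "."}:
            paths.append(path)
    return paths


def audit_pcsd(directory=PCSD_DIR):
    """Check on-disk modes against the thread's guidance, not the packaged 000."""
    if not os.path.isdir(directory):
        return [f"{directory}: directory not present"]
    findings = []
    dir_mode = stat.S_IMODE(os.stat(directory).st_mode)
    if dir_mode != 0o700:
        findings.append(f"{directory}: mode {dir_mode:03o}, expected 700")
    for name in SECRET_FILES:
        path = os.path.join(directory, name)
        if not os.path.lexists(path):
            continue  # runtime-created files may not exist yet
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & EXEC_BITS:
            findings.append(f"{path}: mode {mode:03o} has execute bits set")
    return findings

if __name__ == "__main__":
    print(mode_only_mismatches(SAMPLE_VERIFY))
    print(audit_pcsd())
```

Run as root on a cluster node, `audit_pcsd()` reports against the live `/var/lib/pcsd`; pass another directory to check a copy or a test fixture.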