Qnetd: Execute qnetd as non root user

Signed-off-by: Jan Friesse <jfriesse@redhat.com>

Makefile.am

@@ -80,13 +80,13 @@ install-exec-local:
 	$(INSTALL) -d $(DESTDIR)/${localstatedir}/lib/corosync
 	$(INSTALL) -d $(DESTDIR)/${localstatedir}/log/cluster
 if BUILD_QNETD
-	$(INSTALL) -m 750 -d $(DESTDIR)/${localstatedir}/run/corosync-qnetd
-	$(INSTALL) -m 750 -d $(DESTDIR)/${COROSYSCONFDIR}/qnetd
+	$(INSTALL) -m 770 -d $(DESTDIR)/${localstatedir}/run/corosync-qnetd
+	$(INSTALL) -m 770 -d $(DESTDIR)/${COROSYSCONFDIR}/qnetd
 endif
 if BUILD_QDEVICES
-	$(INSTALL) -m 750 -d $(DESTDIR)/${localstatedir}/run/corosync-qdevice
+	$(INSTALL) -m 770 -d $(DESTDIR)/${localstatedir}/run/corosync-qdevice
 	$(INSTALL) -d $(DESTDIR)/${COROSYSCONFDIR}/qdevice/
-	$(INSTALL) -m 750 -d $(DESTDIR)/${COROSYSCONFDIR}/qdevice/net
+	$(INSTALL) -m 770 -d $(DESTDIR)/${COROSYSCONFDIR}/qdevice/net
 endif
 
 uninstall-local:

corosync.spec.in

@@ -16,6 +16,7 @@
 %bcond_with xmlconf
 %bcond_with runautogen
 %bcond_with qdevices
+%bcond_with qnetd
 
 %global gitver %{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}
 %global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
@@ -66,9 +67,12 @@ Requires(postun): systemd
 %if %{with xmlconf}
 Requires: libxslt
 %endif
-%if %{with qdevices}
+%if %{with qdevices} || %{with qnetd}
 Requires: nss-tools
 %endif
+%if %{with qnetd}
+BuildRequires: sed
+%endif
 
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
@@ -116,6 +120,9 @@ export rdmacm_LIBS=-lrdmacm \
 %endif
 %if %{with qdevices}
 	--enable-qdevices \
+%endif
+%if %{with qnetd}
+	--enable-qnetd \
 %endif
 	--with-initddir=%{_initrddir} \
 	--with-systemddir=%{_unitdir} \
@@ -147,6 +154,19 @@ install -m 644 tools/corosync-notifyd.sysconfig.example \
 install -m 644 init/corosync.sysconfig.example \
    %{buildroot}%{_sysconfdir}/sysconfig/corosync
 
+%if %{with qnetd}
+# /etc/sysconfig/corosync-qnetd
+install -m 644 init/corosync-qnetd.sysconfig.example \
+   %{buildroot}%{_sysconfdir}/sysconfig/corosync-qnetd
+%if %{with systemd}
+sed -i -e 's/^#User=/User=/' \
+   %{buildroot}%{_unitdir}/corosync-qnetd.service
+%else
+sed -i -e 's/^COROSYNC_QNETD_RUNAS=""$/COROSYNC_QNETD_RUNAS="coroqnetd"/' \
+   %{buildroot}%{_sysconfdir}/sysconfig/corosync-qnetd
+%endif
+%endif
+
 %clean
 rm -rf %{buildroot}
 
@@ -384,6 +404,9 @@ fi
 
 %files -n corosync-qdevice
 %defattr(-,root,root,-)
+%dir %{_sysconfdir}/corosync/qdevice
+%dir %config(noreplace) %{_sysconfdir}/corosync/qdevice/net
+%dir %{_localstatedir}/run/corosync-qdevice
 %{_sbindir}/corosync-qdevice
 %{_sbindir}/corosync-qdevice-net-certutil
 %{_sbindir}/corosync-qdevice-tool
@@ -395,10 +418,17 @@ fi
 %{_initrddir}/corosync-qdevice
 %endif
 
+%endif
+
+# optional qnetd
+#
+%if %{with qnetd}
+
 %package -n corosync-qnetd
 Summary: The Corosync Cluster Engine Qdevice Network Daemon
 Group: System Environment/Base
 Requires: nss-tools
+Requires(pre): shadow-utils
 
 %if %{with systemd}
 Requires(post): systemd
@@ -410,6 +440,12 @@ Requires(postun): systemd
 This package contains the Corosync Cluster Engine Qdevice Network Daemon, script for creating
 NSS certificates and an init script.
 
+%pre -n corosync-qnetd
+getent group coroqnetd >/dev/null || groupadd -r coroqnetd
+getent passwd coroqnetd >/dev/null || \
+    useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd
+exit 0
+
 %post -n corosync-qnetd
 %if %{with systemd} && 0%{?systemd_post:1}
 %systemd_post corosync-qnetd.service
@@ -436,9 +472,12 @@ fi
 
 %files -n corosync-qnetd
 %defattr(-,root,root,-)
-%{_sbindir}/corosync-qnetd
-%{_sbindir}/corosync-qnetd-certutil
-%{_sbindir}/corosync-qnetd-tool
+%dir %config(noreplace) %attr(770, coroqnetd, coroqnetd) %{_sysconfdir}/corosync/qnetd
+%dir %attr(770, coroqnetd, coroqnetd) %{_localstatedir}/run/corosync-qnetd
+%{_bindir}/corosync-qnetd
+%{_bindir}/corosync-qnetd-certutil
+%{_bindir}/corosync-qnetd-tool
+%config(noreplace) %{_sysconfdir}/sysconfig/corosync-qnetd
 %if %{with systemd}
 %{_unitdir}/corosync-qnetd.service
 %dir %{_datadir}/corosync

init/Makefile.am

@@ -48,11 +48,19 @@ endif
 initscript_SCRIPTS  = corosync corosync-notifyd
 
 if BUILD_QDEVICES
-initscript_SCRIPTS  += corosync-qnetd corosync-qdevice
-EXTRA_DIST          += corosync-qnetd.sysconfig.example corosync-qnetd.in corosync-qdevice.in \
-                       corosync-qnetd.service.in corosync-qdevice.service.in
+initscript_SCRIPTS  += corosync-qdevice
+EXTRA_DIST          += corosync-qdevice.in corosync-qdevice.service.in
 if INSTALL_SYSTEMD
-systemdconf_DATA   += corosync-qnetd.service corosync-qdevice.service
+systemdconf_DATA   += corosync-qdevice.service
+endif
+endif
+
+if BUILD_QNETD
+initscript_SCRIPTS  += corosync-qnetd
+EXTRA_DIST          += corosync-qnetd.sysconfig.example corosync-qnetd.in \
+                       corosync-qnetd.service.in
+if INSTALL_SYSTEMD
+systemdconf_DATA   += corosync-qnetd.service
 endif
 endif
 
@@ -65,6 +73,7 @@ endif
 	rm -f $@-t $@
 	cat $< | sed \
 		-e 's#@''SBINDIR@#$(sbindir)#g' \
+		-e 's#@''BINDIR@#$(bindir)#g' \
 		-e 's#@''SYSCONFDIR@#$(sysconfdir)#g' \
 		-e 's#@''INITDDIR@#$(INITDDIR)#g' \
 		-e 's#@''INITWRAPPERSDIR@#$(INITWRAPPERSDIR)#g' \

init/corosync-qnetd.in

@@ -95,7 +95,11 @@ start()
 	if status $prog > /dev/null 2>&1; then
 		success
 	else
-		$prog $COROSYNC_QNETD_OPTIONS > /dev/null 2>&1
+		if [ -z "$COROSYNC_QNETD_RUNAS" ];then
+			$prog $COROSYNC_QNETD_OPTIONS > /dev/null 2>&1
+		else
+			runuser -s @BASHPATH@ $COROSYNC_QNETD_RUNAS -c "$prog $COROSYNC_QNETD_OPTIONS > /dev/null 2>&1"
+		fi
 
 		if [ "$?" != 0 ]; then
 			failure

init/corosync-qnetd.service.in

@@ -5,9 +5,12 @@ Requires=network-online.target
 After=network-online.target
 
 [Service]
-ExecStart=@INITWRAPPERSDIR@/corosync-qnetd start
-ExecStop=@INITWRAPPERSDIR@/corosync-qnetd stop
-Type=forking
+EnvironmentFile=@SYSCONFDIR@/sysconfig/corosync-qnetd
+ExecStart=@BINDIR@/corosync-qnetd -f $COROSYNC_QNETD_OPTIONS
+Type=simple
+Restart=on-abnormal
+# Uncomment and set user who should be used for executing qnetd
+#User=coroqnetd
 
 [Install]
 WantedBy=multi-user.target

init/corosync-qnetd.sysconfig.example

@@ -4,3 +4,10 @@
 # (default is no options).
 # See "man corosync-qnetd" for detailed descriptions of the options.
 COROSYNC_QNETD_OPTIONS=""
+
+# COROSYNC_QNETD_RUNAS specifies user under which qnetd daemon should be running
+# (not set or empty is default and means "user who executes init script")
+# Make sure to set correct owner of directories /etc/corosync/qnetd and
+# /var/run/corosync-qnetd
+# This has no effect if systemd unit is used (you have to change unit file)
+COROSYNC_QNETD_RUNAS=""

qdevices/Makefile.am

@@ -35,6 +35,7 @@ SUBDIRS			=
 
 bin_PROGRAMS		=
 sbin_PROGRAMS		=
+bin_SCRIPTS		=
 sbin_SCRIPTS		=
 EXTRA_DIST		=
 
@@ -42,7 +43,7 @@ if BUILD_QNETD
 
 bin_PROGRAMS		+= corosync-qnetd corosync-qnetd-tool
 
-sbin_SCRIPTS            += corosync-qnetd-certutil
+bin_SCRIPTS             += corosync-qnetd-certutil
 
 EXTRA_DIST		+= corosync-qnetd-certutil.sh
 

qdevices/corosync-qdevice-net-certutil.sh

@@ -94,7 +94,7 @@ create_new_noise_file() {
         (ps -elf; date; w) | sha1sum | (read sha_sum rest; echo $sha_sum) > "$noise_file"
 
         chown root:root "$noise_file"
-        chmod 600 "$noise_file"
+        chmod 660 "$noise_file"
     else
         echo "Using existing noise file $noise_file"
     fi
@@ -105,6 +105,8 @@ get_serial_no() {
 
     if ! [ -f "$SERIAL_NO_FILE" ];then
         echo "100" > $SERIAL_NO_FILE
+        chown root:root "$DB_DIR"
+        chmod 660 "$SERIAL_NO_FILE"
     fi
     serial_no=`cat $SERIAL_NO_FILE`
     serial_no=$((serial_no+1))
@@ -123,14 +125,16 @@ init_node_ca() {
         echo "Creating $DB_DIR"
         mkdir -p "$DB_DIR"
         chown root:root "$DB_DIR"
-        chmod 700 "$DB_DIR"
+        chmod 770 "$DB_DIR"
     fi
 
     echo "Creating new key and cert db"
     echo -n "" > "$PWD_FILE"
+    chown root:root "$PWD_FILE"
+    chmod 660 "$PWD_FILE"
     certutil -N -d "$DB_DIR" -f "$PWD_FILE"
     chown root:root "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
-    chmod 600 "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
+    chmod 660 "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
 
     create_new_noise_file "$NOISE_FILE"
 
@@ -187,8 +191,8 @@ quick_start() {
 
     # Sanity check
     for i in "$master_node" $other_nodes;do
-        if ssh root@$i "[ -d \"$DB_DIR_QNETD\" ] || [ -d \"$DB_DIR_NODE\" ]";then
-            echo "Node $i seems to be already initialized. Please delete $DB_DIR_QNETD and $DB_DIR_NODE" >&2
+        if ssh root@$i "[ -d \"$DB_DIR_NODE\" ]";then
+            echo "Node $i seems to be already initialized. Please delete $DB_DIR_NODE" >&2
 
             exit 1
         fi

qdevices/corosync-qnetd-certutil.sh

@@ -75,7 +75,7 @@ create_new_noise_file() {
         (ps -elf; date; w) | sha1sum | (read sha_sum rest; echo $sha_sum) > "$noise_file"
 
         chown_ref_cfgdir "$noise_file"
-        chmod 600 "$noise_file"
+        chmod 660 "$noise_file"
     else
         echo "Using existing noise file $noise_file"
     fi
@@ -87,7 +87,7 @@ get_serial_no() {
     if ! [ -f "$SERIAL_NO_FILE" ];then
         echo "100" > $SERIAL_NO_FILE
         chown_ref_cfgdir "$SERIAL_NO_FILE"
-        chmod 600 "$SERIAL_NO_FILE"
+        chmod 660 "$SERIAL_NO_FILE"
     fi
     serial_no=`cat $SERIAL_NO_FILE`
     serial_no=$((serial_no+1))
@@ -106,17 +106,17 @@ init_qnetd_ca() {
         echo "Creating $DB_DIR"
         mkdir -p "$DB_DIR"
         chown_ref_cfgdir "$DB_DIR"
-        chmod 700 "$DB_DIR"
+        chmod 770 "$DB_DIR"
     fi
 
     echo "Creating new key and cert db"
     echo -n "" > "$PWD_FILE"
     chown_ref_cfgdir "$PWD_FILE"
-    chmod 600 "$PWD_FILE"
+    chmod 660 "$PWD_FILE"
 
     certutil -N -d "$DB_DIR" -f "$PWD_FILE"
     chown_ref_cfgdir "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
-    chmod 600 "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
+    chmod 660 "$DB_DIR/key3.db" "$DB_DIR/cert8.db" "$DB_DIR/secmod.db"
 
     create_new_noise_file "$NOISE_FILE"
 

qdevices/qnetd-algo-ffsplit.c

@@ -107,6 +107,10 @@ qnetd_algo_ffsplit_is_prefered_partition(const struct qnetd_client *client,
 {
 	uint32_t prefered_node_id;
 	struct node_list_entry *node_entry;
+	int case_processed;
+
+	prefered_node_id = 0;
+	case_processed = 0;
 
 	switch (client->tie_breaker.mode) {
 	case TLV_TIE_BREAKER_MODE_LOWEST:
@@ -119,6 +123,7 @@ qnetd_algo_ffsplit_is_prefered_partition(const struct qnetd_client *client,
 				prefered_node_id = node_entry->node_id;
 			}
 		}
+		case_processed = 1;
 		break;
 	case TLV_TIE_BREAKER_MODE_HIGHEST:
 		node_entry = TAILQ_FIRST(config_node_list);
@@ -130,12 +135,20 @@ qnetd_algo_ffsplit_is_prefered_partition(const struct qnetd_client *client,
 				prefered_node_id = node_entry->node_id;
 			}
 		}
+		case_processed = 1;
 		break;
 	case TLV_TIE_BREAKER_MODE_NODE_ID:
 		prefered_node_id = client->tie_breaker.node_id;
+		case_processed = 1;
 		break;
 	}
 
+	if (!case_processed) {
+		qnetd_log(LOG_CRIT, "qnetd_algo_ffsplit_is_prefered_partition unprocessed "
+		    "tie_breaker.mode");
+		exit(1);
+	}
+
 	return (node_list_find_node_id(membership_node_list, prefered_node_id) != NULL);
 }