Merge "Apply PAM security limits by running daemons through su"
commit
e90940fcff
@ -1,3 +1,5 @@
|
||||
# Raising open file limit for OpenStack services
|
||||
# Raising open file limit for OpenStack services
|
||||
root soft nofile 102400
|
||||
root hard nofile 112640
|
||||
* soft nofile 102400
|
||||
* hard nofile 112640
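Review bot: The `root` entries only take effect for sessions that pass through pam_limits, and nothing visible on this page checks that the module is enabled in the PAM configuration used by `su`. If it is not, the su wrapper adds a root login without raising the limit. A comment above the entries would record the dependency, for example `# Applied by pam_limits; requires "session required pam_limits.so" in the su PAM config`. The `*` entries raise the descriptor ceiling for every account on the node rather than only the service accounts, so confirm that scope is intended; the page does not mark which of these lines are new.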
|
||||
|
@ -201,7 +201,7 @@ dnsmasq_start()
|
||||
fi
|
||||
|
||||
# run the dnsmasq binary
|
||||
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
|
||||
ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} --conf-file=${CONF_FILE} --pid-file="${PIDFILE}"
|
||||
if [ $? -ne 0 ]; then
|
||||
ocf_log err "Error. dnsmasq daemon returned error $?."
|
||||
return $OCF_ERR_GENERIC
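Review bot: The `$?` inside the error message is expanded after `[ $? -ne 0 ]` has already run, so it holds the status of the test (0) and the log always reads `returned error 0`. With the command now wrapped in `su`, a non-zero status can also come from su or the PAM stack itself, which makes the real code more useful when triaging a failed start. Capture it first: `rc=$?` on the line after `ocf_run_as_root`, then `if [ $rc -ne 0 ]; then` and `ocf_log err "Error. dnsmasq daemon returned error $rc."`. The same pattern appears in haproxy_start and ntp_start, while haproxy_reload already saves `rc=$?`. These function bodies start and end outside the hunks.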
|
||||
|
@ -440,7 +440,7 @@ haproxy_start()
|
||||
fi
|
||||
|
||||
# run the haproxy binary
|
||||
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
|
||||
ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}"
|
||||
if [ $? -ne 0 ]; then
|
||||
ocf_log err "Error. haproxy daemon returned error $?."
|
||||
return $OCF_ERR_GENERIC
|
||||
@ -472,7 +472,7 @@ haproxy_reload()
|
||||
ocf_log warn "Cannot block all SYN for the Haproxy reload operation!"
|
||||
fi
|
||||
# reload haproxy binary replacing the old process
|
||||
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
|
||||
ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -f "${CONF_FILE}" -p "${PIDFILE}" -sf "${PID}"
|
||||
rc=$?
|
||||
unblock_client_access
|
||||
ocf_log info "Unblocked all SYN for the Haproxy reload operation"
|
||||
|
@ -191,7 +191,7 @@ ntp_start()
|
||||
fi
|
||||
|
||||
# run the ntp binary
|
||||
ocf_run ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
|
||||
ocf_run_as_root ${COMMAND} ${OCF_RESKEY_extraconf} -u ntp:ntp -p "${PIDFILE}" -4 -g -c "${CONF_FILE}"
|
||||
if [ "${?}" -ne "0" ]; then
|
||||
ocf_log err "Error. ntp daemon returned error $?."
|
||||
return "${OCF_ERR_GENERIC}"
|
||||
|
@ -179,3 +179,19 @@ proc_stop()
|
||||
ocf_log info "${LH} Stopped ${service_name}"
|
||||
return "${OCF_SUCCESS}"
|
||||
}
|
||||
|
||||
###########################################################
|
||||
# Runs a process as root via su to get the whole PAM stack
|
||||
# executed.
|
||||
#
|
||||
# Globals:
|
||||
# none
|
||||
# Arguments:
|
||||
# $* - ocf_run arguments
|
||||
# Returns:
|
||||
# Return code of the ocf_run invocation.
|
||||
###########################################################
|
||||
ocf_run_as_root()
|
||||
{
|
||||
ocf_run su - root -c "$(printf '%q ' "$@")"
|
||||
}
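Review bot: `su - root` starts a login shell, so every daemon launched through this helper now inherits root's login environment (profile scripts sourced, environment reset, working directory changed), and the header comment does not say so. `printf '%q'` is a bash extension whose output is meant to be re-read by bash, so the helper assumes that both this script and root's login shell are bash; the shebang is outside the hunk, so this is unverified. I would extend the header with `# Requires bash (printf %q) for this script and for root's shell.` and `# su - sources root's login profile; keep those files root-owned and not group/world-writable.`. It is also worth confirming that the login shell is needed at all: PAM session modules normally run for plain `su root -c` too, which would avoid the profile dependency (inferred; the PAM configuration is not on the page).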
|
||||
|