Thursday, December 30, 2010

Running the RHQ agent as root? Alternatives? ACLs!


Some RHQ plugins require access to some resources that are normally only readable by root or the respective owner. The example I am using here is the postgres plugin. This plugin needs access to $PGDATA/postgresql.conf in order to show the configuration in the UI (and to possibly update it).

Unfortunately postgres requires this file to be owned by user postgres and only be read(-writable) by this user (mode 600) and the directory containing this file ($PGDATA) is also required to be owned by user postgres and only be accessible by user postgres (mode 700).


One way to access the data is to run the RHQ agent as root and be done. But even if the agent does not do any harm, many admins don't feel comfortable with it, especially when using plugins from third parties that they don't have the source for, or when using the script plugin, which can use shell scripts to do its work.

Luckily there is an easy way to get around this limitation: ACLs

ACLs (access control lists) are a POSIX feature that is implemented in most (all) modern systems these days. Unfortunately, the ways to set and query them differ between systems.

On Red Hat Enterprise Linux (and Fedora and probably all other Linuxes) you can set them like this ('hrupp' is used as agent user):

postgres$ pwd
postgres$ setfacl -m u:hrupp:rw $PGDATA/postgresql.conf
postgres$ setfacl -m u:hrupp:x $PGDATA

ls shows that there are ACLs enabled:

root# ls -lsa
8 drwx--x---+ 13 postgres postgres 4096 Dec 21 14:04 .
24 -rw-rw----+ 1 postgres postgres 16872 Dec 17 12:11 postgresql.conf

See the little + in the perms? That indicates an active ACL. Those can be queried via getfacl:

root# getfacl .
# file: .
# owner: postgres
# group: postgres


root# getfacl postgresql.conf
# file: postgresql.conf
# owner: postgres
# group: postgres

Also remember that the mount options need to enable ACLs first:

root# grep acl /etc/fstab
/dev/mapper/VG_data-data1 /var/db ext4 defaults,acl 1 3


On Mac OS X the command to see them in directory listings is 'ls -lea' (shown below). To set an ACL you can use chmod (here 'hrupp' is used as agent user):

postgres$ pwd
postgres$ chmod +a "hrupp allow read,write" postgresql.conf
postgres$ ls -le postgresql.conf
 -rw-------+ 1 postgres  postgres  16759 Jul 22  2009 postgresql.conf
0: user:hrupp allow read,write
postgres$ chmod +a "hrupp allow execute" .
postgres$ ls -lea
drwx------+ 23 postgres  postgres    782 Dec 30 15:00 . 
0: user:hrupp allow search
-rw-------+  1 postgres  postgres  16759 Jul 22  2009 postgresql.conf 
0: user:hrupp allow read,write

The '0:' tells us that this is the first ACL on the file. If there were more ACLs set, they would be enumerated there as well and evaluated in order.


I have been told that recent Windows versions also support POSIX ACLs, so this should work there as well.


This tip was brought to you by the excellent RHCSA training.



Cocoa for Java Developers said...

This is awesome! We still run JON-agent as root and that sucks big time!

leo said...

That's interesting, but PostgreSQL will not start with info in pgstartup.log ... directory has group or world access ... permissions should be u=rwx (700) ...

Heiko W. Rupp said...

Leo, indeed this is interesting. On OS X, the acls do not interfere with the classic rwx bits, but on RHEL 6 they do. When the server is finally running stuff works as described. Solution could be to have a start script that sets the acl after the server is started and which revokes them on shutdown.
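
The start/stop wrapper idea from the comments above, as an added example that is not part of the original post or its comments. The function names and the grant/revoke/check verbs are assumptions; it grants the agent's ACL entries once the server is up, removes them at shutdown, and checks that the data directory again shows no group or world bits before the next start:

```shell
#!/bin/sh
# Added example: time-boxed ACLs for the RHQ agent user on $PGDATA.
# Function names and the grant/revoke/check verbs are hypothetical.

# Grant search (x) on the data directory and read/write on the config file,
# the same two entries the post sets by hand.
grant_agent_acl() {    # usage: grant_agent_acl USER PGDATA
    setfacl -m "u:$1:x" "$2" &&
    setfacl -m "u:$1:rw" "$2/postgresql.conf"
}

# Remove only the agent's named entries (other ACL entries stay untouched).
# setfacl recalculates the mask by default, so with the original 700/600
# modes the group bits shown by ls drop back to --- afterwards.
revoke_agent_acl() {   # usage: revoke_agent_acl USER PGDATA
    rc=0
    setfacl -x "u:$1" "$2/postgresql.conf" || rc=1
    setfacl -x "u:$1" "$2" || rc=1
    return $rc
}

# True when the mode string shows no group/world bits, i.e. the u=rwx (700)
# state the PostgreSQL startup message quoted in the comments asks for.
pgdata_mode_ok() {     # usage: pgdata_mode_ok PGDATA
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Dispatch: call "grant" after the server has started, "revoke" when it
# stops, and "check" before starting it again.
case "${1:-}" in
    grant)  grant_agent_acl "$2" "$3" ;;
    revoke) revoke_agent_acl "$2" "$3" && pgdata_mode_ok "$3" ;;
    check)  pgdata_mode_ok "$2" ;;
esac
```

Run as the postgres user, for example `sh agent-acl.sh grant hrupp "$PGDATA"` from the init script's post-start step (the script file name is a placeholder).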