ctdb-common: Only respect CTDB_SOCKET in CTDB_TEST_MODE

ctdb-common: Only respect CTDB_SOCKET in CTDB_TEST_MODE

At the moment CTDB_SOCKET can be used outside of test mode even though
nobody should do this.  So, no longer allow this.

This means ensuring CTDB_TEST_MODE is set in the in the
"clusteredmember" selftest environment, so that CTDB_SOCKET is
respected there..

Details...

The associated use of chown(2) and chmod(2), used to secure the socket
in ctdb_daemon.c:ux_socket_bind(), potentially enables a symlink race
attack.  However, the chown(2) is currently not done in test mode, so
restricting the use of CTDB_SOCKET to test mode solves the potential
security issue.

Also, sprinkle warnings about use of CTDB_TEST_MODE in appropriate
places, just to attempt to limit unwanted behaviour.

An alternative could be to use the socket file descriptor with
fchown(2) and fchmod(2).  However, these system calls are not well
defined on sockets.  Still, this was previously done in CTDB's early
days (using the poorly documented method where they are allowed in
Linux (only?) before calling bind(2)).  It was removed (due to
portability issues, via commits
cf1056df94943ddcc3d547d4533b4bc04f57f265 and
2da3fe1b175a468fdff4aa4f65627facd2c28394) and replaced with the
current post-bind chown(2) and chmod(2).

I would like to remove the CTDB_SOCKET environment variable entirely,
since setting CTDB_TEST_MODE and CTDB_BASE covers all reasonable test
environments.  However, I have a feeling that people use it for
interactive testing, and that can still be done in CTDB_TEST_MODE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15921

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reported-by: *GUIAR OQBA * <techokba@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 25 09:02:06 UTC 2025 on atb-devel-224