At the moment CTDB_SOCKET can be used outside of test mode even though
nobody should do this. So, no longer allow this.
This means ensuring CTDB_TEST_MODE is set in the in the
"clusteredmember" selftest environment, so that CTDB_SOCKET is
respected there..
Details...
The associated use of chown(2) and chmod(2), used to secure the socket
in ctdb_daemon.c:ux_socket_bind(), potentially enables a symlink race
attack. However, the chown(2) is currently not done in test mode, so
restricting the use of CTDB_SOCKET to test mode solves the potential
security issue.
Also, sprinkle warnings about use of CTDB_TEST_MODE in appropriate
places, just to attempt to limit unwanted behaviour.
An alternative could be to use the socket file descriptor with
fchown(2) and fchmod(2). However, these system calls are not well
defined on sockets. Still, this was previously done in CTDB's early
days (using the poorly documented method where they are allowed in
Linux (only?) before calling bind(2)). It was removed (due to
portability issues, via commits
cf1056df94943ddcc3d547d4533b4bc04f57f265 and
2da3fe1b175a468fdff4aa4f65627facd2c28394) and replaced with the
current post-bind chown(2) and chmod(2).
I would like to remove the CTDB_SOCKET environment variable entirely,
since setting CTDB_TEST_MODE and CTDB_BASE covers all reasonable test
environments. However, I have a feeling that people use it for
interactive testing, and that can still be done in CTDB_TEST_MODE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15921
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reported-by: *GUIAR OQBA * <techokba@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 25 09:02:06 UTC 2025 on atb-devel-224
(cherry picked from commit
7e2358fcf7be177d6e5de6e26f9d7c5af4acbb0c)
Autobuild-User(v4-23-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-23-test): Fri Sep 26 13:32:06 UTC 2025 on atb-devel-224
{
const char *t = NULL;
+ /*
+ * Do not use CTDB_TEST_MODE outside a test environment to
+ * attempt to (for example) improve installation flexibility.
+ * This is unsupported, may cause unwanted security issues and
+ * may break in future releases.
+ */
t = getenv("CTDB_TEST_MODE");
if (t == NULL) {
return;
char *path_socket(TALLOC_CTX *mem_ctx, const char *daemon)
{
- if (strcmp(daemon, "ctdbd") == 0) {
- const char *t = getenv("CTDB_SOCKET");
+ path_set_test_mode();
+ if (ctdb_paths.test_mode) {
+ if (strcmp(daemon, "ctdbd") == 0) {
+ const char *t = getenv("CTDB_SOCKET");
- if (t != NULL) {
- return talloc_strdup(mem_ctx, t);
+ if (t != NULL) {
+ return talloc_strdup(mem_ctx, t);
+ }
}
}
* Logging setup/options
*/
+
+ /*
+ * Do not use CTDB_TEST_MODE outside a test environment to
+ * attempt to (for example) improve installation flexibility.
+ * This is unsupported, may cause unwanted security issues and
+ * may break in future releases.
+ */
test_mode = getenv("CTDB_TEST_MODE");
/* Log to stderr (ignoring configuration) when running as interactive */
PID file relative to CTDB_BASE.
When testing with multiple local daemons on a single
- machine this does 3 extra things:
+ machine this does some extra things:
* Disables checks related to public IP addresses
* Disables real-time scheduling
+ * Allows the CTDB_SOCKET environment variable to be used to
+ specify ctdbd's Unix domain socket location.
+
+ Do not use this variable outside a test environment to
+ attempt to (for example) improve installation flexibility.
+ This is unsupported, may cause unwanted security issues and
+ may break in future releases.
+
CTDB_DEBUG_HUNG_SCRIPT_LOGFILE=FILENAME
FILENAME specifies where log messages should go when
debugging hung eventscripts. This is a testing option. See
"RESOLV_WRAPPER_HOSTS",
# ctdb stuff
+ "CTDB_TEST_MODE",
"CTDB_PREFIX",
"NUM_NODES",
"CTDB_BASE",
$ret{"CTDB_IFACE_IP_NODE${i}"} = $ip;
}
+ $ret{CTDB_TEST_MODE} = "yes";
$ret{CTDB_BASE} = $ret{CTDB_BASE_NODE0};
$ret{CTDB_SOCKET} = $ret{CTDB_SOCKET_NODE0};
$ret{CTDB_SERVER_NAME} = $ret{CTDB_SERVER_NAME_NODE0};
projects / thirdparty / samba.git / commitdiff
