<div dir="ltr">Hi,<br><br>I used following method:<br><br>pgpool.conf:<div>...<br><div>ping_path = '/bin'</div><div>ifconfig_path = '/usr/bin'</div><div>if_up_cmd = 'sudo ifconfig eth0:0 inet $_IP_$ netmask 255.255.255.0'<br>
</div><div>if_down_cmd = 'sudo ifconfig eth0:0 down'<br></div><div>arping_path = '/usr/bin'<br></div><div>arping_cmd = 'sudo arping -U $_IP_$ -w 1'<br></div><div>....<br><br></div><div style>and a string in /etc/sudoers. I just don't like this decision but it works. It's better than run daemon as root.<br>
<br>Thanks, Yuriy</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/4/11 Tatsuo Ishii <span dir="ltr"><<a href="mailto:ishii@postgresql.org" target="_blank">ishii@postgresql.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So your idea is edit /etc/sudoers to allow to execute via sudo arping<br>
and ifconfig without password? I'm not a security expert but this<br>
sounds like a good idea to me.<br>
<div class="im"><br>
> Hi,<br>
><br>
> I am trying to avoid running pgpool as root but it seems it expects you to use a setuid root executable (which I'm not comfortable with). I've come up with a solution which I think should be acceptable but does not currently work because the code will exit based on what it thinks is required.<br>
><br>
> I feel like this should be decided by the administrator via either compile time option and/or command line argument and or configuration param.<br>
<br>
</div>Agreed. Do you think which option is the best?<br>
<div class="HOEnZb"><div class="h5"><br>
> Here's what I've done:<br>
><br>
> ifconfig_path = '/var/lib/postgresql/bin'<br>
> if_up_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 up'<br>
> if_down_cmd = 'pg_ifconfig eth0:2 $_IP_$ 255.255.255.0 down'<br>
> arping_path = '/var/lib/postgresql/bin' # arping command path<br>
> arping_cmd = 'pg_arping $_IP_$ 1'<br>
><br>
> created 2 scripts (pg_arping/pg_ifconfig) which execute the commands required via sudo:<br>
><br>
> $ cat pg_arping<br>
> #!/bin/bash<br>
> [ $# -ne 2 ] && echo "$0 ip.add.re.ss timeout" && exit 3<br>
> ip=$1<br>
> timeout=$2<br>
> /usr/bin/sudo /usr/sbin/arping -U $ip -w $timeout<br>
><br>
> $ cat pg_ifconfig<br>
> #!/bin/bash<br>
> [ $# -ne 4 ] && echo "$0 interface ip.add.re.ss netmask [up|down]" && exit 3<br>
> iface=$1<br>
> ip=$2<br>
> netmask=$3<br>
> action=$4<br>
> /usr/bin/sudo /sbin/ifconfig $iface inet $ip netmask $netmask $action<br>
><br>
><br>
> FYI to get this working I simply removed the code I didn't like, but I'm not a huge fan of this either:<br>
><br>
> main.c:<br>
><br>
> /* check root<br>
> if (geteuid() != 0)<br>
> {<br>
> pool_error("watchdog must be started under the privileged user ID to up/down virtual network interface.");<br>
> pool_shmem_exit(1);<br>
> exit(1);<br>
> } */<br>
><br>
> --kyleo<br>
> _______________________________________________<br>
> pgpool-general mailing list<br>
> <a href="mailto:pgpool-general@pgpool.net">pgpool-general@pgpool.net</a><br>
> <a href="http://www.pgpool.net/mailman/listinfo/pgpool-general" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-general</a><br>
_______________________________________________<br>
pgpool-general mailing list<br>
<a href="mailto:pgpool-general@pgpool.net">pgpool-general@pgpool.net</a><br>
<a href="http://www.pgpool.net/mailman/listinfo/pgpool-general" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-general</a><br>
</div></div></blockquote></div><br></div>