File 0001-make-secure-tmp-files.patch of Package resource-agents.20909

From 1191d685b3ac1008af3f45fd8099759efb4de37a Mon Sep 17 00:00:00 2001
From: Peter Varkoly <varkoly@suse.com>
Date: Tue, 24 Mar 2020 18:37:15 +0100
Subject: [PATCH 1/2] Predictable tmp file in sapdb-nosha.sh The name is easily
 predicted. Use /var/run instead of /tmp make it secure.

---
 heartbeat/sapdb-nosha.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/heartbeat/sapdb-nosha.sh b/heartbeat/sapdb-nosha.sh
index 06aa65c4b..cee1f7f99 100644
--- a/heartbeat/sapdb-nosha.sh
+++ b/heartbeat/sapdb-nosha.sh
@@ -740,5 +740,5 @@ sidadm="`echo $SID | tr '[:upper:]' '[:lower:]'`adm"
 }
 
 # Set a tempfile and make sure to clean it up again
-TEMPFILE="/tmp/SAPDatabase.$$.tmp"
-trap trap_handler INT TERM
\ No newline at end of file
+TEMPFILE="/var/run/SAPDatabase.$$.tmp"
+trap trap_handler INT TERM
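Review bot: The new `TEMPFILE` name is still built from `$$`, so it is as guessable as before; the change is safe only because unprivileged users normally cannot create entries in `/var/run`, and it will fail if this script ever runs under a non-root account. Letting `mktemp` choose the name removes the dependence on directory permissions, e.g. `TEMPFILE="$(mktemp /var/run/SAPDatabase.XXXXXX)"` with its exit status checked. The later sapdb-nosha.sh hunk in this series keeps the same `$$` suffix. The trap on the last line covers only INT and TERM, and `trap_handler` is defined outside the hunk, so whether the file is removed on a normal exit cannot be confirmed from here.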

From c6eb0d5de943a3047c4eec211a366372ad9d8c86 Mon Sep 17 00:00:00 2001
From: Peter Varkoly <varkoly@suse.com>
Date: Wed, 25 Mar 2020 11:16:07 +0100
Subject: [PATCH 2/2] Fix predictable tmp file using in some agents.

---
 heartbeat/ClusterMon                |  4 ++--
 heartbeat/openstack-cinder-volume   |  2 +-
 heartbeat/sapdb-nosha.sh            |  2 +-
 rgmanager/src/resources/oradg.sh.in | 10 +++++-----
 tools/ocft/caselib.in               | 10 +++++-----
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/heartbeat/ClusterMon b/heartbeat/ClusterMon
index 1d45ff47e..2bbf87da4 100755
--- a/heartbeat/ClusterMon
+++ b/heartbeat/ClusterMon
@@ -45,8 +45,8 @@
 OCF_RESKEY_user_default="root"
 OCF_RESKEY_update_default="15000"
 OCF_RESKEY_extra_options_default=""
-OCF_RESKEY_pidfile_default="/tmp/ClusterMon_${OCF_RESOURCE_INSTANCE}.pid"
-OCF_RESKEY_htmlfile_default="/tmp/ClusterMon_${OCF_RESOURCE_INSTANCE}.html"
+OCF_RESKEY_pidfile_default="${HA_RSCTMP}/ClusterMon_${OCF_RESOURCE_INSTANCE}.pid"
+OCF_RESKEY_htmlfile_default="${HA_RSCTMP}/ClusterMon_${OCF_RESOURCE_INSTANCE}.html"
 
 : ${OCF_RESKEY_user=${OCF_RESKEY_user_default}}
 : ${OCF_RESKEY_update=${OCF_RESKEY_update_default}}
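Review bot: Both new defaults expand `${HA_RSCTMP}` with no guard, so if the variable is unset or empty when these lines run, the pidfile and htmlfile defaults become `/ClusterMon_<instance>.pid` and `/ClusterMon_<instance>.html` in the filesystem root. The hunk starts at line 45 and does not show whether the OCF shell functions that normally define `HA_RSCTMP` are sourced before it, so that ordering should be confirmed. A cheap guard is `: "${HA_RSCTMP:?HA_RSCTMP is not set}"` ahead of the defaults. The same unguarded expansion appears in the openstack-cinder-volume, sapdb-nosha.sh and tools/ocft/drbd.linbit hunks of this series.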
diff --git a/heartbeat/openstack-cinder-volume b/heartbeat/openstack-cinder-volume
index f47570b8b..d8e12c92f 100755
--- a/heartbeat/openstack-cinder-volume
+++ b/heartbeat/openstack-cinder-volume
@@ -35,7 +35,7 @@
 
 # Defaults
 OCF_RESKEY_openstackcli_default="/usr/bin/openstack"
-OCF_RESKEY_node_id_cache_file_default="/tmp/node_id"
+OCF_RESKEY_node_id_cache_file_default="${HA_RSCTMP}/node_id"
 OCF_RESKEY_volume_local_check_default="true"
 
 export attached_server_id=""
diff --git a/heartbeat/sapdb-nosha.sh b/heartbeat/sapdb-nosha.sh
index cee1f7f99..31b52e7fe 100644
--- a/heartbeat/sapdb-nosha.sh
+++ b/heartbeat/sapdb-nosha.sh
@@ -740,5 +740,5 @@ sidadm="`echo $SID | tr '[:upper:]' '[:lower:]'`adm"
 }
 
 # Set a tempfile and make sure to clean it up again
-TEMPFILE="/var/run/SAPDatabase.$$.tmp"
+TEMPFILE="${HA_RSCTMP}/SAPDatabase.$$.tmp"
 trap trap_handler INT TERM
diff --git a/rgmanager/src/resources/oradg.sh.in b/rgmanager/src/resources/oradg.sh.in
index 4674fe1b2..955f93e18 100644
--- a/rgmanager/src/resources/oradg.sh.in
+++ b/rgmanager/src/resources/oradg.sh.in
@@ -122,7 +122,7 @@ end;
 select database_role, open_mode from v\$database;
 set heading off;
 set serveroutput off;
-spool /tmp/dgstatus.${ORACLE_SID};
+spool ${HA_RSCTMP}/dgstatus.${ORACLE_SID};
 select open_mode from v\$database;
 spool off;
 EOF
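Review bot: The `spool` target is written by the SQL client, not by the agent's shell, so this change only works if the account that runs this here-document can create files in `${HA_RSCTMP}`. If that is a dedicated Oracle account and the directory is writable by root only, the spool file is never created, and the `-s` test in `start_oracle` (next hunk) then skips the DB Console start without logging anything. Nothing visible in this rgmanager script shows where `HA_RSCTMP` is defined either, so both the directory's ownership and the variable's origin are worth confirming. The here-document begins outside the hunk.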
@@ -463,9 +463,9 @@ start_oracle() {
 		fi
 	done
 
-	if [ -n "$ORACLE_HOSTNAME" -a -s /tmp/dgstatus.${ORACLE_SID} ]; then
+	if [ -n "$ORACLE_HOSTNAME" -a -s ${HA_RSCTMP}/dgstatus.${ORACLE_SID} ]; then
         	# Start DB Console if vhost defined and database_role is READ WRITE
-		if cat /tmp/dgstatus.${ORACLE_SID} 2>/dev/null | grep "READ WRITE"; then
+		if cat ${HA_RSCTMP}/dgstatus.${ORACLE_SID} 2>/dev/null | grep "READ WRITE"; then
 			ocf_log info "Starting Oracle EM DB Console for $ORACLE_SID"
 			emctl start dbconsole
 			if [ $? -ne 0 ]; then
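Review bot: The new path is used unquoted in the `[ ... -s ... ]` test, in the `cat`, and in the `rm -f` of the following hunk, so an empty `HA_RSCTMP` turns all three into operations on `/dgstatus.<SID>`, and a value containing whitespace breaks the test. Quoting the path and failing on an empty value covers both cases: `if [ -n "$ORACLE_HOSTNAME" ] && [ -s "${HA_RSCTMP:?}/dgstatus.${ORACLE_SID}" ]; then` and `rm -f -- "${HA_RSCTMP:?}/dgstatus.${ORACLE_SID}"`. Splitting the test also drops the `-a` operator, which POSIX marks obsolescent. `start_oracle` begins and ends outside these hunks.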
@@ -478,7 +478,7 @@ start_oracle() {
 				ocf_log info "Oracle EM DB Console startup for $ORACLE_SID succeeded"
 			fi
 		fi
-                rm -f /tmp/dgstatus.${ORACLE_SID}
+                rm -f ${HA_RSCTMP}/dgstatus.${ORACLE_SID}
 	fi
 
 	if [ -n "$LOCKFILE" ]; then
@@ -619,7 +619,7 @@ status_oracle() {
 # Data Guard Modification 1 - Debug Logging
 case $1 in
 stop | start | status | restart | recover | monitor )
-[ $(id -u) = 0 ] && exec > "/tmp/oradg_${ORACLE_SID}_$1.log" 2>&1
+[ $(id -u) = 0 ] && exec > "${HA_RSCTMP}/oradg_${ORACLE_SID}_$1.log" 2>&1
 set -x
 date
 echo $@
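Review bot: Everything the agent prints, plus the full `set -x` trace, now lands in `${HA_RSCTMP}/oradg_${ORACLE_SID}_$1.log`, and the file is created with whatever umask the caller has. An xtrace of a database agent can contain expanded command arguments and environment values, so the log should be created owner-only, for example with `umask 077` immediately before the `exec` line (restoring the previous umask afterwards if other files depend on it). The `$(id -u)` in the test is also unquoted; `[ "$(id -u)" = 0 ]` is the safer spelling. The `case` statement continues outside the hunk.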
diff --git a/tools/ocft/caselib.in b/tools/ocft/caselib.in
index 1857e6381..33ffa72dd 100644
--- a/tools/ocft/caselib.in
+++ b/tools/ocft/caselib.in
@@ -93,7 +93,7 @@ agent_run()
 
   aroot=${__OCFT__MYROOT:-$__OCFT__AGENT_ROOT}
 
-  setsid $aroot/$agent $cmd >/tmp/.ocft_runlog 2>&1 &
+  setsid $aroot/$agent $cmd >${HA_RSCTMP}/.ocft_runlog 2>&1 &
   pid=$!
 
   i=0
@@ -111,7 +111,7 @@ agent_run()
     kill -SIGKILL -$pid >/dev/null 2>&1
     echo -n "${__OCFT__showhost}ERROR: The agent was hanging, killed it, "
     echo "maybe you damaged the agent or system's environment, see details below:"
-    cat /tmp/.ocft_runlog
+    cat ${HA_RSCTMP}/.ocft_runlog
     echo
     quit 1
   fi
@@ -174,7 +174,7 @@ backbash_start()
   fi
 
   ssh root@$host '@BASH_SHELL@ 2>&1
-                  sed "s/00/001/g" /tmp/.backbash-log
+                  sed "s/00/001/g" ${HA_RSCTMP}/.backbash-log
                   echo 000
                   echo 1' >$__OCFT__CASES_DIR/${host}_r <$__OCFT__CASES_DIR/${host}_w &
 
@@ -203,8 +203,8 @@ EOF
   cat >&$wfd
   cat >&$wfd <<EOF
 
-} >&/tmp/.backbash-log
-sed 's/00/001/g' /tmp/.backbash-log
+} >&${HA_RSCTMP}/.backbash-log
+sed 's/00/001/g' ${HA_RSCTMP}/.backbash-log
 echo 000
 echo 0
 EOF
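Review bot: The two `.backbash-log` references are expanded on different machines. In the `backbash_start` hunk above, the `sed` line sits inside the single-quoted ssh command, so `${HA_RSCTMP}` is resolved by the remote shell, while in this hunk the `} >&${HA_RSCTMP}/.backbash-log` and `sed` lines sit in an unquoted `<<EOF` here-document and are resolved locally before being sent. If the remote login shell has no `HA_RSCTMP`, the remote `sed` reads `/.backbash-log` while the log was written under the local value of the path. Expanding locally in both places keeps them in step, e.g. `sed "s/00/001/g" '"${HA_RSCTMP}"'/.backbash-log` in the ssh string; where caselib gets `HA_RSCTMP` from is not visible in these hunks.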
From 82d29f5d226712b84aea9b73515a8bd5ebcca674 Mon Sep 17 00:00:00 2001
From: Nick Wang <nwang@suse.com>
Date: Thu, 19 Mar 2020 14:50:42 +0800
Subject: [PATCH 1/2] Correct the output varible of oradg.sh.in

---
 rgmanager/src/resources/oradg.sh.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rgmanager/src/resources/oradg.sh.in b/rgmanager/src/resources/oradg.sh.in
index 955f93e18..b55233b96 100644
--- a/rgmanager/src/resources/oradg.sh.in
+++ b/rgmanager/src/resources/oradg.sh.in
@@ -195,7 +195,7 @@ stop_db() {
 	fi
 
 	# If we see 'ORA-' or 'failure' in stdout, we're done.
-	if [[ "$startup_stdout" =~ "ORA-" ]] || [[ "$startup_stdout" =~ "failure" ]]; then
+	if [[ "$stop_stdout" =~ "ORA-" ]] || [[ "$stop_stdout" =~ "failure" ]]; then
 		ocf_log error "Stopping Oracle DB $ORACLE_SID failed, errors in stdout"
 		return 1
 	fi

From afb4269626379ade82bd0c155f7a11cd3f0d37b1 Mon Sep 17 00:00:00 2001
From: Nick Wang <nwang@suse.com>
Date: Wed, 18 Mar 2020 22:26:56 +0800
Subject: [PATCH 2/2] ocft drbd.linbit: Make secure tmp file (#1467)

---
 tools/ocft/drbd.linbit | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/ocft/drbd.linbit b/tools/ocft/drbd.linbit
index 4cc5519b4..57fa088e9 100644
--- a/tools/ocft/drbd.linbit
+++ b/tools/ocft/drbd.linbit
@@ -7,7 +7,7 @@ CONFIG
         HangTimeout 20
 
 VARIABLE
-	DRBDCONF=/tmp/ocft_drbd_tmp.conf
+	DRBDCONF=${HA_RSCTMP}/ocft_drbd_tmp.conf
 
         # should be this machine's hostname/ip, please modify it by yourself.
 	NAME_1=HOSTNAME1