Non Root Gluster CLI access

schaffung
Oct 27 · 2 min read

GlusterFS binaries and files, if one were to explore them, are owned by the root user. In *nix, everything is a file, so it is only the owner of a file and people in the allowed group who can execute a binary. Does that mean a non-root user cannot run GlusterFS?

Suppose one works on a system where the default user is, say, ant, who is not in the sudoers file. This implies that ant won’t be able to access (be it opening a file or telling the system to execute its contents) files in the file system that are neither owned by ant nor in ant’s group.

If ant were to run a gluster command, say

$ gluster vol status

They’d be greeted with a sweet response of

ERROR: failed to create logfile "/var/log/glusterfs/cli.log" (Permission denied)
ERROR: failed to open logfile /var/log/glusterfs/cli.log

The reason is that ant doesn’t have the necessary privileges to run the gluster CLI commands. There are various workarounds to this:

  1. Adding ant to the sudoers group and running the commands with sudo.
  2. Setting the setuid bit of the binary.

Path 1 is pretty straightforward, so we won’t look into it. It also raises the question of what to do if the sys admin is adamant about not providing sudo privileges to ant.

So, enter setuid bit…

The setuid bit is a special permission in *nix that can be set on certain files (again, everything is a file!). When it is set on an executable, a user who would normally not be able to do what that file does can still run it, because the bit allows a non-root user to run the file with extended privileges (another way of saying: the same privileges as the owner of the file).

So, root is the owner of the gluster binaries, and to allow ant to run gluster CLI commands, the /usr/sbin/gluster binary (assuming we are just talking about the gluster CLI) needs that bit set.

# chmod u+s /usr/sbin/gluster

Doing an ls on it, we see:

-rwsr-xr-x. 1 root root 511312 Oct 23 12:07 gluster

So, we have an s in the owner’s execute position, which indicates that the setuid permission has been given. Now if ant runs the gluster vol status command, the desired output is received.

To revert to the old state, one can use the same chmod command with a slight change:

# chmod u-s /usr/sbin/gluster

With greater privileges come more threats… setuid should be used only after much thought, a discussion with your sys admin (well, he is the one who can give the permission anyway :p), and consideration of the executable or file to which you are granting this privilege.

One can explore the colourful past of setuid and how people were able to use it as a vector for attacking the whole system.
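
As an added example (not from the original post), the shell sketch below checks how widely a setuid binary is exposed and narrows it to one group with mode 4750, instead of the rwsr-xr-x shown above, which lets every local user run the binary as root. It works on a constructed stand-in file in a temporary directory; the function names and the use of the caller's own group in place of a dedicated admin group are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical, all paths are constructed.

# Classify one file: "none" (no setuid bit), "world" (setuid and executable
# by every user), or "restricted" (setuid, no execute bit for "others").
setuid_exposure() {
    [ -u "$1" ] || { echo none; return 0; }
    # -perm -0001 matches when the execute bit for "others" is set.
    if [ -n "$(find "$1" -prune -perm -0001)" ]; then
        echo world
    else
        echo restricted
    fi
}

# List every setuid regular file under a directory with its classification.
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(setuid_exposure "$f")" "$f"
    done
}

# Narrow a setuid binary to one group: mode 4750 is rwsr-x---.
# chgrp comes first because a change of ownership can clear the setuid bit.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Demo on a throwaway file, so neither root nor a real gluster binary is needed.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/gluster"      # stand-in for /usr/sbin/gluster
    chmod 755 "$d/gluster"
    before=$(setuid_exposure "$d/gluster")
    chmod u+s "$d/gluster"                   # the article's change: rwsr-xr-x
    after=$(setuid_exposure "$d/gluster")
    # Assumption: the caller's own group stands in for a dedicated admin group.
    restrict_to_group "$d/gluster" "$(id -g)"
    narrowed=$(setuid_exposure "$d/gluster")
    rm -rf "$d"
    echo "$before $after $narrowed"
}

demo   # prints: none world restricted
```

Running audit_setuid against a directory such as /usr/sbin before and after a chmod u+s shows which files gained the bit and whether any of them is executable by every user.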
