Glusterfs binaries and files, if one had to explore will fall under the root user. In nix everything is a file. Thereby it is only the owner of a file and people in the allowed group who can execute a binary. Does that mean non root user cannot run Glusterfs?
If one were to work in a system wherein the default user is say ant which is not a part of the sudoers file. This implies that they won’t be able to access ( be it opening the file or telling the system to execute the contents of that file ) the files in the file system which are not in their group or falling under ant user.
If ant were to run a gluster command say
# gluster vol status
They’d be greeted with a sweet response of
ERROR: failed to create logfile "/var/log/glusterfs/cli.log" (Permission denied)
ERROR: failed to open logfile /var/log/glusterfs/cli.log
The reason being ant doesn’t have the necessary privileges to run the gluster cli commands. Now there are various workarounds to this..
- Adding ant to sudoers group and running the commands with sudo
- Setting the setuid bit of the binary.
The path 1 is pretty straightforward so we won’t look into it and also, this begs the question as to what if the sys admin is pretty adamant as to not to provide sudo privileges to ant.
So, enter setuid bit…
The setuid bit is a special permission present in nix wherein certain files ( again, everything is a file!!) can be accessed by a user who in a normal instance should not even be accessing the said file but is able to as the file has a bit set. This bit is what allows a non root user to run files with extended privileges ( another way of saying, the same privileges as that the owner of the file ).
So, root is the owner of the gluster binaries and to allow ant to run gluster cli commands, the /usr/sbin/gluster ( assuming we are just talking about the gluster cli ) binary will require a bit, to be set.
# chmod u+s /usr/sbin/gluster
on doing a ls on that we see that..
-rwsr-xr-x. 1 root root 511312 Oct 23 12:07 gluster
So, we have a s here which indicates that the setuid permissions have been given. Now if the ant were to run the gluster vol status command, the desired output will be received.
To revert back to the old state, one can use the same chmod command with a slight change,
# chmod u-s /usr/sbin/gluster
With greater privileges comes more threats… setuid has to be used after much thought and discussion with your sys admin ( well he is the one who can anyhow give the permission :p ) and considering the executable or the file to which you are providing this privilege.
One can explore the colourful past of setuid and how people were able to use it as a vector for attacking the whole system.