SLES 11 SP4 HAE: problems with login to HAWK

SLES High Availability Extension
1

Hi,

i just have created a two node cluster with SLES 11 SP4. I have problems with the login to HAWK.
Logging in as root, who is a member of the group haclient, gives me the error: Error invoking /usr/sbin/cibadmin -Ql: ERROR: Thou shalt not become root.
Ok. I should not login as root, i know. But i always login as root, it’s a server and not a desktop.
A normal user account does not make sense. But ok. I created a user and put him i the group haclient. Login with this account does not throw an error.

Now i created some ressources, but starting these throw errors. If i click on one of the links of the error messages
(e.g. Failed op: node=ha-idg-1, resource=prim_sbd_stonith, call-id=17, operation=start, rc-code=1, exit-reason=), i get the message:
Error: Permission denied for user ‘bernd’. Umpf.

What can i do ? I have problems with both accounts.

Thanks.

Bernd

2

Per the documentation:

https://www.suse.com/documentation/sle-ha-12/install-quick/data/install-quick.html#sec_ha_inst_quick_setup_1st-node

The default username/password is hacluster/linux so trying those may help.

Please understand I mean this next part as a help, not a critique, but you
should not normally login to any old system as ‘root’; doing so gives
Linux the same disadvantages inherent in insecure platforms like windows
where everything you do has historically needed escalated privileges.
Every mistake can impact the whole system, every bit of malware has its
run of everything, including the kernel, every mountpoint is at risk even
if currently unmounted.

If you need to do something privileged, because after all it’s a server
(or really, even on a desktop), then do the steps to authorize that, and
thereby know what is happening. Otherwise there is no warning that you’re
about to not only nuke your home directory, but that organization-powering
database over in /var which should be system-only.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

3

Hi,

thanks for your answer. User hacluster works fine.

I don’t understand it as a critique. I had this discussion already several time, once on an Ubuntu ML.
I see your point, but i don’t agree.
When i login to one of our servers, this happens because i have administrative stuff to do. If i don’t have administrative stuff to, i don’t login in our servers.
Why should i ?
To edit configuration files, restart services, read logs like /var/log/messages i always need root rights.
Of course, i can logon as peterpan, and issue sudo for every command i execute. But where is the gain of security, if i issue a “sudo rm -rfv /etc” to doing the same being root
and not using sudo ?
In both cases i have to be cautious and know what i’m doing.
I try to be as cautious as i can be. In 12 years of administrating linux servers i made one severe mistake (i deleted /etc on a server).
But that happened not because i forgot that i am root, but because i forgot in which folder i resides.
Using sudo, i would have done the same mistake.

Bernd

4

On 01/25/2017 10:14 AM, berndgsflinux wrote:[color=blue]

thanks for your answer. User hacluster works fine.[/color]

Glad to hear it. Thanks for posting back your result.
[color=blue]

I don’t understand it as a critique. I had this discussion already
several time, once on an Ubuntu ML.
I see your point, but i don’t agree.
When i login to one of our servers, this happens because i have
administrative stuff to do. If i don’t have administrative stuff to, i
don’t login in our servers.
Why should i ?[/color]

Perhaps we do different things on servers; a lot of things that I do never
require ‘root’, such as verifying that services are up, modifying non-root
services (many things on servers do not run as ‘root’ such as DNS, Apache
httpd, Apache Tomcat, eDirectory, various proprietary applications, etc.)
so going all the way to ‘root’, vs. the specific account I need (I may be
a group, or I may ‘sudo’ to become that user) is overkill.
[color=blue]

To edit configuration files, restart services, read logs like
/var/log/messages i always need root rights.[/color]

Yes, for these three things you likely would, though you could probably
remove the last one with a filesystem ACL (FACL) defined once and maybe
also perpetuated via a small change to a logrotate configuration file.
[color=blue]

Of course, i can logon as peterpan, and issue sudo for every command i
execute. But where is the gain of security, if i issue a “sudo rm -rfv
/etc” to doing the same being root
and not using sudo ?[/color]

Yes, you would. In my case, anytime I use ‘sudo’ it means one of two
things for my own process:

  1. I try it without root and make sure that the error is what I expect,
    such as an error about permissions for the thing I want to
    create/change/modify.

  2. After typing the command I stop and look at it to be sure it’s really
    what I want. Did I use relative paths? Do those work where I am? Is
    there an absolute path (leading slash) and if so was that intended? Am I
    even on the right box for this operation (when SSH’d into a dozen systems
    and doing a lot of things in sequence)?

From a step back, using ‘sudo’ (or equivalent) explicitly implies a focus
on the task at hand and adherence to the principle of Least Privilege
which is good for security, if not operational stability due to accidents
(nuking /etc would certainly count). Take it or leave it. :slight_smile:


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…