Description
Environment
- ImmortalWrt 24.10.5 (r33805-7c4e882aaf6f)
- Architecture: x86_64
- Package: keepalived-sync 2.3.1-r1
Problem
In /usr/share/keepalived/scripts/rsync.sh, the mkdir command on the remote peer runs as the keepalived user without sudo, while rsync correctly uses sudo rsync. When the sync target directory (/usr/share/keepalived/rsync/) contains subdirectories owned by root (which is the normal case after sudo rsync -a preserves ownership), the mkdir command fails with:
```
mkdir: can't create directory '/usr/share/keepalived/rsync/etc/...': Permission denied
```
Root Cause
In rsync.sh, line ~59:

```sh
# Current (broken):
timeout 10 ssh $ssh_options $ssh_remote mkdir -m 755 -p "$dirs_list /tmp" || {
# Should be:
timeout 10 ssh $ssh_options $ssh_remote sudo mkdir -m 755 -p "$dirs_list /tmp" || {
```

The rsync command already uses sudo via `--rsync-path="sudo rsync"`, but mkdir does not. Since `rsync -a` preserves source file ownership (root:root), the directories on the receiving peer become root-owned after the first sync. Subsequent syncs then fail at the mkdir step because the keepalived user cannot create subdirectories inside root-owned directories.
Additionally
The sudoers file /etc/sudoers.d/keepalived only grants permission for /usr/bin/rsync:

```
keepalived ALL= NOPASSWD:/usr/bin/rsync
```

It should also include /bin/mkdir:

```
keepalived ALL= NOPASSWD:/usr/bin/rsync,/bin/mkdir
```
Expected
The mkdir command should use sudo like rsync does, and the sudoers configuration should permit it.
Workaround
```sh
# Fix rsync.sh (lost on package upgrade)
sed -i 's|ssh_remote mkdir|ssh_remote sudo mkdir|' /usr/share/keepalived/scripts/rsync.sh
# Fix sudoers (preserved on upgrade)
echo 'keepalived ALL= NOPASSWD:/usr/bin/rsync,/bin/mkdir' > /etc/sudoers.d/keepalived
```
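The same two fixes can be applied in a safer, repeatable form. This is an added example, not code from the issue or from the keepalived-sync package: it patches rsync.sh only while the unprivileged mkdir line is still present, and writes the sudoers fragment atomically after a visudo syntax check, since a malformed file in /etc/sudoers.d disables every rule it contains. The function names and the temporary-file handling are my own; the paths and the sudoers rule are the ones from the report.

```shell
#!/bin/sh
# Idempotent application of the two workarounds from the report.
# Paths are arguments so the functions can be exercised on copies.

# Replace the unprivileged remote mkdir with "sudo mkdir" in rsync.sh.
# Safe to re-run: once patched, the original pattern no longer matches.
patch_rsync_script() {
    script="$1"
    if grep -q 'ssh_remote sudo mkdir' "$script"; then
        echo "already patched: $script"
        return 0
    fi
    if ! grep -q 'ssh_remote mkdir' "$script"; then
        echo "no unprivileged mkdir line found in $script" >&2
        return 1
    fi
    sed -i 's|ssh_remote mkdir|ssh_remote sudo mkdir|' "$script"
}

# Install a sudoers fragment: write to a temporary file beside the
# destination, validate it with visudo when visudo is present, set the
# 0440 mode sudo expects, then rename into place. sudo skips files in
# sudoers.d whose names contain a '.', so the temporary file is never
# parsed while it is being written.
install_sudoers_fragment() {
    dest="$1"
    rule="$2"
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$tmp" >/dev/null; then
        echo "refusing to install invalid sudoers fragment: $rule" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# On the affected host (paths and rule from the report):
#   patch_rsync_script /usr/share/keepalived/scripts/rsync.sh
#   install_sudoers_fragment /etc/sudoers.d/keepalived \
#       'keepalived ALL= NOPASSWD:/usr/bin/rsync,/bin/mkdir'
```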