[ovs-dev,v2,3/3] ovsdb-server: support --user option
diff mbox

Message ID 1441754258-9868-3-git-send-email-azhou@nicira.com
State Changes Requested
Headers show

Commit Message

Andy Zhou Sept. 8, 2015, 11:17 p.m. UTC
Add support for running ovsdb-server as a non-root user, specified
by the --user option. If specified, all I/O access and all
sub-processes will be perfromed as the new user.

Signed-off-by: Andy Zhou <azhou@nicira.com>
---
v2: rewording the man page.
---
 NEWS                 | 1 +
 lib/daemon.man       | 9 +++++++++
 ovsdb/ovsdb-server.c | 6 +++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

Patch
diff mbox

diff --git a/NEWS b/NEWS
index ca22c8e..5192ac1 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,7 @@  Post-v2.4.0
      targets to run a new system testsuite.  These tests can be run inside
      a Vagrant box.  See INSTALL.md for details
    - Dropped support for GRE64 tunnel.
+   - Added --user option to ovsdb-server.
 
 
 v2.4.0 - 20 Aug 2015
diff --git a/lib/daemon.man b/lib/daemon.man
index 4ab9823..78d3d38 100644
--- a/lib/daemon.man
+++ b/lib/daemon.man
@@ -50,3 +50,12 @@  core dumps into the current working directory and the root directory
 is not a good directory to use.
 .IP
 This option has no effect when \fB\-\-detach\fR is not specified.
+.
+.TP
+\fB\-\-user\fR
+Causes \fB\*(PN\fR to run as a non-root user specified in "user:group".
+Short forms "user" and ":group" are also allowed, with current user or group
+assumed respectively. The process must be started by root to make use
+of this option.
+.IP
+Currently only ovsdb-server actually implements this option.
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index 4088d85..fdeecd2 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -1,4 +1,4 @@ 
-/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
+/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -221,6 +221,10 @@  main(int argc, char *argv[])
     process_init();
 
     parse_options(&argc, &argv, &remotes, &unixctl_path, &run_command);
+    /* Drop root privileges and become the new user as soon as possible.
+     * OVSDB server does not need root privileges. If --user option is
+     * not specified, the following function is essentially no-op.  */
+    daemon_become_new_user();
 
     /* Create and initialize 'config_tmpfile' as a temporary file to hold
      * ovsdb-server's most basic configuration, and then save our initial