From patchwork Tue Sep 8 23:17:38 2015
X-Patchwork-Submitter: Andy Zhou
X-Patchwork-Id: 515636
From: Andy Zhou
To: dev@openvswitch.org
Date: Tue, 8 Sep 2015 16:17:38 -0700
Message-Id: <1441754258-9868-3-git-send-email-azhou@nicira.com>
In-Reply-To: <1441754258-9868-1-git-send-email-azhou@nicira.com>
Subject: [ovs-dev] [v2 3/3] ovsdb-server: support --user option

Add support for running ovsdb-server as a non-root user, specified by the --user option. If specified, all I/O access and all sub-processes will be performed as the new user.

Signed-off-by: Andy Zhou
---
v2: rewording the man page.
---
 NEWS                 | 1 +
 lib/daemon.man       | 9 +++++++++
 ovsdb/ovsdb-server.c | 6 +++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS index ca22c8e..5192ac1 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,7 @@ Post-v2.4.0 targets to run a new system testsuite. These tests can be run inside a Vagrant box. See INSTALL.md for details - Dropped support for GRE64 tunnel. + - Added --user option to ovsdb-server. v2.4.0 - 20 Aug 2015 diff --git a/lib/daemon.man b/lib/daemon.man index 4ab9823..78d3d38 100644 --- a/lib/daemon.man +++ b/lib/daemon.man 
@@ -50,3 +50,12 @@ core dumps into the current working directory and the root directory is not a good directory to use. .IP This option has no effect when \fB\-\-detach\fR is not specified. +. +.TP +\fB\-\-user\fR +Causes \fB\*(PN\fR to run as a non-root user specified in "user:group". +Short forms "user" and ":group" are also allowed, with current user or group +assumed respectively. The process must be started by root to make use +of this option. +.IP +Currently only ovsdb-server actually implements this option. diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c index 4088d85..fdeecd2 100644 --- a/ovsdb/ovsdb-server.c +++ b/ovsdb/ovsdb-server.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc. +/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -221,6 +221,10 @@ main(int argc, char *argv[]) process_init(); parse_options(&argc, &argv, &remotes, &unixctl_path, &run_command); + /* Drop root privileges and become the new user as soon as possible. + * OVSDB server does not need root privileges. If --user option is + * not specified, the following function is essentially no-op. */ + daemon_become_new_user(); /* Create and initialize 'config_tmpfile' as a temporary file to hold * ovsdb-server's most basic configuration, and then save our initial
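Review bot: the new \fB\-\-user\fR entry in the lib/daemon.man hunk says the process "must be started by root to make use of this option" but does not say what happens when it is not (option rejected with an error, or silently ignored), and it does not tell the operator that everything the daemon touches after the switch must be accessible to the new identity. Since the commit message says all I/O is performed as the new user, the database file and the directories the daemon writes to (the paragraph just above still talks about core dumps landing in the working directory) have to be owned by or writable for "user:group"; suggest one sentence covering both points, and spelling out whether the group defaults to the named user's primary group or to the caller's current group when only "user" is given (the text currently says "current user or group assumed respectively").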
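Review bot: in the ovsdb/ovsdb-server.c main() hunk, daemon_become_new_user() is called with no result checked, and the comment only covers the case where --user is absent ("essentially no-op"); the failure case, i.e. --user given but the user/group lookup or the id switch fails, is not described here. Because this single call is the entire privilege drop, continuing as root after a failed switch would silently defeat the option, so the behaviour should be documented as fatal at this call site; suggest extending the comment, e.g. "If --user is given and the switch fails, the process exits rather than continuing as root." It is also worth saying in the comment that everything after this point, including the config_tmpfile created right below, now runs as the new user, so those paths must be accessible to it.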