[ovs-dev] [additional --user changes v4 1/3] lib: simplify daemon_become_new_user__()

Andy Zhou azhou at nicira.com
Wed Nov 11 22:13:47 UTC 2015


A global variable 'switch_user' was used to make sure
we switch process's current user only once. This logic is now
simplified by testing for uid directly; if switch process has
taken place, the current uid will not be zero.

Signed-off-by: Andy Zhou <azhou at nicira.com>

---
v1->v2:  add a log in case --user is specified but not switched.
v2->v3:  remove the log and assert. allow "root" in --user option.
         update man page.
---
 lib/daemon-unix.c | 14 +++-----------
 lib/daemon.man    |  7 ++++---
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
index 868e2c9..0125745 100644
--- a/lib/daemon-unix.c
+++ b/lib/daemon-unix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
+ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2015 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -84,7 +84,6 @@ static bool monitor;
 /* --user: Only root can use this option. Switch to new uid:gid after
  * initially running as root.  */
 static bool switch_user = false;
-static bool non_root_user = false;
 static uid_t uid;
 static gid_t gid;
 static char *user = NULL;
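Review bot: the commit message does not match this hunk. It says the global 'switch_user' is replaced by testing the uid directly, but here `static bool switch_user` stays and `non_root_user` is the variable removed, and none of the visible hunks adds a uid test. Please reword the message to name the variable actually removed, and if a direct uid test is intended, say where it lives.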
@@ -445,11 +444,6 @@ daemonize_start(bool access_datapath)
         switch_user = false;
     }
 
-    /* If --user is specified, make sure user switch has completed by now.  */
-    if (non_root_user) {
-        ovs_assert(geteuid() && getuid());
-    }
-
     if (detach) {
         pid_t pid;
 
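Review bot: removing `ovs_assert(geteuid() && getuid());` from daemonize_start() takes away the post-condition check that the uid switch really happened before the daemon detaches. Allowing "root" in --user means the assert can no longer be unconditional, but it could be kept for the non-root case, for example guarded on the requested `uid` being non-zero, so that a privilege drop that silently failed still stops startup instead of leaving the daemon running as root.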
@@ -875,9 +869,7 @@ daemon_become_new_user(bool access_datapath)
     assert_single_threaded();
     if (switch_user) {
         daemon_become_new_user__(access_datapath);
-
-        /* Make sure daemonize_start() will not switch
-         * user again. */
+        /* daemonize_start() should not switch user again. */
         switch_user = false;
     }
 }
@@ -1041,5 +1033,5 @@ daemon_set_new_user(const char *user_spec)
         }
     }
 
-    switch_user = non_root_user = true;
+    switch_user = true;
 }
diff --git a/lib/daemon.man b/lib/daemon.man
index 039a0c4..ff0b157 100644
--- a/lib/daemon.man
+++ b/lib/daemon.man
@@ -53,15 +53,16 @@ This option has no effect when \fB\-\-detach\fR is not specified.
 .
 .TP
 \fB\-\-user\fR
-Causes \fB\*(PN\fR to run as a non root user specified in "user:group", thus
-dropping all root privileges. Short forms "user" and ":group" are also
+Causes \fB\*(PN\fR to run as a different user specified in "user:group", thus
+dropping most of the root privileges. Short forms "user" and ":group" are also
 allowed, with current user or group are assumed respectively. Only daemons
 started by the root user accepts this argument.
 .IP
 On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES
 before dropping root privileges. Daemons interact with datapath,
 such as ovs-vswitchd, will be granted two additional capabilities, namely
-CAP_NET_ADMIN and CAP_NET_RAW.
+CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if
+new user is "root".
 .IP
 On Windows, this option is not currently supported. For security reasons,
 specifying this option will cause the daemon process not to start.
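Review bot: the new wording "dropping most of the root privileges" is vague for a man page, and the added sentence "The capability change will apply even if new user is "root"" does not tell the operator what they end up with. Suggest stating explicitly that with --user root the process keeps uid 0 but its capability set is changed as listed in this paragraph, and adding the missing article ("the new user"). Since the paragraph is being touched anyway, the context line's CAP_NET_BIND_SERVICES should read CAP_NET_BIND_SERVICE, and "started by the root user accepts" should be "accept".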
-- 
1.9.1



