[ovs-dev] [additional --user changes v4 2/3] vlog: change log file owner when switching user
Ansis Atteka
ansisatteka at gmail.com
Wed Nov 11 22:48:58 UTC 2015
On 11 November 2015 at 14:13, Andy Zhou <azhou at nicira.com> wrote:
> vlog log file can be created when parsing --log-file option, before
> switching user, in case the --user option is also specified. While this
> does not directly cause errors for the running daemons, it can
> leave the log files on the disk as created under the "root" user.
> This patch fix the log file ownership to the user specified with --user.
>
> Signed-off-by: Andy Zhou <azhou at nicira.com>
>
> ---
> v1->v2: Add a comment on vlog_change_owner return code.
> v2->v3: no change
> v3->v4: Reword the commit message. change vlog_change_owner() to void.
> ---
> include/openvswitch/vlog.h | 1 +
> lib/daemon-unix.c | 6 +++++-
> lib/vlog.c | 22 +++++++++++++++++++++-
> 3 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/include/openvswitch/vlog.h b/include/openvswitch/vlog.h
> index f6bb3ab..bc16590 100644
> --- a/include/openvswitch/vlog.h
> +++ b/include/openvswitch/vlog.h
> @@ -143,6 +143,7 @@ void vlog_set_verbosity(const char *arg);
> void vlog_set_pattern(enum vlog_destination, const char *pattern);
> int vlog_set_log_file(const char *file_name);
> int vlog_reopen_log_file(void);
> +void vlog_change_owner(uid_t, gid_t);
>
> /* Configure method how vlog should send messages to syslog server. */
> void vlog_set_syslog_method(const char *method);
> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
> index 0125745..e69517a 100644
> --- a/lib/daemon-unix.c
> +++ b/lib/daemon-unix.c
> @@ -739,7 +739,7 @@ daemon_switch_group(gid_t real, gid_t effective,
> {
> if ((setresgid(real, effective, saved) == -1) ||
> !gid_verify(real, effective, saved)) {
> - VLOG_FATAL("%s: fail to switch group to gid as %d, aborting",
> + VLOG_FATAL("%s: failed to switch group to gid as %d, aborting",
> pidfile, gid);
> }
> }
> @@ -847,6 +847,10 @@ daemon_become_new_user_linux(bool access_datapath
> OVS_UNUSED)
> static void
> daemon_become_new_user__(bool access_datapath)
> {
> + /* If vlog file has been created, change its owner to the non-root
> user
> + * as specifed by the --user option. */
> + vlog_change_owner(uid, gid);
> +
> if (LINUX) {
> if (LIBCAPNG) {
> daemon_become_new_user_linux(access_datapath);
> diff --git a/lib/vlog.c b/lib/vlog.c
> index da31e6f..ade0a45 100644
> --- a/lib/vlog.c
> +++ b/lib/vlog.c
> @@ -105,7 +105,7 @@ DEFINE_STATIC_PER_THREAD_DATA(unsigned int, msg_num,
> 0);
> * All of the following is protected by 'log_file_mutex', which nests
> inside
> * pattern_rwlock. */
> static struct ovs_mutex log_file_mutex = OVS_MUTEX_INITIALIZER;
> -static char *log_file_name OVS_GUARDED_BY(log_file_mutex);
> +static char *log_file_name = NULL OVS_GUARDED_BY(log_file_mutex);
> static int log_fd OVS_GUARDED_BY(log_file_mutex) = -1;
> static struct async_append *log_writer OVS_GUARDED_BY(log_file_mutex);
> static bool log_async OVS_GUARDED_BY(log_file_mutex);
> @@ -430,6 +430,26 @@ vlog_reopen_log_file(void)
> }
> }
>
> +/* In case a log file exists, change its owner to new 'user' and 'group'.
> + *
> + * This is useful for handling cases where the --log-file option is
> + * specified ahead of the --user option. */
> +void
> +vlog_change_owner(uid_t user, gid_t group)
> +{
> + int error = 0;
> +
> + if (log_file_name) {
> + ovs_mutex_lock(&log_file_mutex);
> + error = chown(log_file_name, user, group);
> + ovs_mutex_unlock(&log_file_mutex);
> + }
> +
> + if (error) {
> + VLOG_FATAL("Failed to change log file ownership.");
>
I would print errno value here and the file name you are actually trying to
change the ownership for. It would simply provide a hint to the users on
what was actually wrong, if it failed.
VLOG_FATAL("Failed to change %s ownership: %s", log_file_name,
ovs_strerror(errno));
And early return from function if log_file_name is NULL to make code look
better.
+ }
> +}
> +
>
Otherwise, Acked-by: Ansis Atteka <aatteka at nicira.com>
Thanks for working on this, Andy.
More information about the dev
mailing list