[ovs-dev] [PATCH 3/3] ovsdb-server: support --user option
Andy Zhou
azhou at nicira.com
Thu Sep 3 23:33:43 UTC 2015
Add support for running ovsdb-server as a non-root user, specified
by the --user option. If specified, all I/O access and all
sub-processes will be performed as the new user.
VMware-BZ: #1499254
Signed-off-by: Andy Zhou <azhou at nicira.com>
---
NEWS | 1 +
lib/daemon.man | 8 ++++++++
ovsdb/ovsdb-server.c | 6 +++++-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index ca22c8e..5192ac1 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,7 @@ Post-v2.4.0
targets to run a new system testsuite. These tests can be run inside
a Vagrant box. See INSTALL.md for details
- Dropped support for GRE64 tunnel.
+ - Added --user option to ovsdb-server.
v2.4.0 - 20 Aug 2015
diff --git a/lib/daemon.man b/lib/daemon.man
index 4ab9823..d7e2968 100644
--- a/lib/daemon.man
+++ b/lib/daemon.man
@@ -50,3 +50,11 @@ core dumps into the current working directory and the root directory
is not a good directory to use.
.IP
This option has no effect when \fB\-\-detach\fR is not specified.
+.
+.TP
+\fB\-\-user\fR
+Causes \fB\*(PN\fR to run as a new user specified in "user:group". Short
+forms "user" and ":group" are also allowed, with current user or group
+are assumed respectively. Only root process accepts this argument.
+.IP
+Currently only ovsdb-server actually implements this option.
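Review bot: the new \fB\-\-user\fR paragraph leaves the failure and permission semantics unstated and has two grammar slips. "Only root process accepts this argument" should say what happens when a non-root process is given it (error out, or silently ignore?), and since the commit message says all I/O and sub-processes run as the new user, the text should tell the administrator that the pidfile, log, unixctl socket and database paths must be writable by that user or the daemon will fail after dropping privileges. Suggested wording for the second sentence: "Short forms \fBuser\fR and \fB:group\fR are also allowed, in which case the current group or user, respectively, is assumed." Also, because lib/daemon.man is shared by every OVS daemon, the "Currently only ovsdb-server actually implements this option" note will appear in each daemon's man page; consider conditionalizing it or rewording so readers of the other manpages are not left guessing whether the option is accepted and ignored.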
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index 4088d85..fdeecd2 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
+/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -221,6 +221,10 @@ main(int argc, char *argv[])
process_init();
parse_options(&argc, &argv, &remotes, &unixctl_path, &run_command);
+ /* Drop root privileges and become the new user as soon as possible.
+ * OVSDB server does not need root privileges. If --user option is
+ * not specified, the following function is essentially no-op. */
+ daemon_become_new_user();
/* Create and initialize 'config_tmpfile' as a temporary file to hold
* ovsdb-server's most basic configuration, and then save our initial
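Review bot: the result of daemon_become_new_user() is not checked in this hunk, so it should be confirmed that the function itself terminates the process (ovs_fatal or equivalent) when the user lookup or the setgid/setuid sequence fails; continuing as root after a failed --user request would silently defeat the option. The placement is otherwise right: calling it after parse_options() but before 'config_tmpfile' is created means the temporary file is owned by the unprivileged user, and the comment's "as soon as possible" holds provided process_init() above has not already opened anything that must later be accessed as the new user. Minor: "essentially no-op" should read "essentially a no-op", and the comment should name the daemon as "ovsdb-server" to match the rest of the file.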
--
1.9.1