[ovs-dev] [PATCH 3/3] ovsdb-server: support --user option

Andy Zhou azhou at nicira.com
Thu Sep 3 23:33:43 UTC 2015


Add support for running ovsdb-server as a non-root user, specified
by the --user option. If specified, all I/O access and all
sub-processes will be performed as the new user.

VMware-BZ: #1499254
Signed-off-by: Andy Zhou <azhou at nicira.com>
---
 NEWS                 | 1 +
 lib/daemon.man       | 8 ++++++++
 ovsdb/ovsdb-server.c | 6 +++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index ca22c8e..5192ac1 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,7 @@ Post-v2.4.0
      targets to run a new system testsuite.  These tests can be run inside
      a Vagrant box.  See INSTALL.md for details
    - Dropped support for GRE64 tunnel.
+   - Added --user option to ovsdb-server.
 
 
 v2.4.0 - 20 Aug 2015
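Review bot: the NEWS entry names the option but not what it does; since this is the user-facing changelog, consider "Added --user option to ovsdb-server to run as a non-root user." so readers do not have to open the man page to learn that it drops privileges.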
diff --git a/lib/daemon.man b/lib/daemon.man
index 4ab9823..d7e2968 100644
--- a/lib/daemon.man
+++ b/lib/daemon.man
@@ -50,3 +50,11 @@ core dumps into the current working directory and the root directory
 is not a good directory to use.
 .IP
 This option has no effect when \fB\-\-detach\fR is not specified.
+.
+.TP
+\fB\-\-user\fR
+Causes \fB\*(PN\fR to run as a new user specified in "user:group". Short
+forms "user" and ":group" are also allowed, with current user or group
+are assumed respectively. Only root process accepts this argument.
+.IP
+Currently only ovsdb-server actually implements this option.
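Review bot: the new `.TP` entry shows `\fB\-\-user\fR` without its argument, while the description talks about "user:group"; the heading should be `\fB\-\-user\fR=\fIuser\fR[:\fIgroup\fR]` (or however daemon.man renders other option arguments) so the accepted syntax is visible. The sentence "with current user or group are assumed respectively" does not parse; suggest "in which case the current user or group, respectively, is assumed". "Only root process accepts this argument" leaves the failure mode undefined: state whether a non-root invocation exits with an error or silently ignores the option, since that difference matters to anyone relying on the privilege drop. Finally, lib/daemon.man is shared by every daemon, and the closing line "Currently only ovsdb-server actually implements this option" means the other daemons' man pages will now document an option they do not honour; either say explicitly what those daemons do with `--user`, or keep the text out of the shared page until the option is implemented elsewhere.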
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index 4088d85..fdeecd2 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
+/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -221,6 +221,10 @@ main(int argc, char *argv[])
     process_init();
 
     parse_options(&argc, &argv, &remotes, &unixctl_path, &run_command);
+    /* Drop root privileges and become the new user as soon as possible.
+     * OVSDB server does not need root privileges. If --user option is
+     * not specified, the following function is essentially no-op.  */
+    daemon_become_new_user();
 
     /* Create and initialize 'config_tmpfile' as a temporary file to hold
      * ovsdb-server's most basic configuration, and then save our initial
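Review bot: the call to `daemon_become_new_user()` is the security-critical step here, but the hunk does not show how a failure is handled; the caller continues unconditionally, so if the function returns on error the server would keep running as root despite `--user` being given. Please confirm that `daemon_become_new_user()` aborts on any failure (and rejects `--user` from a non-root process, as the man page promises), or check its result in this hunk. Since the commit message says all I/O and sub-processes run as the new user, and the privilege drop happens before `config_tmpfile`, the database file, the unixctl socket and the pidfile are all created under the new uid; it would be worth a sentence in the man page or the comment noting that the run directory and database paths must be writable by that user, otherwise the first visible symptom will be an unrelated-looking permission error later in startup.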
-- 
1.9.1