From patchwork Sat Oct 10 00:13:23 2015 X-Patchwork-Submitter: Andy Zhou X-Patchwork-Id: 528468
From: Andy Zhou To: dev@openvswitch.org X-CudaMail-Whitelist-To: dev@openvswitch.org X-CudaMail-MID: CM-E2-1008103909 X-CudaMail-DTE: 100915 X-CudaMail-Originating-IP: 209.85.220.51 Date: Fri, 9 Oct 2015 17:13:23 -0700 X-ASG-Orig-Subj: [##CM-E2-1008103909##][Debian-non-root v2 3/4] ovs-ctl: add --no-run-as-root option Message-Id: <1444436004-25557-3-git-send-email-azhou@nicira.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1444436004-25557-1-git-send-email-azhou@nicira.com> References: <1444436004-25557-1-git-send-email-azhou@nicira.com> X-Barracuda-Connect: UNKNOWN[192.168.24.2] X-Barracuda-Start-Time: 1444436027 X-Barracuda-Encrypted: DHE-RSA-AES256-SHA X-Barracuda-URL: https://web.cudamail.com:443/cgi-mod/mark.cgi X-ASG-Whitelist: Header =?UTF-8?B?eFwtY3VkYW1haWxcLXdoaXRlbGlzdFwtdG8=?= X-Virus-Scanned: by bsmtpd at cudamail.com X-Barracuda-BRTS-Status: 1 Subject: [ovs-dev] [Debian-non-root v2 3/4] ovs-ctl: add --no-run-as-root option X-BeenThere: dev@openvswitch.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: dev-bounces@openvswitch.org Sender: "dev" Add option to ovs-ctl script to specify whether to start the daemons as root user or ovs user. The default is 'run-as-root', which preserves the script's current behavior. Signed-off-by: Andy Zhou --- utilities/ovs-ctl.in | 13 +++++++++++-- utilities/ovs-lib.in | 9 ++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in index c9d75df..191631c 100755 --- a/utilities/ovs-ctl.in +++ b/utilities/ovs-ctl.in @@ -13,8 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -OVS_USER=root # Default user. -OVS_GROUP=root # Default group. +OVS_USER=ovs # Default user. +OVS_GROUP=$OVS_USER # Default group. case $0 in */*) dir0=`echo "$0" | sed 's,/[^/]*$,,'` ;; 
@@ -101,6 +101,7 @@ set_system_ids () { else log_failure_msg "missing uuidgen, could not generate system ID" fi + chown "$OVS_USER":"$OVS_GROUP" $id_file ;; '') @@ -505,6 +506,7 @@ set_defaults () { DAEMON_CWD=/ FORCE_COREFILES=yes + RUN_AS_ROOT=yes MLOCKALL=yes OVSDB_SERVER_PRIORITY=-10 OVS_VSWITCHD_PRIORITY=-10 @@ -573,6 +575,7 @@ Less important options for "start", "restart" and "force-reload-kmod": --daemon-cwd=DIR set working dir for OVS daemons (default: $DAEMON_CWD) --no-force-corefiles do not force on core dumps for OVS daemons --no-mlockall do not lock all of ovs-vswitchd into memory + --no-run-as-root run ovs daemons as the OVS user --ovsdb-server-priority=NICE set ovsdb-server's niceness (default: $OVSDB_SERVER_PRIORITY) --ovs-vswitchd-priority=NICE set ovs-vswitchd's niceness (default: $OVS_VSWITCHD_PRIORITY) @@ -685,6 +688,12 @@ do ;; esac done + +if test X"$RUN_AS_ROOT" = Xyes; then + OVS_USER=root + OVS_GROUP=root +fi + case $command in start) start_ovsdb || exit 1 diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in index da52284..2045a16 100644 --- a/utilities/ovs-lib.in +++ b/utilities/ovs-lib.in @@ -149,10 +149,15 @@ start_daemon () { set "$@" --log-file="$logdir/$daemon.log" # pidfile and monitoring - test -d "$rundir" || install -d -m 755 -o "$OVS_USER" -g "OVS_GROUP" "$rundir" + test -d "$rundir" || install -d -m 770 -o "$OVS_USER" -g "$OVS_GROUP" "$rundir" set "$@" --pidfile="$rundir/$daemon.pid" set "$@" --detach --monitor + # non root user + if test X"$RUN_AS_ROOT" != Xyes; then + set "$@" --user="$OVS_USER":"$OVS_GROUP" + fi + # wrapper case $wrapper in valgrind) @@ -376,4 +381,6 @@ upgrade_db () { create_db "$DB_FILE" "$DB_SCHEMA" fi fi + + chown -R "$OVS_USER":"$OVS_GROUP" `dirname $DB_FILE` }
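Review bot: in the set_system_ids hunk of utilities/ovs-ctl.in, the new `chown "$OVS_USER":"$OVS_GROUP" $id_file` sits after the `fi`, so it also runs on the `else` path that just logged "missing uuidgen, could not generate system ID", where the file may not exist and chown will emit a second, misleading error. Guard it and quote the path, e.g. `test -f "$id_file" && chown "$OVS_USER":"$OVS_GROUP" "$id_file"`, or move the chown inside the branch that actually writes the file.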
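Review bot: in the usage-text hunk of utilities/ovs-ctl.in, `--no-run-as-root run ovs daemons as the OVS user` neither names the account nor says what it replaces, and it writes "ovs daemons" where the neighbouring lines write "OVS daemons". Suggest `--no-run-as-root run OVS daemons as the OVS user (default: $OVS_USER) instead of root`, since the adjacent options print their defaults the same way.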
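Review bot: in the post-option-parsing hunk of utilities/ovs-ctl.in, `if test X"$RUN_AS_ROOT" = Xyes; then OVS_USER=root; OVS_GROUP=root; fi` combined with `RUN_AS_ROOT=yes` in set_defaults means the new top-of-file assignments `OVS_USER=ovs` and `OVS_GROUP=$OVS_USER` only take effect when `--no-run-as-root` is passed, which a reader of the first hunk cannot tell from the `# Default user.` comment. Either keep the defaults as root and switch to `ovs` in this block when RUN_AS_ROOT is not yes, or reword the comments to say these are the non-root user and group selected by `--no-run-as-root`.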
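Review bot: in the start_daemon hunk of utilities/ovs-lib.in, changing `install -d -m 755` to `install -d -m 770` is not conditional on RUN_AS_ROOT, so in the default root:root case $rundir loses world read and search permission and any unprivileged process that previously reached pidfiles or sockets under it now fails, contradicting the commit message's claim that the default preserves current behaviour. Suggest keeping 755 when RUN_AS_ROOT is yes and using 770 only on the non-root path, or documenting the permission change explicitly. The same line also fixes the pre-existing `-g "OVS_GROUP"` (missing `$`) bug; that fix is worth a sentence in the commit message since it changes behaviour on its own.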
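Review bot: in the upgrade_db hunk of utilities/ovs-lib.in, ``chown -R "$OVS_USER":"$OVS_GROUP" `dirname $DB_FILE` `` re-owns every entry in the database's directory, not just the database, and because RUN_AS_ROOT defaults to yes it does so as root:root on every start for existing installs; the backticks and `$DB_FILE` are also unquoted, unlike the rest of the script. Prefer `chown "$OVS_USER":"$OVS_GROUP" "$DB_FILE"` plus a non-recursive chown of `"$(dirname "$DB_FILE")"` if the directory itself must be writable by the daemon, and consider skipping the chown entirely when RUN_AS_ROOT is yes so the default path stays a no-op.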