@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
+ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2015 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -84,7 +84,6 @@ static bool monitor;
/* --user: Only root can use this option. Switch to new uid:gid after
* initially running as root. */
static bool switch_user = false;
-static bool non_root_user = false;
static uid_t uid;
static gid_t gid;
static char *user = NULL;
@@ -445,11 +444,6 @@ daemonize_start(bool access_datapath)
switch_user = false;
}
- /* If --user is specified, make sure user switch has completed by now. */
- if (non_root_user) {
- ovs_assert(geteuid() && getuid());
- }
-
if (detach) {
pid_t pid;
@@ -875,9 +869,7 @@ daemon_become_new_user(bool access_datapath)
assert_single_threaded();
if (switch_user) {
daemon_become_new_user__(access_datapath);
-
- /* Make sure daemonize_start() will not switch
- * user again. */
+ /* daemonize_start() should not switch user again. */
switch_user = false;
}
}
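Review bot: After `daemon_become_new_user__(access_datapath)` returns, nothing in the new code confirms that the process actually runs as the requested identity, because this commit also removes the `ovs_assert(geteuid() && getuid())` check from daemonize_start(). That assert could not stay once a root target became legal, but a comparison against the requested ids works for every target. Assuming the file-scope `uid` and `gid` hold the resolved target at this point, add `ovs_assert(geteuid() == uid && getuid() == uid);` and `ovs_assert(getegid() == gid && getgid() == gid);` before `switch_user = false;`. The helper's body is outside this diff, so it may already abort on a failed switch; if it does, a short comment saying so here would make that guarantee visible to the next reader.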
@@ -1041,5 +1033,5 @@ daemon_set_new_user(const char *user_spec)
}
}
- switch_user = non_root_user = true;
+ switch_user = true;
}
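Review bot: With `non_root_user` gone, the `switch_user = true;` assignment is reached for a root target as well, and no comment in the code says that this is intended. The man page hunk states that the capability change applies even when the new user is "root", so the same fact belongs next to the assignment, for example `/* 'user_spec' may resolve to uid 0; the switch then only reduces the capability set and the process keeps running as root. */`. A uid-0 process with a reduced capability set still owns root's files, so a reader should not take `--user root` for a full privilege drop. The body of daemon_set_new_user() starts outside this hunk, so where the spec is parsed and validated is not visible here.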
@@ -53,15 +53,16 @@ This option has no effect when \fB\-\-detach\fR is not specified.
.
.TP
\fB\-\-user\fR
-Causes \fB\*(PN\fR to run as a non root user specified in "user:group", thus
-dropping all root privileges. Short forms "user" and ":group" are also
+Causes \fB\*(PN\fR to run as a different user specified in "user:group", thus
+dropping most of the root privileges. Short forms "user" and ":group" are also
allowed, with current user or group are assumed respectively. Only daemons
started by the root user accepts this argument.
.IP
On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES
before dropping root privileges. Daemons interact with datapath,
such as ovs-vswitchd, will be granted two additional capabilities, namely
-CAP_NET_ADMIN and CAP_NET_RAW.
+CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if
+new user is "root".
.IP
On Windows, this option is not currently supported. For security reasons,
specifying this option will cause the daemon process not to start.
A global variable 'switch_user' was used to make sure we switch process's current user only once. This logic is now simplified by testing for uid directly; if the switch has taken place, the current uid will not be zero. Signed-off-by: Andy Zhou <azhou@nicira.com> --- v1->v2: add a log in case --user is specified but not switched. v2->v3: remove the log and assert. allow "root" in --user option. update man page. --- lib/daemon-unix.c | 14 +++----------- lib/daemon.man | 7 ++++--- 2 files changed, 7 insertions(+), 14 deletions(-)