From patchwork Wed Nov 11 22:13:48 2015
X-Patchwork-Submitter: Andy Zhou
X-Patchwork-Id: 543110
From: Andy Zhou
To: dev@openvswitch.org
Date: Wed, 11 Nov 2015 14:13:48 -0800
Subject: [ovs-dev] [additional --user changes v4 2/3] vlog: change log file owner when switching user
Message-Id: <1447280029-2598-2-git-send-email-azhou@nicira.com>
In-Reply-To: <1447280029-2598-1-git-send-email-azhou@nicira.com>

The vlog log file can be created when parsing the --log-file option, before switching user, in case the --user option is also specified. While this does not directly cause errors for the running daemons, it can leave the log files on the disk as created under the "root" user. This patch fixes the log file ownership to the user specified with --user.

Signed-off-by: Andy Zhou
---
v1->v2: Add a comment on vlog_change_owner return code.
v2->v3: no change
v3->v4: Reword the commit message. Change vlog_change_owner() to void.
---
 include/openvswitch/vlog.h | 1 +
 lib/daemon-unix.c | 6 +++++-
 lib/vlog.c | 22 +++++++++++++++++++++-
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/include/openvswitch/vlog.h b/include/openvswitch/vlog.h
index f6bb3ab..bc16590 100644
--- a/include/openvswitch/vlog.h +++ b/include/openvswitch/vlog.h @@ -143,6 +143,7 @@ void vlog_set_verbosity(const char *arg); void vlog_set_pattern(enum vlog_destination, const char *pattern); int vlog_set_log_file(const char *file_name); int vlog_reopen_log_file(void); +void vlog_change_owner(uid_t, gid_t); /* Configure method how vlog should send messages to syslog server. */ void vlog_set_syslog_method(const char *method); diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c index 0125745..e69517a 100644 --- a/lib/daemon-unix.c +++ b/lib/daemon-unix.c @@ -739,7 +739,7 @@ daemon_switch_group(gid_t real, gid_t effective, { if ((setresgid(real, effective, saved) == -1) || !gid_verify(real, effective, saved)) { - VLOG_FATAL("%s: fail to switch group to gid as %d, aborting", + VLOG_FATAL("%s: failed to switch group to gid as %d, aborting", pidfile, gid); } } @@ -847,6 +847,10 @@ daemon_become_new_user_linux(bool access_datapath OVS_UNUSED) static void daemon_become_new_user__(bool access_datapath) { + /* If vlog file has been created, change its owner to the non-root user + * as specifed by the --user option. */ + vlog_change_owner(uid, gid); + if (LINUX) { if (LIBCAPNG) { daemon_become_new_user_linux(access_datapath); diff --git a/lib/vlog.c b/lib/vlog.c index da31e6f..ade0a45 100644 --- a/lib/vlog.c +++ b/lib/vlog.c @@ -105,7 +105,7 @@ DEFINE_STATIC_PER_THREAD_DATA(unsigned int, msg_num, 0); * All of the following is protected by 'log_file_mutex', which nests inside * pattern_rwlock. */ static struct ovs_mutex log_file_mutex = OVS_MUTEX_INITIALIZER; -static char *log_file_name OVS_GUARDED_BY(log_file_mutex); +static char *log_file_name = NULL OVS_GUARDED_BY(log_file_mutex); static int log_fd OVS_GUARDED_BY(log_file_mutex) = -1; static struct async_append *log_writer OVS_GUARDED_BY(log_file_mutex); static bool log_async OVS_GUARDED_BY(log_file_mutex); 
@@ -430,6 +430,26 @@ vlog_reopen_log_file(void) } } +/* In case a log file exists, change its owner to new 'user' and 'group'. + * + * This is useful for handling cases where the --log-file option is + * specified ahead of the --user option. */ +void +vlog_change_owner(uid_t user, gid_t group) +{ + int error = 0; + + if (log_file_name) { + ovs_mutex_lock(&log_file_mutex); + error = chown(log_file_name, user, group); + ovs_mutex_unlock(&log_file_mutex); + } + + if (error) { + VLOG_FATAL("Failed to change log file ownership."); + } +} + /* Set debugging levels. Returns null if successful, otherwise an error * message that the caller must free(). */ char *
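Review bot: the new prototype `void vlog_change_owner(uid_t, gid_t);` in include/openvswitch/vlog.h makes a public header depend on uid_t and gid_t; add `#include <sys/types.h>` to vlog.h if it is not already pulled in, so the header stays self-contained for out-of-tree users, and give the declaration a one-line comment like the neighbouring `vlog_set_syslog_method()` has.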
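Review bot: the `fail` -> `failed` wording change in daemon_switch_group() is an unrelated typo fix bundled into the ownership patch; it would be cleaner as its own trivial commit so that the ownership change can be reviewed and reverted on its own.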
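Review bot: typo in the comment added to daemon_become_new_user__(): "specifed" should be "specified". That comment should also say why the call sits where it does: `vlog_change_owner(uid, gid);` must run before the Linux/libcap-ng user switch below it, because handing the file to another user via chown() only succeeds while the process still holds root privilege; if someone later reorders it after the switch, the new VLOG_FATAL turns into a startup failure.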
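Review bot: the changed line `static char *log_file_name = NULL OVS_GUARDED_BY(log_file_mutex);` is both unnecessary and likely to break the clang thread-safety build: a static has static storage duration and is zero-initialized already, and placing the attribute macro after the initializer expression is not valid where OVS_GUARDED_BY expands to a real attribute. Either drop this hunk entirely, or follow the convention of the adjacent `static int log_fd OVS_GUARDED_BY(log_file_mutex) = -1;` and put the annotation before the initializer.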
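Review bot: in vlog_change_owner(), `if (log_file_name)` reads a variable annotated OVS_GUARDED_BY(log_file_mutex) before taking the mutex, which the annotation is there to forbid and which races with vlog_set_log_file(); take the lock first and test inside it. Since the file is opened under the same mutex, prefer `fchown(log_fd, user, group)` on the already-open descriptor over `chown(log_file_name, ...)`: chown() by path follows symlinks and is done here while still root, so the path can name something other than the file vlog actually writes to. Finally, `error = chown(...)` stores -1, not errno, and the fatal message names neither the file nor the cause; capture errno and report it, for example `VLOG_FATAL("%s: failed to change log file ownership (%s)", log_file_name, ovs_strerror(error));` (ovs_strerror is assumed available from lib/util.h).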