From patchwork Fri Nov 20 11:33:16 2015
X-Patchwork-Submitter: Andy Zhou
X-Patchwork-Id: 548426
From: Andy Zhou
To: dev@openvswitch.com
Date: Fri, 20 Nov 2015 03:33:16 -0800
Message-Id: <1448019200-87207-3-git-send-email-azhou@ovn.org>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1448019200-87207-1-git-send-email-azhou@ovn.org>
References: <1448019200-87207-1-git-send-email-azhou@ovn.org>
Subject: [ovs-dev] [rhel --user v2 3/7] utilities: add --user option to ovs-ctl

Allow ovs-ctl to take --user=USER[:GROUP] option. When this option is specified, they will be parsed and set into shell variables $OVS_USER and $OVS_GROUP, which will be used by other shell functions, such as start_daemon() to run OVS daemons under the specified user.

Signed-off-by: Andy Zhou
Acked-by: Ben Pfaff

v1->v2: fix ovs-ctl manpage format, added more content
---
 utilities/ovs-ctl.8  |  5 +++++
 utilities/ovs-ctl.in |  6 ++++++
 utilities/ovs-lib.in | 22 ++++++++++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/utilities/ovs-ctl.8 b/utilities/ovs-ctl.8 index 6a9a544..7e3c870 100644 --- a/utilities/ovs-ctl.8 +++ b/utilities/ovs-ctl.8 @@ -123,6 +123,11 @@ another string is specified \fBovs\-ctl\fR uses it literally. The following options should be specified if the defaults are not suitable: . +.IP "\fB\-\-user=\fIuser\fR[\fB:\fIgroup\fR]" +Run OVS daemons as the user specified. When this options is specified, OVS +daemons will run with the least privileges necessary, and switch the +deemon process's real and effective user and group to the ones specified. +. .IP "\fB\-\-system\-type=\fItype\fR" .IQ "\fB\-\-system\-version=\fIversion\fR" Sets the value to store in the \fBsystem-type\fR and diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in index c9d75df..e128889 100755 --- a/utilities/ovs-ctl.in +++ b/utilities/ovs-ctl.in 
@@ -535,6 +535,8 @@ set_defaults () { SYSTEM_TYPE=unknown SYSTEM_VERSION=unknown fi + + USER="root:root" } usage () { @@ -573,6 +575,7 @@ Less important options for "start", "restart" and "force-reload-kmod": --daemon-cwd=DIR set working dir for OVS daemons (default: $DAEMON_CWD) --no-force-corefiles do not force on core dumps for OVS daemons --no-mlockall do not lock all of ovs-vswitchd into memory + --user=USER[:GROUP] run ovs daemons as the root user of ovs user (default: $OVS_USER:$OVS_GROUP) --ovsdb-server-priority=NICE set ovsdb-server's niceness (default: $OVSDB_SERVER_PRIORITY) --ovs-vswitchd-priority=NICE set ovs-vswitchd's niceness (default: $OVS_VSWITCHD_PRIORITY) @@ -685,6 +688,9 @@ do ;; esac done + +set_ovs_user_group $USER + case $command in start) start_ovsdb || exit 1 diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in index 34e2041..ad223c0 100644 --- a/utilities/ovs-lib.in +++ b/utilities/ovs-lib.in @@ -128,6 +128,28 @@ pid_exists () { test -d /proc/"$1" } +set_ovs_user_group() { + value=$1 # user spec (e.g. ovs:ovs) + + case $value in + [a-z]*:*) + OVS_USER=`expr X"$value" : 'X\(.*\):.*'` + OVS_GROUP=`expr X"$value" : 'X[^:]*:\(.*\)'` + if test X"$OVS_GROUP" = X; then + OVS_GROUP=$OVS_USER + fi + ;; + [a-z]*) + OVS_USER=`expr X"$value" : 'X\(.*\)'` + OVS_GROUP=$OVS_USER + ;; + *) + OVS_USER=root + OVS_GROUP=root + ;; + esac +} + pid_comm_check () { [ "$1" = "`cat /proc/$2/comm`" ] }
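Review bot: the new .IP entry in the ovs-ctl.8 hunk has two typos and overstates what the option does. "When this options is specified" should read "When this option is specified", and "deemon process's" should be "daemon process's". The clause "OVS daemons will run with the least privileges necessary" is not something --user guarantees on its own; the option only selects the uid/gid the daemons switch to, so I would drop that clause and document what the code actually does instead: that group defaults to user when the ":group" part is omitted, and that the default when --user is not given is root:root (the value set_defaults assigns).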
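Review bot: `USER="root:root"` in the set_defaults hunk reuses the name of the conventional login environment variable USER, which login(1) and most shells export and which anything sharing ovs-ctl's environment may read to learn the invoking user. Populating OVS_USER and OVS_GROUP directly here, or using a name in the file's own style such as OVS_USER_SPEC, avoids clobbering it and also removes the need to carry a "root:root" string around until it is parsed.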
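Review bot: the help text in the usage hunk, "run ovs daemons as the root user of ovs user", is garbled; something like "run OVS daemons as USER[:GROUP] (GROUP defaults to USER)" matches what set_ovs_user_group does. The default it prints, "$OVS_USER:$OVS_GROUP", is also empty at the point usage() runs, because set_ovs_user_group is only called after the option loop finishes (the `set_ovs_user_group $USER` hunk), so --help would show "(default: :)". Either print $USER here or derive OVS_USER and OVS_GROUP in set_defaults so the usage string is accurate.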
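Review bot: `set_ovs_user_group $USER` passes the value unquoted; write it as "$USER" so a value containing whitespace or glob characters is not word-split or expanded before it reaches the case statement. There is also no check at this point that the resulting OVS_USER and OVS_GROUP exist on the system (a `getent passwd`/`id` lookup would do); failing here with a clear message is better than a later failure inside start_daemon, which the commit message says is the consumer of these variables.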
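Review bot: the `*)` fallback in set_ovs_user_group silently maps any value it does not recognise to root:root, which is the opposite of what an administrator passing --user asked for. The only positive patterns are `[a-z]*:*` and `[a-z]*`, so an account name starting with an underscore, a digit or a capital letter (Debian-style `_ovs`, for instance), or a typo such as `--user=ovs,ovs`, falls through and the daemons come up as root with no warning. The fallback should print an error and return non-zero (which the caller can turn into an exit) rather than substitute root, and only an explicitly empty value should select the default. Two smaller points in the same hunk: `expr X"$value" : 'X\(.*\):.*'` is greedy, so `a:b:c` yields the user `a:b` rather than being rejected, and `value=$1` assigns a global named `value` in whatever script sources ovs-lib; since `local` is not POSIX, a less generic name such as `ovs_user_spec` avoids the collision, and the `[a-z]*` branch can simply assign `OVS_USER=$value` instead of going through expr.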