Add support for running ovsdb-server as a non-root user, specified by the --user option. If specified, all I/O access and all sub-processes will be performed as the new user.
VMware-BZ: #1499254 Signed-off-by: Andy Zhou <az...@nicira.com> --- NEWS | 1 + lib/daemon.man | 8 ++++++++ ovsdb/ovsdb-server.c | 6 +++++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index ca22c8e..5192ac1 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,7 @@ Post-v2.4.0 targets to run a new system testsuite. These tests can be run inside a Vagrant box. See INSTALL.md for details - Dropped support for GRE64 tunnel. + - Added --user option to ovsdb-server. v2.4.0 - 20 Aug 2015 diff --git a/lib/daemon.man b/lib/daemon.man index 4ab9823..d7e2968 100644 --- a/lib/daemon.man +++ b/lib/daemon.man @@ -50,3 +50,11 @@ core dumps into the current working directory and the root directory is not a good directory to use. .IP This option has no effect when \fB\-\-detach\fR is not specified. +. +.TP +\fB\-\-user\fR +Causes \fB\*(PN\fR to run as a new user specified in "user:group". Short +forms "user" and ":group" are also allowed, with current user or group +are assumed respectively. Only root process accepts this argument. +.IP +Currently only ovsdb-server actually implements this option. diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c index 4088d85..fdeecd2 100644 --- a/ovsdb/ovsdb-server.c +++ b/ovsdb/ovsdb-server.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc. +/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -221,6 +221,10 @@ main(int argc, char *argv[]) process_init(); parse_options(&argc, &argv, &remotes, &unixctl_path, &run_command); + /* Drop root privileges and become the new user as soon as possible. + * OVSDB server does not need root privileges. If --user option is + * not specified, the following function is essentially no-op. */ + daemon_become_new_user(); /* Create and initialize 'config_tmpfile' as a temporary file to hold * ovsdb-server's most basic configuration, and then save our initial -- 1.9.1 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
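Review bot: the new --user entry in the lib/daemon.man hunk is placed in a shared fragment written with \*(PN, so every program whose manual includes this file will advertise an option that, per the entry's own last line, only ovsdb-server implements. Consider moving the text to the ovsdb-server manual until other daemons accept the option. The .TP header line shows only \fB\-\-user\fR with no argument placeholder even though the body describes a "user:group" value, and "Only root process accepts this argument" does not say what happens when a non-root process passes it (ignored, or fatal error). The sentence "with current user or group are assumed respectively" also needs rewording, for example "in which case the current user or group is assumed, respectively".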
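Review bot: the daemon_become_new_user() call added to main() in the ovsdb/ovsdb-server.c hunk is made with no visible handling of failure, so the comment should state, and the function should guarantee, that the process aborts rather than continuing as root when the user or group cannot be resolved or the switch fails. The call also sits after parse_options(), so anything that function opens or creates is still done as root and may not be accessible to the new user afterwards. The comment "as soon as possible" would be more useful if it said why the drop cannot happen earlier, and the commit message or manual should note that the database, log, pidfile and socket paths must be usable by the target user.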