On 13-Apr-17 7:27 PM, Carroll, James R wrote:
Hi,
I am using openSAF 5.0, and it appears that some of the openSAF (amfnd) daemons
are hard-coded to run as root.
Is there any way to disable this feature, so that I do not have to run the
daemon as root?
I see the following note in the README documentation:
Only two processes are running as root, amfnd and smfnd. Reason is that amfnd
need todo that for backwards
compatible reasons and the programs it starts might be designed to require root
access.
We are trying to run all of our programs as non-root. Regarding the
documentation noted above, if we can start all our programs as non-root, then
we would not need to run the opensaf as root.
As of now, it is hard-coded in amfnd to run as root.
Attached are patches on default and 5.0 branch to enable amfnd to start
as non-root.
After installation of OpenSAF, uncomment "#AMFND_NON_ROOT=1" line in
amfnd.conf to enable amfnd to run as a user as mentioned in amfnd.conf.
By default it will run as root.
Thanks
Praveen
Thank you.
Jim
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!
https://urldefense.proofpoint.com/v2/url?u=http-3A__sdm.link_slashdot&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=Lehk1PZKwfDQtYJXNyUKbPAqrw5O--SlPRAF9DIEps4&m=QFElQWRNnjpJoqOheAQc7PDO6jAFjy5q7HOJomurNZE&s=nY_vsN70CKwqwIlS34gWKhLNnNkPaSMV75OBafExYPA&e=
_______________________________________________
Opensaf-users mailing list
[email protected]
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_opensaf-2Dusers&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=Lehk1PZKwfDQtYJXNyUKbPAqrw5O--SlPRAF9DIEps4&m=QFElQWRNnjpJoqOheAQc7PDO6jAFjy5q7HOJomurNZE&s=ZpBOi3XksEgiXJdc4pu5qQZP1e7Dgze-S1CTAN9auyc&e=
diff --git a/osaf/services/saf/amf/amfnd/main.cc
b/osaf/services/saf/amf/amfnd/main.cc
--- a/osaf/services/saf/amf/amfnd/main.cc
+++ b/osaf/services/saf/amf/amfnd/main.cc
@@ -160,6 +160,7 @@ static void new_handler()
int main(int argc, char *argv[])
{
uint32_t error;
+ char *val;
// function to be called if new fails. The alternative of using catch
of std::bad_alloc
// will unwind the stack and thus no call chain will be available.
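Review bot: The new `char *val;` at the top of main() is never read in the visible hunks; it is only assigned inside the later `if` so the result can be compared with nullptr. The declaration can be dropped and the test written as `if (getenv("AMFND_NON_ROOT") != nullptr)`. If a variable is kept, `const char *` is the better type, because the string returned by getenv() should not be modified.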
@@ -172,8 +173,13 @@ int main(int argc, char *argv[])
avnd_failed_state_file_location());
goto done;
}
-
- daemonize_as_user("root", argc, argv);
+ if ((val = getenv("AMFND_NON_ROOT")) != nullptr) {
+ daemonize(argc, argv);
+ TRACE("AMFND will run as non-root");
+ } else {
+ daemonize_as_user("root", argc, argv);
+ TRACE("AMFND will run as root");
+ }
if (__init_avnd() != NCSCC_RC_SUCCESS) {
syslog(LOG_ERR, "__init_avd() failed");
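Review bot: The outcome of the new if/else is recorded only with TRACE(), which may not be enabled on a production node, so an operator cannot confirm from the system log whether amfnd kept root. Since this branch selects the daemon's privilege level, report the chosen mode with syslog() as well, the way the `__init_avnd()` failure just below is reported. Unrelated to this change, that context line prints `__init_avd() failed` although the call is `__init_avnd()`.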
diff --git a/osaf/services/saf/amf/config/amfnd.conf
b/osaf/services/saf/amf/config/amfnd.conf
--- a/osaf/services/saf/amf/config/amfnd.conf
+++ b/osaf/services/saf/amf/config/amfnd.conf
@@ -20,3 +20,6 @@ export AVND_PM_MONITORING_RATE=1000
# Uncomment the next line to enable info level logging
#args="--loglevel=info"
+
+#AMFND run as root. Uncomment next line to run as a user mentioned in nid.conf.
+#AMFND_NON_ROOT=1
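Review bot: The added `#AMFND_NON_ROOT=1` line has no `export`, unlike `export AVND_PM_MONITORING_RATE=1000` shown in the hunk header for this file. main.cc reads the setting with getenv(), so if this file is sourced by a shell, the uncommented line would set a shell variable that never reaches the daemon's environment; suggest `#export AMFND_NON_ROOT=1`. The comment `#AMFND run as root.` would also be clearer as "amfnd runs as root by default", so the default is unambiguous.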
diff --git a/src/amf/amfnd/amfnd.conf b/src/amf/amfnd/amfnd.conf
--- a/src/amf/amfnd/amfnd.conf
+++ b/src/amf/amfnd/amfnd.conf
@@ -20,3 +20,6 @@ export AVND_PM_MONITORING_RATE=1000
# Uncomment the next line to enable info level logging
#args="--loglevel=info"
+
+#AMFND run as root. Uncomment next line to run as a user mentioned in nid.conf.
+#AMFND_NON_ROOT=1
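Review bot: The comment above `#AMFND_NON_ROOT=1` does not say what the switch means for the components amfnd starts. The README text quoted in this thread gives "the programs it starts might be designed to require root access" as the reason amfnd runs as root, so the comment should state that the option is only suitable when every program amfnd starts can run without root.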
diff --git a/src/amf/amfnd/main.cc b/src/amf/amfnd/main.cc
--- a/src/amf/amfnd/main.cc
+++ b/src/amf/amfnd/main.cc
@@ -160,6 +160,7 @@ static void new_handler() {
int main(int argc, char *argv[]) {
uint32_t error;
+ char *val;
// function to be called if new fails. The alternative of using catch of
// std::bad_alloc will unwind the stack and thus no call chain will be
@@ -175,7 +176,13 @@ int main(int argc, char *argv[]) {
goto done;
}
- daemonize_as_user("root", argc, argv);
+ if ((val = getenv("AMFND_NON_ROOT")) != nullptr) {
+ daemonize(argc, argv);
+ TRACE("AMFND will run as non-root");
+ } else {
+ daemonize_as_user("root", argc, argv);
+ TRACE("AMFND will run as root");
+ }
// Enable long DN
if (setenv("SA_ENABLE_EXTENDED_NAMES", "1", 1) != 0) {
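Review bot: The test `getenv("AMFND_NON_ROOT") != nullptr` checks only that the variable exists, so `AMFND_NON_ROOT=0` or an empty value also selects the non-root path, which does not match the `=1` shown in amfnd.conf. Either compare the value against "1" or say in the amfnd.conf comment that any value enables it. A short code comment would also help here: according to the amfnd.conf text the non-root user comes from nid.conf, which is not obvious from a bare `daemonize(argc, argv)` call.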