[ovs-dev] [v3 01/10] lib/daemon: add function to switch daemon user at run time

Mon, 14 Sep 2015 15:54:50 -0700 

Added functions to drop daemon's root privileges at run time by
allowing it to run as a different user. Daemons all start
running as root, then drop to the user by invoking
daemon_become_new_user() function when they are ready to drop
root privileges.

Future patch will make use of this function.

Signed-off-by: Andy Zhou <az...@nicira.com>

---
v2 : fix typos and white spaces
v3 : switching to user getresuid/gid for better portability.
---
 lib/daemon-unix.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 lib/daemon.h      | 10 +++++-
 2 files changed, 104 insertions(+), 2 deletions(-)

diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
index eb95521..f175037 100644
--- a/lib/daemon-unix.c
+++ b/lib/daemon-unix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
+ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2015 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 #include "daemon-private.h"
 #include <errno.h>
 #include <fcntl.h>
+#include <grp.h>
 #include <signal.h>
 #include <stdlib.h>
 #include <string.h>
@@ -64,6 +65,13 @@ static int daemonize_fd = -1;
  * it dies due to an error signal? */
 static bool monitor;
 
+/* --user: Only root can use this option. Switch to new uid:gid after
+ * initially running as root.  */
+static bool switch_to_new_user = false;
+static uid_t uid;
+static gid_t gid;
+static char *user = NULL;
+
 static void check_already_running(void);
 static int lock_pidfile(FILE *, int command);
 static pid_t fork_and_clean_up(void);
@@ -684,3 +692,89 @@ should_service_stop(void)
 {
     return false;
 }
+
+
+static bool
+gid_equal(const gid_t expected, const gid_t value)
+{
+    return (expected == -1) ? true : expected == value;
+}
+
+static bool
+gid_verify(const gid_t real, const gid_t effecitve, const gid_t saved)
+{
+    gid_t r, e, s;
+
+    getresgid(&r, &e, &s);
+    return (gid_equal(real, r) &&
+            gid_equal(effecitve, e) && gid_equal(saved, s));
+}
+
+static void
+daemon_switch_group(const gid_t real, const gid_t effective,
+                    const gid_t saved)
+{
+    if ((setresgid(real, effective, saved) == -1) ||
+        !gid_verify(real, effective, saved)) {
+        VLOG_FATAL("%s: fail to switch group to gid as %d, aborting",
+                   pidfile, gid);
+    }
+}
+
+static bool
+uid_equal(const uid_t expected, const uid_t value)
+{
+    return (expected == -1) ? true : expected == value;
+}
+
+static bool
+uid_verify(const uid_t real, const uid_t effective, const uid_t saved)
+{
+    uid_t r, e, s;
+
+    getresuid(&r, &e, &s);
+    return (uid_equal(real, r) &&
+            uid_equal(effective, e) && uid_equal(saved, s));
+}
+
+static void
+daemon_switch_user(const uid_t real, const uid_t effective, const uid_t saved,
+                   const char *user)
+{
+    if ((setresuid(real, effective, saved) == -1) ||
+        !uid_verify(real, effective, saved)) {
+        VLOG_FATAL("%s: fail to switch user to %s, aborting",
+                   pidfile, user);
+    }
+}
+
+void
+daemon_become_new_user(void)
+{
+    /* "Setuid Demystified" by Hao Chen, etc outlines some caveats of
+     * around unix system call setuid() and friends. This implementation
+     * mostly follow the advice given by the paper.  The paper is
+     * published in 2002, so things could have changed.  */
+
+    /* Change both real and effective uid and gid will permanently
+     * drop the process' privilege.  "Setuid Demystified" suggested
+     * that calling getuid() after each setuid() call to verify they
+     * are actually set, because checking return code alone is not
+     * sufficient.
+     *
+     * Linux also has per process file system uid, i.e. fsuid. Without
+     * explicitly setting it, it follows the process' effective uid.
+     * This implementation does not explicitly set fsuid for better
+     * portability.  (Although setresuid() is not available on Solaris,
+     * according to the paper above.)   */
+
+    if (switch_to_new_user) {
+        daemon_switch_group(gid, gid, gid);
+
+        if (user && initgroups(user, gid) == -1) {
+            VLOG_FATAL("%s: fail to add supplementary group gid %d, aborting",
+                       pidfile, gid);
+        }
+        daemon_switch_user(uid, uid, uid, user);
+    }
+}
diff --git a/lib/daemon.h b/lib/daemon.h
index 959341d..fdd7b6a 100644
--- a/lib/daemon.h
+++ b/lib/daemon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
+ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2015 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -76,6 +76,7 @@ void set_detach(void);
 void daemon_set_monitor(void);
 void set_no_chdir(void);
 void ignore_existing_pidfile(void);
+void daemon_become_new_user(void);
 pid_t read_pidfile(const char *name);
 #else
 #define DAEMON_OPTION_ENUMS                    \
@@ -117,6 +118,13 @@ pid_t read_pidfile(const char *name);
 
 void control_handler(DWORD request);
 void set_pipe_handle(const char *pipe_handle);
+
+static inline void
+daemon_become_new_user(void)
+{
+    /* Not implemented. */
+}
+
 #endif /* _WIN32 */
 
 bool get_detach(void);
-- 
1.9.1

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to