diff options
| author | Arne H Juul <arnej27959@users.noreply.github.com> | 2018-03-13 16:23:27 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-03-13 16:23:27 +0100 |
| commit | 6efe23abadd6a6c2ed26ae30cee0c87e1c320b1c (patch) | |
| tree | a55b1982c226d1dac991c1d0ee89104b04970b44 | |
| parent | a4c426e7121405a024bd7dcc82950e7a82af9eca (diff) | |
| parent | 319ed3f9435d1dc4d530f0e3ae4ff4df66185411 (diff) | |
Merge pull request #5288 from vespa-engine/toregge/unprivileged-vespa-try2
Changes to allow unprivileged vespa.
| -rw-r--r-- | build_settings.cmake | 5 | ||||
| -rw-r--r-- | configd/src/apps/su/main.cpp | 9 | ||||
| -rwxr-xr-x | configserver/src/main/sh/start-configserver | 4 | ||||
| -rw-r--r-- | vespabase/conf/default-env.txt.in | 1 | ||||
| -rwxr-xr-x | vespabase/src/common-env.sh | 4 | ||||
| -rwxr-xr-x | vespabase/src/rhel-prestart.sh | 12 |
6 files changed, 26 insertions, 9 deletions
diff --git a/build_settings.cmake b/build_settings.cmake index 7616ff63ad9..547e8ca2985 100644 --- a/build_settings.cmake +++ b/build_settings.cmake @@ -86,6 +86,11 @@ else() set(VESPA_USER "vespa") endif() +if(VESPA_UNPRIVILEGED) +else() + set(VESPA_UNPRIVILEGED "no") +endif() + if(EXTRA_INCLUDE_DIRECTORY) include_directories(SYSTEM ${EXTRA_INCLUDE_DIRECTORY}) endif() diff --git a/configd/src/apps/su/main.cpp b/configd/src/apps/su/main.cpp index ceecc71ae5a..abef5c69036 100644 --- a/configd/src/apps/su/main.cpp +++ b/configd/src/apps/su/main.cpp @@ -28,17 +28,20 @@ int main(int argc, char** argv) gid_t g = p->pw_gid; uid_t u = p->pw_uid; - if (setgid(g) != 0) { + gid_t oldg = getgid(); + uid_t oldu = getuid(); + + if (g != oldg && setgid(g) != 0) { perror("FATAL error: could not change group id"); exit(1); } size_t listsize = 1; gid_t grouplist[1] = { g }; - if (setgroups(listsize, grouplist) != 0) { + if ((g != oldg || u != oldu) && setgroups(listsize, grouplist) != 0) { perror("FATAL error: could not setgroups"); exit(1); } - if (setuid(u) != 0) { + if (u != oldu && setuid(u) != 0) { perror("FATAL error: could not change user id"); exit(1); } diff --git a/configserver/src/main/sh/start-configserver b/configserver/src/main/sh/start-configserver index d3c6a17b207..eed616cfe35 100755 --- a/configserver/src/main/sh/start-configserver +++ b/configserver/src/main/sh/start-configserver @@ -62,7 +62,7 @@ cd ${VESPA_HOME} || { echo "Cannot cd to ${VESPA_HOME}" 1>&2; exit 1; } fixfile () { if [ -f $1 ]; then - if [ "${VESPA_USER}" ]; then + if [ "${VESPA_USER}" ] && [ "${VESPA_UNPRIVILEGED}" != yes ]; then chown ${VESPA_USER} $1 fi chmod 644 $1 @@ -74,7 +74,7 @@ fixddir () { echo "Creating data directory $1" mkdir -p $1 || exit 1 fi - if [ "${VESPA_USER}" ]; then + if [ "${VESPA_USER}" ] && [ "${VESPA_UNPRIVILEGED}" != yes ]; then chown ${VESPA_USER} $1 fi chmod 755 $1 diff --git a/vespabase/conf/default-env.txt.in b/vespabase/conf/default-env.txt.in index 3551cec9945..374bbd020dd 100644 --- a/vespabase/conf/default-env.txt.in +++ b/vespabase/conf/default-env.txt.in @@ -1,3 +1,4 @@ # Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. fallback VESPA_HOME @CMAKE_INSTALL_PREFIX@ override VESPA_USER @VESPA_USER@ +override VESPA_UNPRIVILEGED @VESPA_UNPRIVILEGED@ diff --git a/vespabase/src/common-env.sh b/vespabase/src/common-env.sh index 76f5d69b3a4..8dfcf8d2c4c 100755 --- a/vespabase/src/common-env.sh +++ b/vespabase/src/common-env.sh @@ -145,6 +145,10 @@ consider_fallback VESPA_USE_NO_VESPAMALLOC $(get_var "no_vespamalloc_list") fixlimits () { + # Cannot bump limits when not root (for testing) + if [ "${VESPA_UNPRIVILEGED}" = yes ]; then + return 0 + fi # number of open files: if varhasvalue file_descriptor_limit; then ulimit -n ${file_descriptor_limit} || exit 1 diff --git a/vespabase/src/rhel-prestart.sh b/vespabase/src/rhel-prestart.sh index ebe9fe16938..2523446639b 100755 --- a/vespabase/src/rhel-prestart.sh +++ b/vespabase/src/rhel-prestart.sh @@ -71,8 +71,10 @@ fixdir () { exit 1 fi mkdir -p "$4" - chown $1 "$4" - chgrp $2 "$4" + if [ "${VESPA_UNPRIVILEGED}" != yes ]; then + chown $1 "$4" + chgrp $2 "$4" + fi chmod $3 "$4" } @@ -103,8 +105,10 @@ fixdir ${VESPA_USER} wheel 755 var/vespa/bundlecache fixdir ${VESPA_USER} wheel 755 var/vespa/bundlecache/configserver fixdir ${VESPA_USER} wheel 755 var/vespa/cache/config/ -chown -hR ${VESPA_USER} logs/vespa -chown -hR ${VESPA_USER} var/db/vespa +if [ "${VESPA_UNPRIVILEGED}" != yes ]; then + chown -hR ${VESPA_USER} logs/vespa + chown -hR ${VESPA_USER} var/db/vespa +fi # END directory fixups |