summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArne H Juul <arnej27959@users.noreply.github.com>2018-03-13 16:23:27 +0100
committerGitHub <noreply@github.com>2018-03-13 16:23:27 +0100
commit6efe23abadd6a6c2ed26ae30cee0c87e1c320b1c (patch)
treea55b1982c226d1dac991c1d0ee89104b04970b44
parenta4c426e7121405a024bd7dcc82950e7a82af9eca (diff)
parent319ed3f9435d1dc4d530f0e3ae4ff4df66185411 (diff)
Merge pull request #5288 from vespa-engine/toregge/unprivileged-vespa-try2
Changes to allow unprivileged vespa.
-rw-r--r--build_settings.cmake5
-rw-r--r--configd/src/apps/su/main.cpp9
-rwxr-xr-xconfigserver/src/main/sh/start-configserver4
-rw-r--r--vespabase/conf/default-env.txt.in1
-rwxr-xr-xvespabase/src/common-env.sh4
-rwxr-xr-xvespabase/src/rhel-prestart.sh12
6 files changed, 26 insertions, 9 deletions
diff --git a/build_settings.cmake b/build_settings.cmake
index 7616ff63ad9..547e8ca2985 100644
--- a/build_settings.cmake
+++ b/build_settings.cmake
@@ -86,6 +86,11 @@ else()
set(VESPA_USER "vespa")
endif()
+if(VESPA_UNPRIVILEGED)
+else()
+ set(VESPA_UNPRIVILEGED "no")
+endif()
+
if(EXTRA_INCLUDE_DIRECTORY)
include_directories(SYSTEM ${EXTRA_INCLUDE_DIRECTORY})
endif()
diff --git a/configd/src/apps/su/main.cpp b/configd/src/apps/su/main.cpp
index ceecc71ae5a..abef5c69036 100644
--- a/configd/src/apps/su/main.cpp
+++ b/configd/src/apps/su/main.cpp
@@ -28,17 +28,20 @@ int main(int argc, char** argv)
gid_t g = p->pw_gid;
uid_t u = p->pw_uid;
- if (setgid(g) != 0) {
+ gid_t oldg = getgid();
+ uid_t oldu = getuid();
+
+ if (g != oldg && setgid(g) != 0) {
perror("FATAL error: could not change group id");
exit(1);
}
size_t listsize = 1;
gid_t grouplist[1] = { g };
- if (setgroups(listsize, grouplist) != 0) {
+ if ((g != oldg || u != oldu) && setgroups(listsize, grouplist) != 0) {
perror("FATAL error: could not setgroups");
exit(1);
}
- if (setuid(u) != 0) {
+ if (u != oldu && setuid(u) != 0) {
perror("FATAL error: could not change user id");
exit(1);
}
diff --git a/configserver/src/main/sh/start-configserver b/configserver/src/main/sh/start-configserver
index d3c6a17b207..eed616cfe35 100755
--- a/configserver/src/main/sh/start-configserver
+++ b/configserver/src/main/sh/start-configserver
@@ -62,7 +62,7 @@ cd ${VESPA_HOME} || { echo "Cannot cd to ${VESPA_HOME}" 1>&2; exit 1; }
fixfile () {
if [ -f $1 ]; then
- if [ "${VESPA_USER}" ]; then
+ if [ "${VESPA_USER}" ] && [ "${VESPA_UNPRIVILEGED}" != yes ]; then
chown ${VESPA_USER} $1
fi
chmod 644 $1
@@ -74,7 +74,7 @@ fixddir () {
echo "Creating data directory $1"
mkdir -p $1 || exit 1
fi
- if [ "${VESPA_USER}" ]; then
+ if [ "${VESPA_USER}" ] && [ "${VESPA_UNPRIVILEGED}" != yes ]; then
chown ${VESPA_USER} $1
fi
chmod 755 $1
diff --git a/vespabase/conf/default-env.txt.in b/vespabase/conf/default-env.txt.in
index 3551cec9945..374bbd020dd 100644
--- a/vespabase/conf/default-env.txt.in
+++ b/vespabase/conf/default-env.txt.in
@@ -1,3 +1,4 @@
# Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
fallback VESPA_HOME @CMAKE_INSTALL_PREFIX@
override VESPA_USER @VESPA_USER@
+override VESPA_UNPRIVILEGED @VESPA_UNPRIVILEGED@
diff --git a/vespabase/src/common-env.sh b/vespabase/src/common-env.sh
index 76f5d69b3a4..8dfcf8d2c4c 100755
--- a/vespabase/src/common-env.sh
+++ b/vespabase/src/common-env.sh
@@ -145,6 +145,10 @@ consider_fallback VESPA_USE_NO_VESPAMALLOC $(get_var "no_vespamalloc_list")
fixlimits () {
+ # Cannot bump limits when not root (for testing)
+ if [ "${VESPA_UNPRIVILEGED}" = yes ]; then
+ return 0
+ fi
# number of open files:
if varhasvalue file_descriptor_limit; then
ulimit -n ${file_descriptor_limit} || exit 1
diff --git a/vespabase/src/rhel-prestart.sh b/vespabase/src/rhel-prestart.sh
index ebe9fe16938..2523446639b 100755
--- a/vespabase/src/rhel-prestart.sh
+++ b/vespabase/src/rhel-prestart.sh
@@ -71,8 +71,10 @@ fixdir () {
exit 1
fi
mkdir -p "$4"
- chown $1 "$4"
- chgrp $2 "$4"
+ if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
+ chown $1 "$4"
+ chgrp $2 "$4"
+ fi
chmod $3 "$4"
}
@@ -103,8 +105,10 @@ fixdir ${VESPA_USER} wheel 755 var/vespa/bundlecache
fixdir ${VESPA_USER} wheel 755 var/vespa/bundlecache/configserver
fixdir ${VESPA_USER} wheel 755 var/vespa/cache/config/
-chown -hR ${VESPA_USER} logs/vespa
-chown -hR ${VESPA_USER} var/db/vespa
+if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
+ chown -hR ${VESPA_USER} logs/vespa
+ chown -hR ${VESPA_USER} var/db/vespa
+fi
# END directory fixups