aboutgitcodebugslistschat
diff options
context:
space:
mode:
authorDavid Gibson <david@gibson.dropbear.id.au>2022-09-12 22:23:59 +1000
committerStefano Brivio <sbrivio@redhat.com>2022-09-13 05:31:51 +0200
commit7330ae3abfba9722c04e6c52ae6222de47016834 (patch)
tree7fcedad80d3f101ac08247ec4136224cbec4bad8
parente2cae8f1c3651b1237a3042b4ba6211155aa58f1 (diff)
downloadpasst-7330ae3abfba9722c04e6c52ae6222de47016834.tar
passt-7330ae3abfba9722c04e6c52ae6222de47016834.tar.gz
passt-7330ae3abfba9722c04e6c52ae6222de47016834.tar.bz2
passt-7330ae3abfba9722c04e6c52ae6222de47016834.tar.lz
passt-7330ae3abfba9722c04e6c52ae6222de47016834.tar.xz
passt-7330ae3abfba9722c04e6c52ae6222de47016834.tar.zst
passt-7330ae3abfba9722c04e6c52ae6222de47016834.zip
Don't store UID & GID persistently in the context structure
c->uid and c->gid are first set in conf(), and last used in check_root() itself called from conf(). Therefore these don't need to be fields in the long lived context structure and can instead be locals in conf(). Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-rw-r--r--conf.c8
-rw-r--r--passt.h5
-rw-r--r--util.c12
-rw-r--r--util.h2
4 files changed, 12 insertions, 15 deletions
diff --git a/conf.c b/conf.c
index 2edb4ae..0fe5266 100644
--- a/conf.c
+++ b/conf.c
@@ -1086,6 +1086,8 @@ void conf(struct ctx *c, int argc, char **argv)
uint32_t *dns4 = c->ip4.dns;
int name, ret, mask, b, i;
unsigned int ifi = 0;
+ uid_t uid = 0;
+ gid_t gid = 0;
if (c->mode == MODE_PASTA)
c->no_dhcp_dns = c->no_dhcp_dns_search = 1;
@@ -1208,12 +1210,12 @@ void conf(struct ctx *c, int argc, char **argv)
c->trace = c->debug = c->foreground = 1;
break;
case 12:
- if (c->uid || c->gid) {
+ if (uid || gid) {
err("Multiple --runas options given");
usage(argv[0]);
}
- if (conf_runas(optarg, &c->uid, &c->gid)) {
+ if (conf_runas(optarg, &uid, &gid)) {
err("Invalid --runas option: %s", optarg);
usage(argv[0]);
}
@@ -1497,7 +1499,7 @@ void conf(struct ctx *c, int argc, char **argv)
}
} while (name != -1);
- check_root(c);
+ check_root(&uid, &gid);
if (c->mode == MODE_PASTA) {
if (*netns && optind != argc) {
diff --git a/passt.h b/passt.h
index 347e7c1..3035430 100644
--- a/passt.h
+++ b/passt.h
@@ -144,8 +144,6 @@ struct ip6_ctx {
* @sock_path: Path for UNIX domain socket
* @pcap: Path for packet capture file
* @pid_file: Path to PID file, empty string if not configured
- * @uid: UID we should drop to, if started as root
- * @gid: GID we should drop to, if started as root
* @pasta_netns_fd: File descriptor for network namespace in pasta mode
* @pasta_userns_fd: Descriptor for user namespace to join, -1 once joined
* @netns_only: In pasta mode, don't join or create a user namespace
@@ -198,9 +196,6 @@ struct ctx {
char pcap[PATH_MAX];
char pid_file[PATH_MAX];
- uid_t uid;
- uid_t gid;
-
int pasta_netns_fd;
int pasta_userns_fd;
int netns_only;
diff --git a/util.c b/util.c
index 7e10deb..b2ccb3d 100644
--- a/util.c
+++ b/util.c
@@ -485,7 +485,7 @@ void drop_caps(void)
/**
* check_root() - Check if root in init ns, exit if we can't drop to user
*/
-void check_root(struct ctx *c)
+void check_root(uid_t *uid, gid_t *gid)
{
const char root_uid_map[] = " 0 0 4294967295";
struct passwd *pw;
@@ -506,7 +506,7 @@ void check_root(struct ctx *c)
close(fd);
- if (!c->uid) {
+ if (!*uid) {
fprintf(stderr, "Don't run as root. Changing to nobody...\n");
#ifndef GLIBC_NO_STATIC_NSS
pw = getpwnam("nobody");
@@ -515,17 +515,17 @@ void check_root(struct ctx *c)
exit(EXIT_FAILURE);
}
- c->uid = pw->pw_uid;
- c->gid = pw->pw_gid;
+ *uid = pw->pw_uid;
+ *gid = pw->pw_gid;
#else
(void)pw;
/* Common value for 'nobody', not really specified */
- c->uid = c->gid = 65534;
+ *uid = *gid = 65534;
#endif
}
- if (!setgroups(0, NULL) && !setgid(c->gid) && !setuid(c->uid))
+ if (!setgroups(0, NULL) && !setgid(*gid) && !setuid(*uid))
return;
fprintf(stderr, "Can't change user/group, exiting");
diff --git a/util.h b/util.h
index 8297bec..58312fb 100644
--- a/util.h
+++ b/util.h
@@ -234,7 +234,7 @@ char *line_read(char *buf, size_t len, int fd);
void procfs_scan_listen(struct ctx *c, uint8_t proto, int ip_version, int ns,
uint8_t *map, uint8_t *exclude);
void drop_caps(void);
-void check_root(struct ctx *c);
+void check_root(uid_t *uid, gid_t *gid);
int ns_enter(const struct ctx *c);
void write_pidfile(int fd, pid_t pid);
int __daemon(int pidfile_fd, int devnull_fd);