Aaron Conole <[email protected]> writes:

> Ben Pfaff <[email protected]> writes:
>
>> Well, is it ever useful to be able to drop unneeded capabilities while
>> retaining the same uid/gid?  It certainly sounds like a reasonable thing
>> to want to do.  I'm reluctant to apply this without at least considering
>> that possibility.
>
> Let me think about it a bit more.  When I originally suggested shunting
> the setuid code-path, I didn't consider this case.  There could be an
> alternative.
>
> I suggested this in response to the original proposal (add CAP_SYS_ADMIN
> to the list of retained privs).  Certainly, I don't want to allow
> CAP_SYS_ADMIN to be retained (after all, with CAP_NET_ADMIN and
> CAP_SYS_ADMIN, there's really not much reason to change uid from root at
> all - for all functional purposes the process will be root).
>
> Maybe there's a way to see that the user will be root from the
> systemd scripts and not pass the "--user=XXX:YYY" option.

Is the following patch a workable solution?  If so, I can post it
formally.  Marcos, please confirm that this resolves your issue.

---

diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in 
b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index c6d9aa1b8..889740f1a 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
@@ -13,17 +13,18 @@ Restart=on-failure
 Environment=HOME=/var/run/openvswitch
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
+EnvironmentFile=-/run/openvswitch/useropts
 @begin_dpdk@
-ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages
+ExecStartPre=-/bin/sh -c '/usr/bin/chown :${OVS_USER_ID##*:} /dev/hugepages'
 ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
 @end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
           --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           restart $OPTIONS
 TimeoutSec=300
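Review bot: the `${OVSUSER}` substitution in ExecStart/ExecReload makes this unit's privilege drop depend on `/run/openvswitch/useropts`, a file this hunk only reads (`EnvironmentFile=-/run/openvswitch/useropts`, with the `-` prefix meaning a missing file is ignored). If ovs-vswitchd is started without the ovsdb-server unit having run its ExecStartPre first, or with a stale file from an earlier OVS_USER_ID setting, `${OVSUSER}` expands to nothing and ovs-ctl starts the daemon as root with no error. The hunk does not show the `[Unit]` header, so please confirm there is a Requires=/After= on ovsdb-server.service, or else generate the file in this unit's own ExecStartPre as well. Minor: `chown :${OVS_USER_ID##*:}` now depends on systemd passing the `${...##*:}` text through to `/bin/sh` unchanged (systemd performs its own `${VAR}` expansion on command lines), and with OVS_USER_ID=root:root it changes /dev/hugepages to group root where it was previously hugetlbfs; the `-` prefix hides any failure of that step.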
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service 
b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 234d39355..e05742d87 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -11,13 +11,15 @@ Restart=on-failure
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
+ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ 
"${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo 
"OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi'
+EnvironmentFile=-/run/openvswitch/useropts
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovs-vswitchd --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
-           --ovs-user=${OVS_USER_ID} \
+           ${OVSUSER} \
            --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755
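Review bot: `"${OVS_USER_ID/:*/}"` in the new ExecStartPre is a bash-only pattern substitution, but the command is run via `/bin/sh`; on a system where sh is not bash (dash, busybox) this is a "Bad substitution" error, and since this ExecStartPre has no `-` prefix the whole unit fails to start. The POSIX form `${OVS_USER_ID%%:*}` gives the same user part and matches the `${OVS_USER_ID##*:}` style already used in the vswitchd unit. Two behavioural notes worth a comment in the unit file: an unset or empty OVS_USER_ID still writes `OVSUSER=--ovs-user=` (same as the old unconditional `--ovs-user=${OVS_USER_ID}`), and only a user literally named `root` skips the flag, so `0:0` or `root:openvswitch` would still pass `--ovs-user`. Documenting that in the unit file makes the intended behaviour explicit for people debugging the capability issue this thread is about.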
---
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev