global: update HOME environment variable when dropping privileges

k8s/rook is currently starting daemon pods under root using the
"--setuser" CLI option to drop privileges. In the case of
rbd-mirror which creates connections to remote clusters via librados,
the default search path for Ceph config files includes
"$home/.ceph/$cluster.conf", which before this change would evaluate
to "/root/.ceph/..." and then fail with a -EPERM since that directory
is not accessible by the unprivileged user.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>
Jason Dillaman 2019-08-21 15:27:48 -04:00
parent dad94db7ae
commit 591fb2bf68


@ -214,21 +214,30 @@ global_init(const std::map<std::string,std::string> *defaults,
gid_t gid = 0;
std::string uid_string;
std::string gid_string;
std::string home_directory;
if (g_conf()->setuser.length()) {
char buf[4096];
struct passwd pa;
struct passwd *p = 0;
uid = atoi(g_conf()->setuser.c_str());
if (!uid) {
char buf[4096];
struct passwd pa;
struct passwd *p = 0;
if (uid) {
getpwuid_r(uid, &pa, buf, sizeof(buf), &p);
} else {
getpwnam_r(g_conf()->setuser.c_str(), &pa, buf, sizeof(buf), &p);
if (!p) {
if (!p) {
cerr << "unable to look up user '" << g_conf()->setuser << "'"
<< std::endl;
exit(1);
}
uid = p->pw_uid;
gid = p->pw_gid;
uid_string = g_conf()->setuser;
}
uid = p->pw_uid;
gid = p->pw_gid;
uid_string = g_conf()->setuser;
}
if (p && p->pw_dir != nullptr) {
home_directory = std::string(p->pw_dir);
}
}
if (g_conf()->setgroup.length() > 0) {
@ -289,6 +298,10 @@ global_init(const std::map<std::string,std::string> *defaults,
<< std::endl;
exit(1);
}
if (setenv("HOME", home_directory.c_str(), 1) != 0) {
cerr << "warning: unable to set HOME to " << home_directory << ": "
<< cpp_strerror(errno) << std::endl;
}
priv_ss << "set uid:gid to " << uid << ":" << gid << " (" << uid_string << ":" << gid_string << ")";
} else {
priv_ss << "deferred set uid:gid to " << uid << ":" << gid << " (" << uid_string << ":" << gid_string << ")";
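Review bot: The `setenv("HOME", ...)` call added in the second hunk runs even when `home_directory` is still empty, so the process can end up with HOME overwritten by an empty string instead of keeping the inherited value. In the first hunk, `home_directory` stays empty when `p` is null after `getpwuid_r` (a numeric `--setuser` value with no passwd entry; the call's return value is not checked) or when `pw_dir` is null. It presumably also stays empty when only `setgroup` is configured, though the condition guarding this branch is outside the hunk. With HOME empty, the "$home/.ceph/$cluster.conf" search path from the commit message would likely resolve under the filesystem root rather than a directory owned by the target user, which is worth avoiding for a config file that names remote clusters. I would guard the call, `if (!home_directory.empty() && setenv("HOME", home_directory.c_str(), 1) != 0) {`, and note that `global_init` begins and ends outside both hunks.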