From 591fb2bf686be770fc07d7b02d54c4ccff81620f Mon Sep 17 00:00:00 2001 From: Jason Dillaman Date: Wed, 21 Aug 2019 15:27:48 -0400 Subject: [PATCH] global: update HOME environment variable when dropping privileges k8s/rook is currently starting daemon pods under root using the "--setuser" CLI optional to drop priviledges. In the case of rbd-mirror which creates connections to remote clusters via librados, the default search path for Ceph config files includes "$home/.ceph/$cluster.conf", which before this change would evaluate to "/root/.ceph/..." and then fail with a -EPERM since that directory is not accessible by the dropped priviledges user. Signed-off-by: Jason Dillaman --- src/global/global_init.cc | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/src/global/global_init.cc b/src/global/global_init.cc index c6edb93654c..6962f42a543 100644 --- a/src/global/global_init.cc +++ b/src/global/global_init.cc @@ -214,21 +214,30 @@ global_init(const std::map *defaults, gid_t gid = 0; std::string uid_string; std::string gid_string; + std::string home_directory; if (g_conf()->setuser.length()) { + char buf[4096]; + struct passwd pa; + struct passwd *p = 0; + uid = atoi(g_conf()->setuser.c_str()); - if (!uid) { - char buf[4096]; - struct passwd pa; - struct passwd *p = 0; + if (uid) { + getpwuid_r(uid, &pa, buf, sizeof(buf), &p); + } else { getpwnam_r(g_conf()->setuser.c_str(), &pa, buf, sizeof(buf), &p); - if (!p) { + if (!p) { cerr << "unable to look up user '" << g_conf()->setuser << "'" << std::endl; exit(1); - } - uid = p->pw_uid; - gid = p->pw_gid; - uid_string = g_conf()->setuser; + } + + uid = p->pw_uid; + gid = p->pw_gid; + uid_string = g_conf()->setuser; + } + + if (p && p->pw_dir != nullptr) { + home_directory = std::string(p->pw_dir); } } if (g_conf()->setgroup.length() > 0) { @@ -289,6 +298,10 @@ global_init(const std::map *defaults, << std::endl; exit(1); } + if (setenv("HOME", home_directory.c_str(), 1) != 0) { + cerr << "warning: unable to set HOME to " << home_directory << ": " + << cpp_strerror(errno) << std::endl; + } priv_ss << "set uid:gid to " << uid << ":" << gid << " (" << uid_string << ":" << gid_string << ")"; } else { priv_ss << "deferred set uid:gid to " << uid << ":" << gid << " (" << uid_string << ":" << gid_string << ")";