author | Lou Berger <lberger@labn.net> | 2016-09-06 16:52:31 +0200 |
---|---|---|
committer | Donald Sharp <sharpd@cumulusnetworks.com> | 2016-09-09 22:06:59 +0200 |
commit | a008f49a85c3891eb4ac469346bec24036fd0e87 (patch) | |
tree | bb58434396b8de8df2ec5c31c53cbaec158fc548 | |
parent | bgpd: Fix startup a bit more (diff) | |
bgpd: Add flag to not change e{u,g}id on startup and run as unprivileged user
* bgp_main.c: add the -S / --skip_runas flag so that the effective user/group
are not changed at startup. Enables bgpd to be run by an unprivileged user.
-rw-r--r-- | bgpd/bgp_main.c | 19 | ||||
-rw-r--r-- | doc/bgpd.8 | 5 |
2 files changed, 20 insertions, 4 deletions
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index 54e732977..5ef8154fa 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -68,6 +68,7 @@ static const struct option longopts[] =
 { "no_kernel", no_argument, NULL, 'n'},
 { "user", required_argument, NULL, 'u'},
 { "group", required_argument, NULL, 'g'},
+ { "skip_runas", no_argument, NULL, 'S'},
 { "version", no_argument, NULL, 'v'},
 { "dryrun", no_argument, NULL, 'C'},
 { "help", no_argument, NULL, 'h'},
@@ -163,6 +164,7 @@ redistribution between different routing protocols.\n\n\
 -n, --no_kernel Do not install route to kernel.\n\
 -u, --user User to run as\n\
 -g, --group Group to run as\n\
+-S, --skip_runas Skip user and group run as\n\
 -v, --version Print program version\n\
 -C, --dryrun Check configuration for validity and exit\n\
 -h, --help Display this help and exit\n\
@@ -200,9 +202,12 @@ sigint (void)
 zlog_notice ("Terminating on signal");
 if (! retain_mode)
- bgp_terminate ();
+ {
+ bgp_terminate ();
+ if (bgpd_privs.user) /* NULL if skip_runas flag set */
+ zprivs_terminate (&bgpd_privs);
+ }
- zprivs_terminate (&bgpd_privs);
 bgp_exit (0);
 exit (0);
@@ -408,6 +413,7 @@ main (int argc, char **argv)
 char *progname;
 struct thread thread;
 int tmp_port;
+ int skip_runas = 0;
 /* Set umask before anything for security */
 umask (0027);
@@ -421,7 +427,7 @@ main (int argc, char **argv)
 /* Command line argument treatment. */
 while (1)
 {
- opt = getopt_long (argc, argv, "df:i:z:hp:l:A:P:rnu:g:vC", longopts, 0);
+ opt = getopt_long (argc, argv, "df:i:z:hp:l:A:P:rnu:g:vCS", longopts, 0);
 if (opt == EOF)
 break;
@@ -479,6 +485,9 @@ main (int argc, char **argv)
 case 'g':
 bgpd_privs.group = optarg;
 break;
+ case 'S': /* skip run as = override bgpd_privs */
+ skip_runas = 1;
+ break;
 case 'v':
 print_version (progname);
 exit (0);
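Review bot: zprivs_terminate is now reached only inside the `if (! retain_mode)` block, so a daemon started with -r exits without the call the old code made unconditionally; if that is not intended, the guarded call belongs after the block, where the removed line stood. The guard also infers the -S case from `bgpd_privs.user` being NULL, which couples the signal handler to the memset in main and, presumably, to whether the structure carries a compiled-in default user — worth confirming. A file-scope `static int skip_runas` set by the option parser and tested here as `if (! skip_runas) zprivs_terminate (&bgpd_privs);` would state the intent directly and make the comment on the `if` unnecessary. sigint's body begins before the hunk.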
@@ -497,7 +506,11 @@ main (int argc, char **argv)
 zlog_default = openzlog (progname, ZLOG_BGP, 0, LOG_CONS|LOG_NDELAY|LOG_PID, LOG_DAEMON);
+
+ if (skip_runas)
+ memset (&bgpd_privs, 0, sizeof (bgpd_privs));
 zprivs_init (&bgpd_privs);
+
 #if defined(HAVE_CUMULUS)
 zlog_set_level (NULL, ZLOG_DEST_SYSLOG, zlog_default->default_lvl);
 #endif
diff --git a/doc/bgpd.8 b/doc/bgpd.8
index 67143c2c5..7e90eaec5 100644
--- a/doc/bgpd.8
+++ b/doc/bgpd.8
@@ -6,7 +6,7 @@ software
 .SH SYNOPSIS
 .B bgpd
 [
-.B \-dhrv
+.B \-dhrSv
 ] [
 .B \-f
 .I config-file
@@ -74,6 +74,9 @@ Specify the user to run as. Default is \fIquagga\fR.
 \fB\-r\fR, \fB\-\-retain\fR
 When the program terminates, retain routes added by \fBbgpd\fR.
 .TP
+\fB\-S\fR, \fB\-\-skip_runas\fR
+Skip setting the process effective user and group.
+.TP
 \fB\-v\fR, \fB\-\-version\fR
 Print the version and exit.
 .SH FILES |
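Review bot: The `memset` wipes every field of `bgpd_privs`, not just user and group, so whatever else the structure carries into zprivs_init is discarded as well, and a `-u` or `-g` given together with `-S` is silently dropped after the option loop has already stored it. Since the commit's purpose is running bgpd as an already-unprivileged user, a process that is nonetheless started as root with `-S` presumably keeps its full privileges for its lifetime, which neither the help text nor the man page says. Suggest clearing only the two fields, `if (skip_runas) bgpd_privs.user = bgpd_privs.group = NULL;`, if zprivs_init accepts that (not verifiable from this hunk), and reporting a usage error when `-S` is combined with `-u`/`-g` instead of overriding them. main's body continues on both sides of the hunk.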