instances can now start as a !root user

Signed-off-by: John Crispin <blogic@openwrt.org>

diff --git a/service/instance.c b/service/instance.c
index c22e546b945ee9e636ff6b6bf918a601694dcd31..6dfc61b698b4620b66885dcaa7d792a47c374d4e 100644 (file)
--- a/service/instance.c
+++ b/service/instance.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 #include <stdint.h>
 #include <fcntl.h>
+#include <pwd.h>
 
 #include <libubox/md5.h>
 
@@ -40,6 +41,7 @@ enum {
        INSTANCE_ATTR_LIMITS,
        INSTANCE_ATTR_WATCH,
        INSTANCE_ATTR_ERROR,
+       INSTANCE_ATTR_USER,
        __INSTANCE_ATTR_MAX
 };
 
@@ -55,6 +57,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = {
        [INSTANCE_ATTR_LIMITS] = { "limits", BLOBMSG_TYPE_TABLE },
        [INSTANCE_ATTR_WATCH] = { "watch", BLOBMSG_TYPE_ARRAY },
        [INSTANCE_ATTR_ERROR] = { "error", BLOBMSG_TYPE_ARRAY },
+       [INSTANCE_ATTR_USER] = { "user", BLOBMSG_TYPE_STRING },
 };
 
 struct instance_netdev {
@@ -158,6 +161,10 @@ instance_run(struct service_instance *in)
                if (fd > STDERR_FILENO)
                        close(fd);
        }
+       if (in->uid || in->gid) {
+               setuid(in->uid);
+               setgid(in->gid);
+       }
        execvp(argv[0], argv);
        exit(127);
 }
@@ -291,6 +298,12 @@ instance_config_changed(struct service_instance *in, struct service_instance *in
        if (in->nice != in_new->nice)
                return true;
 
+       if (in->uid != in_new->uid)
+               return true;
+
+       if (in->gid != in_new->gid)
+               return true;
+
        if (!blobmsg_list_equal(&in->limits, &in_new->limits))
                return true;
 
@@ -450,6 +463,14 @@ instance_config_parse(struct service_instance *in)
                        return false;
        }
 
+       if (tb[INSTANCE_ATTR_USER]) {
+               struct passwd *p = getpwnam(blobmsg_get_string(tb[INSTANCE_ATTR_USER]));
+               if (p) {
+                       in->uid = p->pw_uid;
+                       in->gid = p->pw_gid;
+               }
+       }
+
        instance_fill_any(&in->data, tb[INSTANCE_ATTR_DATA]);
 
        if (!instance_fill_array(&in->env, tb[INSTANCE_ATTR_ENV], NULL, false))

diff --git a/service/instance.h b/service/instance.h
index a492f387eaa2bd3d4c8caf8d60e88ae95b602d9a..f76e79573986c2f9b663681e23fd1bb299edb60f 100644 (file)
--- a/service/instance.h
+++ b/service/instance.h
@@ -29,6 +29,9 @@ struct service_instance {
        int8_t nice;
        bool valid;
 
+       uid_t uid;
+       gid_t gid;
+
        bool halt;
        bool restart;
        bool respawn;