From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Gibson To: passt-dev@passt.top Subject: [PATCH 01/10] Don't store UID & GID persistently in the context structure Date: Wed, 07 Sep 2022 11:45:00 +1000 Message-ID: <20220907014509.3480812-2-david@gibson.dropbear.id.au> In-Reply-To: <20220907014509.3480812-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4151143095646160184==" --===============4151143095646160184== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit c->uid and c->gid are first set in conf(), and last used in check_root() itself called from conf(). Therefore these don't need to be fields in the long lived context structure and can instead be locals in conf(). Signed-off-by: David Gibson --- conf.c | 8 +++++--- passt.h | 5 ----- util.c | 12 ++++++------ util.h | 2 +- 4 files changed, 12 insertions(+), 15 deletions(-) diff --git a/conf.c b/conf.c index 2edb4ae..0fe5266 100644 --- a/conf.c +++ b/conf.c @@ -1086,6 +1086,8 @@ void conf(struct ctx *c, int argc, char **argv) uint32_t *dns4 = c->ip4.dns; int name, ret, mask, b, i; unsigned int ifi = 0; + uid_t uid = 0; + gid_t gid = 0; if (c->mode == MODE_PASTA) c->no_dhcp_dns = c->no_dhcp_dns_search = 1; @@ -1208,12 +1210,12 @@ void conf(struct ctx *c, int argc, char **argv) c->trace = c->debug = c->foreground = 1; break; case 12: - if (c->uid || c->gid) { + if (uid || gid) { err("Multiple --runas options given"); usage(argv[0]); } - if (conf_runas(optarg, &c->uid, &c->gid)) { + if (conf_runas(optarg, &uid, &gid)) { err("Invalid --runas option: %s", optarg); usage(argv[0]); } @@ -1497,7 +1499,7 @@ void conf(struct ctx *c, int argc, char **argv) } } while (name != -1); - check_root(c); + check_root(&uid, &gid); if (c->mode == MODE_PASTA) { if (*netns && optind != argc) { diff --git a/passt.h b/passt.h index 347e7c1..3035430 100644 --- a/passt.h +++ b/passt.h @@ -144,8 +144,6 @@ struct ip6_ctx { * @sock_path: Path for UNIX domain socket * @pcap: Path for packet capture file * @pid_file: Path to PID file, empty string if not configured - * @uid: UID we should drop to, if started as root - * @gid: GID we should drop to, if started as root * @pasta_netns_fd: File descriptor for network namespace in pasta mode * @pasta_userns_fd: Descriptor for user namespace to join, -1 once joined * @netns_only: In pasta mode, don't join or create a user namespace @@ -198,9 +196,6 @@ struct ctx { char pcap[PATH_MAX]; char pid_file[PATH_MAX]; - uid_t uid; - uid_t gid; - int pasta_netns_fd; int pasta_userns_fd; int netns_only; diff --git a/util.c b/util.c index 7e10deb..b2ccb3d 100644 --- a/util.c +++ b/util.c @@ -485,7 +485,7 @@ void drop_caps(void) /** * check_root() - Check if root in init ns, exit if we can't drop to user */ -void check_root(struct ctx *c) +void check_root(uid_t *uid, gid_t *gid) { const char root_uid_map[] = " 0 0 4294967295"; struct passwd *pw; @@ -506,7 +506,7 @@ void check_root(struct ctx *c) close(fd); - if (!c->uid) { + if (!*uid) { fprintf(stderr, "Don't run as root. Changing to nobody...\n"); #ifndef GLIBC_NO_STATIC_NSS pw = getpwnam("nobody"); @@ -515,17 +515,17 @@ void check_root(struct ctx *c) exit(EXIT_FAILURE); } - c->uid = pw->pw_uid; - c->gid = pw->pw_gid; + *uid = pw->pw_uid; + *gid = pw->pw_gid; #else (void)pw; /* Common value for 'nobody', not really specified */ - c->uid = c->gid = 65534; + *uid = *gid = 65534; #endif } - if (!setgroups(0, NULL) && !setgid(c->gid) && !setuid(c->uid)) + if (!setgroups(0, NULL) && !setgid(*gid) && !setuid(*uid)) return; fprintf(stderr, "Can't change user/group, exiting"); diff --git a/util.h b/util.h index 8297bec..58312fb 100644 --- a/util.h +++ b/util.h @@ -234,7 +234,7 @@ char *line_read(char *buf, size_t len, int fd); void procfs_scan_listen(struct ctx *c, uint8_t proto, int ip_version, int ns, uint8_t *map, uint8_t *exclude); void drop_caps(void); -void check_root(struct ctx *c); +void check_root(uid_t *uid, gid_t *gid); int ns_enter(const struct ctx *c); void write_pidfile(int fd, pid_t pid); int __daemon(int pidfile_fd, int devnull_fd); -- 2.37.3 --===============4151143095646160184==--