From 977f7fb21f231f1df811533c6cd578d5542e3d6e Mon Sep 17 00:00:00 2001 From: Donald Buczek Date: Thu, 8 Oct 2015 22:39:30 +0200 Subject: [PATCH 1/3] mxqd: allow to be run as as non-root --- mxqd.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/mxqd.c b/mxqd.c index 9ab4fda..0a00e0f 100644 --- a/mxqd.c +++ b/mxqd.c @@ -348,11 +348,6 @@ int server_init(struct mxq_server *server, int argc, char *argv[]) exit(EX_USAGE); } - if (getuid()) { - mx_log_err("Running mxqd as non-root user is not supported at the moment."); - exit(EX_USAGE); - } - memset(server, 0, sizeof(*server)); res = mx_mysql_initialize(&(server->mysql)); @@ -411,6 +406,10 @@ int server_init(struct mxq_server *server, int argc, char *argv[]) } } + if (getuid()) { + mx_log_notice("Running mxqd as non-root user."); + } + res = mx_read_first_line_from_file("/proc/sys/kernel/random/boot_id", &str_bootid); assert(res == 36); assert(str_bootid); From 71a8239de5b65697304888a7044af13e32dc62f2 Mon Sep 17 00:00:00 2001 From: Donald Buczek Date: Wed, 14 Oct 2015 14:09:03 +0200 Subject: [PATCH 2/3] mxqd: don't attempt privileged operations when running as non-root --- mxqd.c | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/mxqd.c b/mxqd.c index 0a00e0f..32fbf29 100644 --- a/mxqd.c +++ b/mxqd.c @@ -875,27 +875,30 @@ static int init_child_process(struct mxq_group_list *group, struct mxq_job *j) g->user_name, g->user_uid, g->group_id, j->job_id); } - res = initgroups(passwd->pw_name, g->user_gid); - if (res == -1) { - mx_log_err("job=%s(%d):%lu:%lu initgroups() failed: %m", - g->user_name, g->user_uid, g->group_id, j->job_id); - return 0; - } + if(getuid()==0) { - res = setregid(g->user_gid, g->user_gid); - if (res == -1) { - mx_log_err("job=%s(%d):%lu:%lu setregid(%d, %d) failed: %m", - g->user_name, g->user_uid, g->group_id, j->job_id, - g->user_gid, g->user_gid); - return 0; - } + res = initgroups(passwd->pw_name, g->user_gid); + if (res == -1) { + mx_log_err("job=%s(%d):%lu:%lu initgroups() failed: %m", + g->user_name, g->user_uid, g->group_id, j->job_id); + return 0; + } - res = setreuid(g->user_uid, g->user_uid); - if (res == -1) { - mx_log_err("job=%s(%d):%lu:%lu setreuid(%d, %d) failed: %m", - g->user_name, g->user_uid, g->group_id, j->job_id, - g->user_uid, g->user_uid); - return 0; + res = setregid(g->user_gid, g->user_gid); + if (res == -1) { + mx_log_err("job=%s(%d):%lu:%lu setregid(%d, %d) failed: %m", + g->user_name, g->user_uid, g->group_id, j->job_id, + g->user_gid, g->user_gid); + return 0; + } + + res = setreuid(g->user_uid, g->user_uid); + if (res == -1) { + mx_log_err("job=%s(%d):%lu:%lu setreuid(%d, %d) failed: %m", + g->user_name, g->user_uid, g->group_id, j->job_id, + g->user_uid, g->user_uid); + return 0; + } } res = chdir(j->job_workdir); From 55a81dcfbfd47114c9aef5dfad57bf2859681973 Mon Sep 17 00:00:00 2001 From: Donald Buczek Date: Wed, 14 Oct 2015 17:58:13 +0200 Subject: [PATCH 3/3] mxqd: require compiletime flag to run as non-root --- mxqd.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mxqd.c b/mxqd.c index 32fbf29..cda23e8 100644 --- a/mxqd.c +++ b/mxqd.c @@ -407,7 +407,12 @@ int server_init(struct mxq_server *server, int argc, char *argv[]) } if (getuid()) { +#ifdef RUNASNORMALUSER mx_log_notice("Running mxqd as non-root user."); +#else + mx_log_err("Running mxqd as non-root user is not supported at the moment."); + exit(EX_USAGE); +#endif } res = mx_read_first_line_from_file("/proc/sys/kernel/random/boot_id", &str_bootid);