conf: Add --runas option, changing to given UID and GID if started as root
On some systems, user and group "nobody" might not be available. The new --runas option allows to override the default "nobody" choice if started as root. Now that we allow this, drop the initgroups() call that was used to add any additional groups for the given user, as that might now grant unnecessarily broad permissions. For instance, several distributions have a "kvm" group to allow regular user access to /dev/kvm, and we don't need that in passt or pasta. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
c318ffcb4c
commit
a951e0b9ef
6 changed files with 135 additions and 46 deletions
5
passt.h
5
passt.h
|
@ -106,6 +106,8 @@ enum passt_modes {
|
|||
* @sock_path: Path for UNIX domain socket
|
||||
* @pcap: Path for packet capture file
|
||||
* @pid_file: Path to PID file, empty string if not configured
|
||||
* @uid: UID we should drop to, if started as root
|
||||
* @gid: GID we should drop to, if started as root
|
||||
* @pasta_netns_fd: File descriptor for network namespace in pasta mode
|
||||
* @pasta_userns_fd: Descriptor for user namespace to join, -1 once joined
|
||||
* @netns_only: In pasta mode, don't join or create a user namespace
|
||||
|
@ -170,6 +172,9 @@ struct ctx {
|
|||
char pcap[PATH_MAX];
|
||||
char pid_file[PATH_MAX];
|
||||
|
||||
uid_t uid;
|
||||
uid_t gid;
|
||||
|
||||
int pasta_netns_fd;
|
||||
int pasta_userns_fd;
|
||||
int netns_only;
|
||||
|
|
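Review bot: `uid_t gid;` in the `struct ctx` hunk declares the group ID with the user-ID type; POSIX defines `gid_t` separately and the two are not guaranteed to share width or signedness, so the field should read `gid_t gid;` to match what setgid()/setresgid() take and the `@gid: GID we should drop to, if started as root` comment added in the first hunk. The conf.c and passt.c sides of this commit are not on this page, so whatever parses the --runas value into this field and later consumes it presumably also wants `gid_t` rather than `uid_t`; worth checking those files for the same mismatch. The struct ctx definition starts and ends outside the hunk.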