From 0c21cb71efd5f81164c67f493f6070714ff3c287 Mon Sep 17 00:00:00 2001
|
|
From: gaohuatao <gaohuatao@huawei.com>
|
|
Date: Wed, 21 Oct 2020 09:19:45 -0400
|
|
Subject: [PATCH 09/28] add non root group
|
|
|
|
Signed-off-by: gaohuatao <gaohuatao@huawei.com>
|
|
---
|
|
src/cmd/isulad/main.c | 20 ++++++++++++-----
|
|
src/common/constants.h | 2 ++
|
|
src/daemon/config/isulad_config.c | 31 +-------------------------
|
|
src/utils/cutils/utils_file.c | 36 +++++++++++++++++++++++++++++++
|
|
src/utils/cutils/utils_file.h | 2 ++
|
|
5 files changed, 56 insertions(+), 35 deletions(-)
|
|
|
|
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
|
|
index 7a932b6..9297aad 100644
|
|
--- a/src/cmd/isulad/main.c
|
|
+++ b/src/cmd/isulad/main.c
|
|
@@ -81,20 +81,30 @@ static int create_client_run_path(const char *group)
|
|
{
|
|
int ret = 0;
|
|
const char *rundir = "/var/run/isula";
|
|
+
|
|
if (group == NULL) {
|
|
return -1;
|
|
}
|
|
- ret = util_mkdir_p(rundir, DEFAULT_SECURE_DIRECTORY_MODE);
|
|
- if (ret < 0) {
|
|
+
|
|
+ if (util_mkdir_p(rundir, ISULA_CLIENT_DIRECTORY_MODE) < 0) {
|
|
ERROR("Unable to create client run directory %s.", rundir);
|
|
- return ret;
|
|
+ ret = -1;
|
|
+ goto out;
|
|
}
|
|
|
|
- ret = chmod(rundir, DEFAULT_SECURE_DIRECTORY_MODE);
|
|
- if (ret < 0) {
|
|
+ if (chmod(rundir, ISULA_CLIENT_DIRECTORY_MODE) < 0) {
|
|
ERROR("Failed to chmod for client run path: %s", rundir);
|
|
+ ret = -1;
|
|
+ goto out;
|
|
}
|
|
|
|
+ if (util_set_file_group(rundir, group) != 0) {
|
|
+ ERROR("set group of the path: %s failed", rundir);
|
|
+ ret = -1;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+out:
|
|
return ret;
|
|
}
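Review bot: The directory is relaxed to group-writable by the `chmod(rundir, ISULA_CLIENT_DIRECTORY_MODE)` call before the group is assigned by `util_set_file_group`, so if /var/run/isula already exists with a different group (util_mkdir_p presumably succeeds on an existing directory, I cannot see its body) there is a window in which that other group holds write access to the client run path. Swapping the two calls — `util_set_file_group(rundir, group)` first, then `chmod(rundir, ISULA_CLIENT_DIRECTORY_MODE)` — keeps the directory at its previous mode until it belongs to the intended group. Note also that util_set_file_group returns 0 without changing ownership when the group is "docker" or "isula" and does not exist, so in that case the path is left 0770 under whatever group it already had; a comment at the call site, `/* group may be left unchanged for a missing docker/isula group; mode is still 0770 */`, would make that visible to the next reader.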
|
|
|
|
diff --git a/src/common/constants.h b/src/common/constants.h
|
|
index 420ac92..52bb0a8 100644
|
|
--- a/src/common/constants.h
|
|
+++ b/src/common/constants.h
|
|
@@ -26,6 +26,8 @@ extern "C" {
|
|
|
|
#define DEFAULT_SECURE_DIRECTORY_MODE 0750
|
|
|
|
+#define ISULA_CLIENT_DIRECTORY_MODE 0770
|
|
+
|
|
#define USER_REMAP_DIRECTORY_MODE 0751
|
|
|
|
#define ROOTFS_MNT_DIRECTORY_MODE 0640
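Review bot: `ISULA_CLIENT_DIRECTORY_MODE 0770` is added without a comment and is the only mode in this list that grants group write, so a reader cannot tell from the constant alone that this is intentional. Suggest a one-line comment above it, `/* 0770: deliberately group-writable; applied to /var/run/isula after it is chowned to the configured client group */`, so the group-write bit is not "fixed" to 0750 later by someone aligning it with DEFAULT_SECURE_DIRECTORY_MODE.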
|
|
diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c
|
|
index c79c6a1..4832985 100644
|
|
--- a/src/daemon/config/isulad_config.c
|
|
+++ b/src/daemon/config/isulad_config.c
|
|
@@ -13,7 +13,6 @@
|
|
* Description: provide container configure definition
|
|
******************************************************************************/
|
|
#include <unistd.h>
|
|
-#include <grp.h>
|
|
#include <sys/stat.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
@@ -1157,34 +1156,6 @@ out:
|
|
return ret;
|
|
}
|
|
|
|
-/* set path group */
|
|
-static int set_path_group(const char *rpath, const char *group)
|
|
-{
|
|
- struct group *grp = NULL;
|
|
- gid_t gid;
|
|
-
|
|
- grp = getgrnam(group);
|
|
-
|
|
- if (grp != NULL) {
|
|
- gid = grp->gr_gid;
|
|
- DEBUG("Group %s found, gid: %d", group, gid);
|
|
- if (chown(rpath, -1, gid) != 0) {
|
|
- DEBUG("Failed to chown %s to gid: %d", rpath, gid);
|
|
- return -1;
|
|
- }
|
|
- } else {
|
|
- if (strcmp(group, "docker") == 0 || strcmp(group, "isula") == 0) {
|
|
- DEBUG("Warning: could not change group %s to %s", rpath, group);
|
|
- } else {
|
|
- ERROR("Group %s not found", group);
|
|
- isulad_set_error_message("Group %s not found", group);
|
|
- return -1;
|
|
- }
|
|
- }
|
|
-
|
|
- return 0;
|
|
-}
|
|
-
|
|
/* set socket group */
|
|
int set_unix_socket_group(const char *socket, const char *group)
|
|
{
|
|
@@ -1205,7 +1176,7 @@ int set_unix_socket_group(const char *socket, const char *group)
|
|
goto out;
|
|
}
|
|
INFO("set socket: %s with group: %s", socket, group);
|
|
- nret = set_path_group(rpath, group);
|
|
+ nret = util_set_file_group(rpath, group);
|
|
if (nret < 0) {
|
|
ERROR("set group of the path: %s failed", rpath);
|
|
ret = -1;
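Review bot: The removed set_path_group reported a missing group through `isulad_set_error_message("Group %s not found", group)`, and the replacement util_set_file_group lives in the utils layer and only logs, so with this hunk the daemon's user-visible error for a misconfigured group is lost while the log line survives. Restore it at the call site: after `ERROR("set group of the path: %s failed", rpath);` add `isulad_set_error_message("set group of %s to %s failed", rpath, group);`. set_unix_socket_group starts and ends outside the hunk, so I cannot see whether a later path already sets a message.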
|
|
diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c
|
|
index 7a965c0..92e032b 100644
|
|
--- a/src/utils/cutils/utils_file.c
|
|
+++ b/src/utils/cutils/utils_file.c
|
|
@@ -29,6 +29,8 @@
|
|
#include <dirent.h>
|
|
#include <fcntl.h>
|
|
#include <limits.h>
|
|
+#include <sys/types.h>
|
|
+#include <grp.h>
|
|
|
|
#include "constants.h"
|
|
#include "isula_libutils/log.h"
|
|
@@ -1574,3 +1576,37 @@ out:
|
|
free(line);
|
|
return ret;
|
|
}
|
|
+
|
|
+int util_set_file_group(const char *fname, const char *group)
|
|
+{
|
|
+ int ret = 0;
|
|
+ struct group *grp = NULL;
|
|
+ gid_t gid;
|
|
+
|
|
+ if (fname == NULL || group == NULL) {
|
|
+ ERROR("Invalid NULL params");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ grp = getgrnam(group);
|
|
+ if (grp != NULL) {
|
|
+ gid = grp->gr_gid;
|
|
+ DEBUG("Group %s found, gid: %d", group, gid);
|
|
+ if (chown(fname, -1, gid) != 0) {
|
|
+ ERROR("Failed to chown %s to gid: %d", fname, gid);
|
|
+ ret = -1;
|
|
+ goto out;
|
|
+ }
|
|
+ } else {
|
|
+ if (strcmp(group, "docker") == 0 || strcmp(group, "isula") == 0) {
|
|
+ DEBUG("Warning: could not change group %s to %s", fname, group);
|
|
+ } else {
|
|
+ ERROR("Group %s not found", group);
|
|
+ ret = -1;
|
|
+ goto out;
|
|
+ }
|
|
+ }
|
|
+
|
|
+out:
|
|
+ return ret;
|
|
+}
|
|
diff --git a/src/utils/cutils/utils_file.h b/src/utils/cutils/utils_file.h
|
|
index 1bd2d69..3aff3d6 100644
|
|
--- a/src/utils/cutils/utils_file.h
|
|
+++ b/src/utils/cutils/utils_file.h
|
|
@@ -98,6 +98,8 @@ typedef bool (*read_line_callback_t)(const char *, void *context);
|
|
|
|
int util_proc_file_line_by_line(FILE *fp, read_line_callback_t cb, void *context);
|
|
|
|
+int util_set_file_group(const char *fname, const char *group);
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
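Review bot: The new `util_set_file_group` prototype has no doc comment, and its contract is not obvious: it returns 0 even when the group is missing, provided the name is "docker" or "isula", in which case ownership is left unchanged. A short comment above the declaration should say so, roughly: change the group of fname to the named group; returns 0 on success, -1 on NULL arguments, chown failure, or an unknown group, except that an unknown "docker"/"isula" group is tolerated and leaves fname's ownership untouched. Without that, callers that rely on the group actually being applied (the 0770 client run directory in main.c) cannot tell from the header that a success return may mean "nothing was done".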
|
|
--
|
|
2.20.1
|
|
|