You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by am...@apache.org on 2011/07/18 22:52:44 UTC
svn commit: r1148048 - in /trafficserver/traffic/trunk:
lib/tsconfig/TsValue.cc mgmt/Main.cc proxy/Main.cc
Author: amc
Date: Mon Jul 18 20:52:43 2011
New Revision: 1148048
URL: http://svn.apache.org/viewvc?rev=1148048&view=rev
Log:
TS-804 - libcap required when running standalone.
Modified:
trafficserver/traffic/trunk/lib/tsconfig/TsValue.cc
trafficserver/traffic/trunk/mgmt/Main.cc
trafficserver/traffic/trunk/proxy/Main.cc
Modified: trafficserver/traffic/trunk/lib/tsconfig/TsValue.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/lib/tsconfig/TsValue.cc?rev=1148048&r1=1148047&r2=1148048&view=diff
==============================================================================
--- trafficserver/traffic/trunk/lib/tsconfig/TsValue.cc (original)
+++ trafficserver/traffic/trunk/lib/tsconfig/TsValue.cc Mon Jul 18 20:52:43 2011
@@ -26,7 +26,8 @@
# include <TsErrataUtil.h>
# include <sys/stat.h>
-# include <malloc.h>
+# include <stdio.h>
+# include <stdlib.h>
# if !defined(_MSC_VER)
# define _fileno fileno
Modified: trafficserver/traffic/trunk/mgmt/Main.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/mgmt/Main.cc?rev=1148048&r1=1148047&r2=1148048&view=diff
==============================================================================
--- trafficserver/traffic/trunk/mgmt/Main.cc (original)
+++ trafficserver/traffic/trunk/mgmt/Main.cc Mon Jul 18 20:52:43 2011
@@ -1225,7 +1225,11 @@ restoreCapabilities() {
int zret = 0; // return value.
cap_t cap_set = cap_get_proc(); // current capabilities
// Make a list of the capabilities we want turned on.
- cap_value_t cap_list[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK };
+ cap_value_t cap_list[] = {
+ CAP_NET_ADMIN, ///< Set socket transparency.
+ CAP_NET_BIND_SERVICE, ///< Low port (e.g. 80) binding.
+ CAP_IPC_LOCK ///< Lock IPC objects.
+ };
static int const CAP_COUNT = sizeof(cap_list)/sizeof(*cap_list);
cap_set_flag(cap_set, CAP_EFFECTIVE, CAP_COUNT, cap_list, CAP_SET);
@@ -1308,7 +1312,7 @@ runAsUser(char *userName)
}
#if TS_USE_POSIX_CAP
- if (restoreCapabilities()) {
+ if (0 != restoreCapabilities()) {
mgmt_elog(stderr, "[runAsUser] Error: Failed to restore capabilities after switch to user %s.\n", userName);
}
#endif
Modified: trafficserver/traffic/trunk/proxy/Main.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/Main.cc?rev=1148048&r1=1148047&r2=1148048&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/Main.cc (original)
+++ trafficserver/traffic/trunk/proxy/Main.cc Mon Jul 18 20:52:43 2011
@@ -1556,6 +1556,7 @@ main(int argc, char **argv)
#if TS_HAS_PROFILER
ProfilerStart("/tmp/ts.prof");
#endif
+ bool found_admin_user = false;
NOWARN_UNUSED(argc);
@@ -1634,24 +1635,31 @@ main(int argc, char **argv)
if (!num_task_threads)
TS_ReadConfigInteger(num_task_threads, "proxy.config.task_threads");
- // change the user of the process
- // do this before we start threads so we control the user id of the
- // threads (rather than have it change asynchronously during thread
- // execution). We also need to do this before we fiddle with capabilities
- // as those are thread local and if we change the user id it will
- // modified the capabilities in other threads, breaking things.
const long max_login = sysconf(_SC_LOGIN_NAME_MAX) <= 0 ? _POSIX_LOGIN_NAME_MAX : sysconf(_SC_LOGIN_NAME_MAX);
char *user = (char *)xmalloc(max_login);
*user = '\0';
- if ((TS_ReadConfigString(user, "proxy.config.admin.user_id",
- max_login) == REC_ERR_OKAY) &&
- user[0] != '\0' &&
- strcmp(user, "#-1")) {
+ found_admin_user =
+ (REC_ERR_OKAY ==
+ TS_ReadConfigString(user, "proxy.config.admin.user_id", max_login)
+ )
+ && user[0] != '\0'
+ && 0 != strcmp(user, "#-1")
+ ;
+
+# if TS_USE_POSIX_CAPS
+ // Change the user of the process.
+ // Do this before we start threads so we control the user id of the
+ // threads (rather than have it change asynchronously during thread
+ // execution). We also need to do this before we fiddle with capabilities
+ // as those are thread local and if we change the user id it will
+ // modify the capabilities in other threads, breaking things.
+ if (found_admin_user) {
PreserveCapabilities();
change_uid_gid(user);
RestrictCapabilities();
xfree(user);
}
+# endif
// Can't generate a log message yet, do that right after Diags is
// setup.
@@ -1955,6 +1963,13 @@ main(int argc, char **argv)
run_AutoStop();
}
+# if ! TS_USE_POSIX_CAP
+ if (found_admin_user) {
+ change_uid_gid(user);
+ xfree(user);
+ }
+# endif
+
this_thread()->execute();
}