From 6a63007b05c45bcb8a2b317d41b5866457304545 Mon Sep 17 00:00:00 2001
From: Nir Soffer
Date: Jan 12 2018 15:42:03 +0000
Subject: Add SANLOCK_PRIVILEGED environment variable
Setting this variable to 0, sanlock daemon will skip operations that requires privileges. This allows running sanlock daemon as regular user in the tests. When running the daemon, we log a warning if this variable is set to to non default value.
Signed-off-by: Nir Soffer
---
diff --git a/src/main.c b/src/main.c
index 747e4c2..5be949b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -88,6 +88,7 @@ static struct random_data rand_data;
 static char rand_state[32];
 static pthread_mutex_t rand_mutex = PTHREAD_MUTEX_INITIALIZER;
 static const char *run_dir = NULL;
+static int privileged = 1;
 static void close_helper(void)
 {
@@ -1428,6 +1429,9 @@ static void setup_limits(void)
 int rv;
 struct rlimit rlim = { .rlim_cur = -1, .rlim_max= -1 };
+ if (!privileged)
+ return;
+
 rv = setrlimit(RLIMIT_MEMLOCK, &rlim);
 if (rv < 0) {
 log_error("cannot set the limits for memlock %i", errno);
@@ -1451,7 +1455,7 @@ static void setup_groups(void)
 {
 int rv;
- if (!com.uname || !com.gname)
+ if (!com.uname || !com.gname || !privileged)
 return;
 rv = initgroups(com.uname, com.gid);
@@ -1464,7 +1468,7 @@ static void setup_uid_gid(void)
 {
 int rv;
- if (!com.uname || !com.gname)
+ if (!com.uname || !com.gname || !privileged)
 return;
 rv = setgid(com.gid);
@@ -1634,6 +1638,7 @@ static int do_daemon(void)
 int fd, rv;
 run_dir = env_get(SANLOCK_RUN_DIR, DEFAULT_RUN_DIR);
+ privileged = env_get_bool(SANLOCK_PRIVILEGED, 1);
 /* This can take a while so do it before forking. */
 setup_groups();
@@ -1671,6 +1676,10 @@ static int do_daemon(void)
 if (strcmp(run_dir, DEFAULT_RUN_DIR))
 log_warn("Using non-standard run directory '%s'", run_dir);
+ if (!privileged)
+ log_warn("Running in unprivileged mode");
+
+
 fd = lockfile(run_dir, SANLK_LOCKFILE_NAME, com.uid, com.gid);
 if (fd < 0) {
 close_logging();
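Review bot: The early return added at the top of setup_limits has no comment saying why the limits are left alone, and it skips everything the function sets, of which only the RLIMIT_MEMLOCK call is visible in this hunk. A one-line comment above the check would record the intent: `/* unprivileged (test) mode: keep the inherited limits, raising them needs privileges */`. The function body continues past the end of the hunk.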
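Review bot: Adding `!privileged` to the guard in setup_groups, and to the identical guard in setup_uid_gid in the next hunk, skips initgroups() and setgid() whenever the variable is 0, including when the daemon was in fact started as root. In that case the process keeps root's identity and supplementary groups, and the only trace is a warning in the log. The flag comes from the environment and nothing in the visible hunks compares it with the real credentials. do_daemon should fail startup before setup_groups() runs when the two disagree, with a check such as `if (!privileged && geteuid() == 0)` followed by an error and an early exit. Both function bodies continue outside their hunks, so any uid change after the visible setgid() call is presumably skipped as well.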
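Review bot: An unparsable SANLOCK_PRIVILEGED value must not be able to switch privilege handling off, and the assignment `privileged = env_get_bool(SANLOCK_PRIVILEGED, 1);` does not show what env_get_bool returns for an empty or malformed string, since that helper is not on this page. For this switch only an explicit false value should yield 0 and everything else should fall back to the default of 1, which is worth confirming in the helper. A comment above the assignment would document the contract: `/* Test-only: SANLOCK_PRIVILEGED=0 skips setrlimit/initgroups/setgid; any other value keeps the privileged default. */`. do_daemon starts and ends outside this hunk.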
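Review bot: The added block ends with two blank `+` lines before `fd = lockfile(...)`, which leaves a double blank line in do_daemon; one is enough. The warning would also be easier to act on if it named the variable that caused it, for example `log_warn("Running in unprivileged mode (SANLOCK_PRIVILEGED is set)");`, so an operator who finds it in a production log knows what to unset. do_daemon's body continues outside the hunk.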
diff --git a/src/sanlock_internal.h b/src/sanlock_internal.h
index 87d8473..047f4db 100644
--- a/src/sanlock_internal.h
+++ b/src/sanlock_internal.h
@@ -45,6 +45,7 @@
 #define SANLOCK_RUN_DIR "SANLOCK_RUN_DIR"
 #define DEFAULT_RUN_DIR "/var/run/sanlock"
+#define SANLOCK_PRIVILEGED "SANLOCK_PRIVILEGED"
 #define SANLK_LOG_DIR "/var/log"
 #define SANLK_LOGFILE_NAME "sanlock.log"