bgpd: Add flag to not change e{u,g}id on startup and run as unprivileged user
* bgp_main.c: add -S / --skip_runas flag to not change effective user/group
on start up. Enables bgpd to be run by unprivileged user.
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index 11c73ce..562afc2 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -67,6 +67,7 @@
{ "no_kernel", no_argument, NULL, 'n'},
{ "user", required_argument, NULL, 'u'},
{ "group", required_argument, NULL, 'g'},
+ { "skip_runas", no_argument, NULL, 'S'},
{ "version", no_argument, NULL, 'v'},
{ "dryrun", no_argument, NULL, 'C'},
{ "help", no_argument, NULL, 'h'},
@@ -161,6 +162,7 @@
-n, --no_kernel Do not install route to kernel.\n\
-u, --user User to run as\n\
-g, --group Group to run as\n\
+-S, --skip_runas Skip user and group run as\n\
-v, --version Print program version\n\
-C, --dryrun Check configuration for validity and exit\n\
-h, --help Display this help and exit\n\
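Review bot: The help string `Skip user and group run as` on the added `-S` line does not tell an operator what the option does to the process's privileges. The man page in this commit words it more clearly, and the two should agree, for example `-S, --skip_runas   Do not change effective user/group; keep the privileges bgpd was started with\n\`. Spelling out that the starting privileges are retained matters because the same flag, given to a root-started daemon, leaves it running as root.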
@@ -200,7 +202,8 @@
if (! retain_mode)
{
bgp_terminate ();
- zprivs_terminate (&bgpd_privs);
+ if (bgpd_privs.user) /* NULL if skip_runas flag set */
+ zprivs_terminate (&bgpd_privs);
}
bgp_exit (0);
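Review bot: The new guard `if (bgpd_privs.user)` uses the user pointer as a proxy for the `-S` flag, so `zprivs_terminate` is also skipped whenever that field is NULL for any other reason (for instance a build with no default user configured, if such a build exists). The intent would be explicit and independent of how `bgpd_privs` is initialised if `skip_runas` were a file-scope `static int` and this line read `if (! skip_runas) zprivs_terminate (&bgpd_privs);`. The enclosing function starts and ends outside this hunk, so whether other exit paths call `zprivs_terminate` cannot be checked from here.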
@@ -346,6 +349,7 @@
char *progname;
struct thread thread;
int tmp_port;
+ int skip_runas = 0;
/* Set umask before anything for security */
umask (0027);
@@ -362,7 +366,7 @@
/* Command line argument treatment. */
while (1)
{
- opt = getopt_long (argc, argv, "df:i:z:hp:l:A:P:rnu:g:vC", longopts, 0);
+ opt = getopt_long (argc, argv, "df:i:z:hp:l:A:P:rnu:g:vCS", longopts, 0);
if (opt == EOF)
break;
@@ -420,6 +424,9 @@
case 'g':
bgpd_privs.group = optarg;
break;
+ case 'S': /* skip run as = override bgpd_privs */
+ skip_runas = 1;
+ break;
case 'v':
print_version (progname);
exit (0);
@@ -439,6 +446,8 @@
/* Initializations. */
srandom (time (NULL));
signal_init (bm->master, array_size(bgp_signals), bgp_signals);
+ if (skip_runas)
+ memset (&bgpd_privs, 0, sizeof (bgpd_privs));
zprivs_init (&bgpd_privs);
cmd_init (1);
vty_init (bm->master);
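Review bot: `memset (&bgpd_privs, 0, sizeof (bgpd_privs))` clears the whole privilege structure, not only the user and group, so any capability lists or other fields it carries are wiped as well, and a `-u`/`-g` given on the same command line is silently discarded. Nothing here checks that the process is actually unprivileged: started as root with `-S`, bgpd would presumably keep full root privileges for its lifetime, the opposite of what the privilege code is there to ensure. A guard before the memset would make that case visible, e.g. `if (skip_runas && geteuid () == 0)` followed by a logged warning or a refusal to start. A short comment on the memset saying that it disables privilege dropping entirely would also help the next reader. `main` begins and ends outside this hunk.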
diff --git a/doc/bgpd.8 b/doc/bgpd.8
index 8daaefa..1a873b4 100644
--- a/doc/bgpd.8
+++ b/doc/bgpd.8
@@ -6,7 +6,7 @@
.SH SYNOPSIS
.B bgpd
[
-.B \-dhrv
+.B \-dhrSv
] [
.B \-f
.I config-file
@@ -74,6 +74,9 @@
\fB\-r\fR, \fB\-\-retain\fR
When the program terminates, retain routes added by \fBbgpd\fR.
.TP
+\fB\-S\fR, \fB\-\-skip_runas\fR
+Skip setting the process effective user and group.
+.TP
\fB\-v\fR, \fB\-\-version\fR
Print the version and exit.
.SH FILES