OpenSAF / Tickets / #1138 opensaf as non root cannot be started in a container

#1138 opensaf as non root cannot be started in a container

Milestone: 4.3.3

Status: fixed

Owner: nobody

Labels: None

Type: defect

Component: base

Part: -

Version: 4.5

Priority: major

Blocker:

Updated: 2014-10-01

Created: 2014-09-26

Creator: Hans Feldt

Private: No

OpenSAF (non root) fails to start in a linux container. Reason is that AMF started components such as SMFD runs as opensaf/opensaf but get changed to whatever the binaries was installed as. The start fails because the processes cannot write their PID files into the directory /var/run/opensaf which is owned by opensaf.

This was a not so well thought idea in ncs_os_process_execute_timed() that was supposed to get more security.

Besides these are system calls executed in between fork() and exec() which we have had lots of problems with before.

This "feature" should be removed.

Description has changed:

Diff:

--- old
+++ new
@@ -1,4 +1,6 @@
-OpenSAF (non root) fails to start in a linux container. Reason is that AMF started components such as SMFD runs as opensaf/opensaf but get changed to whatever the binaries was installed as. This was a not so well thought idea in ncs_os_process_execute_timed() that was supposed to get more security.
+OpenSAF (non root) fails to start in a linux container. Reason is that AMF started components such as SMFD runs as opensaf/opensaf but get changed to whatever the binaries was installed as. The start fails because the processes cannot write their PID files into the directory /var/run/opensaf which is owned by opensaf.
+
+This was a not so well thought idea in ncs_os_process_execute_timed() that was supposed to get more security.

 Besides these are system calls executed in between fork() and exec() which we have had lots of problems with before.

Hans Feldt - 2014-09-26

status: accepted --> review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Hans Feldt - 2014-10-01

changeset: 5966:0fb0d27bde70
branch: opensaf-4.3.x
parent: 5956:b8dfd4a2cc01
user: Hans Feldt osafdevel@gmail.com
date: Fri Sep 26 08:53:42 2014 +0200
summary: base: remove setgid/setuid calls in execute_timed [#1138]

changeset: 5967:1ba02b3bf85a
branch: opensaf-4.4.x
parent: 5959:59a26ad0410f
user: Hans Feldt osafdevel@gmail.com
date: Fri Sep 26 08:53:42 2014 +0200
summary: base: remove setgid/setuid calls in execute_timed [#1138]

changeset: 5968:8adcf25b25a4
branch: opensaf-4.5.x
parent: 5962:c7427848a172
user: Hans Feldt osafdevel@gmail.com
date: Fri Sep 26 08:53:42 2014 +0200
summary: base: remove setgid/setuid calls in execute_timed [#1138]

changeset: 5969:ead18326c13b
tag: tip
parent: 5965:1c0e1876ef7b
user: Hans Feldt osafdevel@gmail.com
date: Fri Sep 26 08:53:42 2014 +0200
summary: base: remove setgid/setuid calls in execute_timed [#1138]

Related

Tickets: ~~#1138~~

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Hans Feldt - 2014-10-01

status: review --> fixed

assigned_to: Hans Feldt --> nobody
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

opensaf as non root cannot be started in a container

Milestone

Searches

Help

#1138 opensaf as non root cannot be started in a container

Related

Discussion

Related