Michal 'vorner' Vaner 13 years ago
parent
commit
47eecefe98

+ 0 - 1
src/bin/auth/Makefile.am

@@ -44,7 +44,6 @@ pkglibexec_PROGRAMS = b10-auth
 b10_auth_SOURCES = query.cc query.h
 b10_auth_SOURCES += auth_srv.cc auth_srv.h
 b10_auth_SOURCES += auth_log.cc auth_log.h
-b10_auth_SOURCES += change_user.cc change_user.h
 b10_auth_SOURCES += auth_config.cc auth_config.h
 b10_auth_SOURCES += command.cc command.h
 b10_auth_SOURCES += common.h common.cc

+ 0 - 15
src/bin/auth/b10-auth.xml

@@ -45,7 +45,6 @@
     <cmdsynopsis>
       <command>b10-auth</command>
       <arg><option>-n</option></arg>
-      <arg><option>-u <replaceable>username</replaceable></option></arg>
       <arg><option>-v</option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -93,20 +92,6 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-u <replaceable>username</replaceable></option></term>
-        <listitem>
-	  <para>
-	    The user name of the <command>b10-auth</command> daemon.
-	    If specified, the daemon changes the process owner to the
-	    specified user.
-	    The <replaceable>username</replaceable> must be either a
-	    valid numeric user ID or a valid user name.
-	    By default the daemon runs as the user who invokes it.
-	  </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
         <term><option>-v</option></term>
         <listitem><para>
           Enabled verbose mode. This enables diagnostic messages to

+ 0 - 54
src/bin/auth/change_user.cc

@@ -1,54 +0,0 @@
-// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-// PERFORMANCE OF THIS SOFTWARE.
-
-#include <errno.h>
-#include <string.h>
-#include <pwd.h>
-#include <unistd.h>
-
-#include <boost/lexical_cast.hpp>
-
-#include <exceptions/exceptions.h>
-
-#include <auth/common.h>
-
-using namespace boost;
-using namespace std;
-
-void
-changeUser(const char* const username) {
-    const struct passwd *runas_pw = NULL;
-
-    runas_pw = getpwnam(username);
-    endpwent();
-    if (runas_pw == NULL) {
-        try {
-            runas_pw = getpwuid(lexical_cast<uid_t>(username));
-            endpwent();
-        } catch (const bad_lexical_cast&) {
-            ;                   // fall through to isc_throw below.
-        }
-    }
-    if (runas_pw == NULL) {
-        throw FatalError("Unknown user name or UID:" + string(username));
-    }
-
-    if (setgid(runas_pw->pw_gid) < 0) {
-        throw FatalError("setgid() failed: " + string(strerror(errno)));
-    }
-
-    if (setuid(runas_pw->pw_uid) < 0) {
-        throw FatalError("setuid() failed: " + string(strerror(errno)));
-    }
-}

+ 0 - 57
src/bin/auth/change_user.h

@@ -1,57 +0,0 @@
-// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-// PERFORMANCE OF THIS SOFTWARE.
-
-#ifndef __CHANGE_USER_H
-#define __CHANGE_USER_H 1
-
-/// \brief Change the run time user.
-///
-/// This function changes the user and its group of the authoritative server
-/// process.
-///
-/// On success the user ID of the process is changed to the specified user,
-/// and the group is changed to that of the new user.
-///
-/// This is considered a short term workaround until we develop clearer
-/// privilege separation, where the server won't even have to open privileged
-/// ports and can be started by a non privileged user from the beginning.
-/// This function therefore ignores some corner case problems (see below)
-/// which we would address otherwise.
-///
-/// \c username can be either a textual user name or its numeric ID.
-/// If the specified user name (or ID) doesn't specify a local user ID
-/// or the user originally starting the process doesn't have a permission
-/// of changing the user to \c username, this function throws an exception
-/// of class \c FatalError.
-///
-/// This function internally uses system libraries that do not guarantee
-/// reentrancy.  In fact, it doesn't even expect to be called more than once.
-/// The behavior is undefined if this function is called from multiple threads
-/// simultaneously or more generally called multiple times.
-///
-/// This function only offers the basic exception guarantee, that is, if
-/// an exception is thrown from this function, it's possible that an exception
-/// is thrown after changing the group ID.  This function doesn't recover
-/// from that situation.  In practice, the process is expected to consider
-/// this event a fatal error and will immediately exit, and shouldn't cause
-/// a real trouble.
-///
-/// \param username User name or ID of the new effective user.
-void changeUser(const char* const username);
-
-#endif // __CHANGE_USER_H
-
-// Local Variables:
-// mode: c++
-// End:

+ 0 - 10
src/bin/auth/main.cc

@@ -42,7 +42,6 @@
 #include <auth/common.h>
 #include <auth/auth_config.h>
 #include <auth/command.h>
-#include <auth/change_user.h>
 #include <auth/auth_srv.h>
 #include <auth/auth_log.h>
 #include <asiodns/asiodns.h>
@@ -86,7 +85,6 @@ usage() {
     cerr << "Usage:  b10-auth [-u user] [-nv]"
          << endl;
     cerr << "\t-n: do not cache answers in memory" << endl;
-    cerr << "\t-u: change process UID to the specified user" << endl;
     cerr << "\t-v: verbose output" << endl;
     exit(1);
 }
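Review bot: The usage text kept on the first context line of this hunk still advertises `[-u user]` although the option's description line is removed; it should read `cerr << "Usage:  b10-auth [-nv]"`. The usage() hunk in src/bin/resolver/main.cc has the same leftover and should become `cerr << "Usage:  b10-resolver [-v]" << endl;`. A help text that names a privilege-dropping flag the binary no longer implements invites operators to keep passing it. usage() starts outside this hunk.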
@@ -96,7 +94,6 @@ usage() {
 int
 main(int argc, char* argv[]) {
     int ch;
-    const char* uid = NULL;
     bool cache = true;
     bool verbose = false;
 
@@ -105,9 +102,6 @@ main(int argc, char* argv[]) {
         case 'n':
             cache = false;
             break;
-        case 'u':
-            uid = optarg;
-            break;
         case 'v':
             verbose = true;
             break;
@@ -201,10 +195,6 @@ main(int argc, char* argv[]) {
             LOG_ERROR(auth_logger, AUTH_CONFIG_LOAD_FAIL).arg(ex.what());
         }
 
-        if (uid != NULL) {
-            changeUser(uid);
-        }
-
         LOG_DEBUG(auth_logger, DBG_AUTH_START, AUTH_LOAD_TSIG);
         isc::server_common::initKeyring(*config_session);
         auth_server->setTSIGKeyRing(&isc::server_common::keyring);
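Review bot: After this hunk nothing visible in main() changes the process uid before initKeyring() loads the TSIG keys, so a b10-auth started as root stays root unless its parent has already dropped privileges; the same applies to the call removed from src/bin/resolver/main.cc, and bind10_src.py.in stops forwarding `-u`. The removed FIXME says the change belongs in Boss, but that code is not part of this diff, so where and when the drop now happens should be confirmed. A short comment here would record the assumption, e.g. `// Privileges are expected to be dropped by the boss process; b10-auth no longer changes uid itself.` Wherever the drop now lives, it should set the group before the user and also clear supplementary groups, which the removed changeUser() did not do. main() starts and ends outside this hunk.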

+ 0 - 2
src/bin/auth/tests/Makefile.am

@@ -24,7 +24,6 @@ run_unittests_SOURCES += $(top_srcdir)/src/lib/dns/tests/unittest_util.cc
 run_unittests_SOURCES += ../auth_srv.h ../auth_srv.cc
 run_unittests_SOURCES += ../auth_log.h ../auth_log.cc
 run_unittests_SOURCES += ../query.h ../query.cc
-run_unittests_SOURCES += ../change_user.h ../change_user.cc
 run_unittests_SOURCES += ../auth_config.h ../auth_config.cc
 run_unittests_SOURCES += ../command.h ../command.cc
 run_unittests_SOURCES += ../common.h ../common.cc
@@ -34,7 +33,6 @@ run_unittests_SOURCES += config_unittest.cc
 run_unittests_SOURCES += command_unittest.cc
 run_unittests_SOURCES += common_unittest.cc
 run_unittests_SOURCES += query_unittest.cc
-run_unittests_SOURCES += change_user_unittest.cc
 run_unittests_SOURCES += statistics_unittest.cc
 run_unittests_SOURCES += run_unittests.cc
 # This is a temporary workaround for #1206, where the InMemoryClient has been

+ 0 - 65
src/bin/auth/tests/change_user_unittest.cc

@@ -1,65 +0,0 @@
-// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-// PERFORMANCE OF THIS SOFTWARE.
-
-#include <stdlib.h>
-#include <unistd.h>             // for getuid
-
-#include <string>
-
-#include <boost/lexical_cast.hpp>
-
-#include <gtest/gtest.h>
-
-#include <auth/common.h>
-#include <auth/change_user.h>
-
-using namespace std;
-
-namespace {
-TEST(ChangeUserTest, changeToTheSameUser) {
-    const char* const my_username = getenv("USER");
-
-    // normally the USER environment variable should be set to the name
-    // of the local user running this test, but it's not always the case.
-    if (my_username == NULL) {
-        cerr << "Environment variable USER is undefined, skipping the test"
-             << endl;
-        return;
-    }
-
-    // changing to the run time user should succeed.
-    EXPECT_NO_THROW(changeUser(my_username));
-}
-
-TEST(ChangeUserTest, changeToTheSameUserId) {
-    // same as above, but using numeric user ID
-    EXPECT_NO_THROW(changeUser(
-                        (boost::lexical_cast<string>(getuid())).c_str()));
-}
-
-TEST(ChangeUserTest, badUID) {
-    // -1 should be an invalid numeric UID, and (hopefully) shouldn't be
-    // a valid textual username.
-    EXPECT_THROW(changeUser("-1"), FatalError);
-}
-
-TEST(ChangeUserTest, promotionAttempt) {
-    // change to root should fail unless the running user is a super user.
-    if (getuid() == 0) {
-        cerr << "Already a super user, skipping the test" << endl;
-        return;
-    }
-    EXPECT_THROW(changeUser("root"), FatalError);
-}
-}

+ 0 - 4
src/bin/bind10/bind10_src.py.in

@@ -570,8 +570,6 @@ class BoB:
         authargs = ['b10-auth']
         if self.nocache:
             authargs += ['-n']
-        if self.uid:
-            authargs += ['-u', str(self.uid)]
         if self.verbose:
             authargs += ['-v']
 
@@ -589,8 +587,6 @@ class BoB:
         self.curproc = "b10-resolver"
         # XXX: this must be read from the configuration manager in the future
         resargs = ['b10-resolver']
-        if self.uid:
-            resargs += ['-u', str(self.uid)]
         if self.verbose:
             resargs += ['-v']
 

+ 0 - 2
src/bin/resolver/Makefile.am

@@ -49,7 +49,6 @@ pkglibexec_PROGRAMS = b10-resolver
 b10_resolver_SOURCES = resolver.cc resolver.h
 b10_resolver_SOURCES += resolver_log.cc resolver_log.h
 b10_resolver_SOURCES += response_scrubber.cc response_scrubber.h
-b10_resolver_SOURCES += $(top_builddir)/src/bin/auth/change_user.h
 b10_resolver_SOURCES += $(top_builddir)/src/bin/auth/common.h
 b10_resolver_SOURCES += main.cc
 
@@ -70,7 +69,6 @@ b10_resolver_LDADD += $(top_builddir)/src/lib/server_common/libserver_common.la
 b10_resolver_LDADD += $(top_builddir)/src/lib/cache/libcache.la
 b10_resolver_LDADD += $(top_builddir)/src/lib/nsas/libnsas.la
 b10_resolver_LDADD += $(top_builddir)/src/lib/resolve/libresolve.la
-b10_resolver_LDADD += $(top_builddir)/src/bin/auth/change_user.o
 b10_resolver_LDFLAGS = -pthread
 
 # TODO: config.h.in is wrong because doesn't honor pkgdatadir

+ 0 - 15
src/bin/resolver/b10-resolver.xml

@@ -44,7 +44,6 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>b10-resolver</command>
-      <arg><option>-u <replaceable>username</replaceable></option></arg>
       <arg><option>-v</option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -85,20 +84,6 @@
 
     <variablelist>
 
-      <varlistentry>
-        <term><option>-u <replaceable>username</replaceable></option></term>
-        <listitem>
-	  <para>
-	    The user name of the <command>b10-resolver</command> daemon.
-	    If specified, the daemon changes the process owner to the
-	    specified user.
-	    The <replaceable>username</replaceable> must be either a
-	    valid numeric user ID or a valid user name.
-	    By default the daemon runs as the user who invokes it.
-	  </para>
-        </listitem>
-      </varlistentry>
-
 <!-- TODO: this needs to be fixed as -v on command line
 should imply stdout or stderr output also -->
 <!-- TODO: can this -v be overidden by configuration or bindctl? -->

+ 0 - 11
src/bin/resolver/main.cc

@@ -45,7 +45,6 @@
 
 #include <xfr/xfrout_client.h>
 
-#include <auth/change_user.h>
 #include <auth/common.h>
 
 #include <resolver/spec_config.h>
@@ -95,7 +94,6 @@ my_command_handler(const string& command, ConstElementPtr args) {
 void
 usage() {
     cerr << "Usage:  b10-resolver [-u user] [-v]" << endl;
-    cerr << "\t-u: change process UID to the specified user" << endl;
     cerr << "\t-v: verbose output" << endl;
     exit(1);
 }
@@ -105,13 +103,9 @@ int
 main(int argc, char* argv[]) {
     bool verbose = false;
     int ch;
-    const char* uid = NULL;
 
     while ((ch = getopt(argc, argv, "u:v")) != -1) {
         switch (ch) {
-        case 'u':
-            uid = optarg;
-            break;
         case 'v':
             verbose = true;
             break;
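Review bot: The option string on the getopt() line still reads `"u:v"` although `case 'u'` is gone, so `-u name` is still parsed as a valid option with an argument and then falls to whatever the switch does for unhandled values (that branch is outside the hunk). If that branch does not exit, an operator who passes `-u` expecting a privilege drop gets a resolver running as the invoking user with no error. Change the line to `while ((ch = getopt(argc, argv, "v")) != -1) {` so `-u` is rejected as an unknown option. The getopt() call in src/bin/auth/main.cc is not shown in this diff and should be checked for the same leftover.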
@@ -214,11 +208,6 @@ main(int argc, char* argv[]) {
                                              my_command_handler);
         LOG_DEBUG(resolver_logger, RESOLVER_DBG_INIT, RESOLVER_CONFIG_CHANNEL);
 
-        // FIXME: This does not belong here, but inside Boss
-        if (uid != NULL) {
-            changeUser(uid);
-        }
-
         resolver->setConfigSession(config_session);
         // Install all initial configurations.  If loading configuration
         // fails, it will be logged, but we start the server anyway, giving