init.d/sanlock | 4 +- src/limits.conf | 2 - src/main.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++++ src/sanlock_internal.h | 2 + src/sysconfig.sanlock | 5 --- 5 files changed, 71 insertions(+), 9 deletions(-)

New commits: commit ae2b4f95c06e91ee6958e3f48a37c74bd6b7cc41 Author: David Teigland teigland@redhat.com Date: Thu May 24 10:00:43 2012 -0500

init: root user

Don't need sanlock:sanlock owner for run dir.

Signed-off-by: David Teigland teigland@redhat.com

diff --git a/init.d/sanlock b/init.d/sanlock index 5f049a6..b2cf012 100644 --- a/init.d/sanlock +++ b/init.d/sanlock @@ -34,7 +34,7 @@ start() { [ -x $exec ] || exit 5

if [ ! -d /var/run/$prog ]; then - install -d -o $SANLOCKUSER -g $SANLOCKUSER -m 775 /var/run/$prog + install -d -m 775 /var/run/$prog [ -x /sbin/restorecon ] && restorecon /var/run/$prog fi

commit 19362c0e16174d074e7ace48331ba4e2e184475c Author: David Teigland teigland@redhat.com Date: Thu May 24 09:59:43 2012 -0500

sysconfig: remove user option

sanlock will always run as root.

Signed-off-by: David Teigland teigland@redhat.com

diff --git a/src/sysconfig.sanlock b/src/sysconfig.sanlock index 1c14d4f..89b6fa3 100644 --- a/src/sysconfig.sanlock +++ b/src/sysconfig.sanlock @@ -1,8 +1,3 @@ -# SANLOCKUSER -- the daemon should run as this user -# -# To run as root user instead of sanlock user -#SANLOCKUSER="root" - # SANLOCKOPTS -- set the command line options for the sanlock daemon # See sanlock man page for full list of command line options. #

commit b8137b97ee3e55d64a9f279bf1b4836b6ba2f619 Author: David Teigland teigland@redhat.com Date: Thu May 24 09:58:26 2012 -0500

sanlock: remove limits.conf

Not needed since we're back to running as root.

Signed-off-by: David Teigland teigland@redhat.com

diff --git a/src/limits.conf b/src/limits.conf deleted file mode 100644 index f6fcedf..0000000 --- a/src/limits.conf +++ /dev/null @@ -1,2 +0,0 @@ -sanlock - memlock -1 -sanlock - rtprio -1

commit f4f9cddcef656e51055267905382d74f3b2c84c7 Author: David Teigland teigland@redhat.com Date: Thu May 24 09:57:39 2012 -0500

Revert "sanlock.log: empty file to install from rpm"

Not needed since we're back to running as root.

This reverts commit 1fe89953ba73f61c63e8d555ec7f69f0345bd4a1.

diff --git a/src/sanlock.log b/src/sanlock.log deleted file mode 100644 index e69de29..0000000

commit defe1cadea058dcd4b186ec7f3bef8ff9aa94692 Author: Federico Simoncelli fsimonce@redhat.com Date: Thu May 24 13:38:52 2012 +0000

sanlock: set the supplementary groups at startup

This is mostly required to access leases that resides on NFS exports with the root_squash option enabled. The sanlock process will acquire all the supplementary groups of the sanlock user.

Signed-off-by: Federico Simoncelli fsimonce@redhat.com

diff --git a/init.d/sanlock b/init.d/sanlock index 7004f1f..5f049a6 100644 --- a/init.d/sanlock +++ b/init.d/sanlock @@ -39,7 +39,7 @@ start() { fi

echo -n $"Starting $prog: " - daemon --user=$SANLOCKUSER $prog daemon $SANLOCKOPTS + daemon $prog daemon $SANLOCKOPTS retval=$? echo [ $retval -eq 0 ] diff --git a/src/main.c b/src/main.c index 82c39af..f8c74af 100644 --- a/src/main.c +++ b/src/main.c @@ -1182,6 +1182,69 @@ static void setup_host_name(void) uuid, name.nodename); }

+static void setup_groups(void) +{ + int rv, i, j, h; + int pngroups, sngroups, ngroups_max; + gid_t *pgroup, *sgroup; + + ngroups_max = sysconf(_SC_NGROUPS_MAX); + if (ngroups_max < 0) { + log_error("cannot get the max number of groups %i", errno); + return; + } + + pgroup = malloc(ngroups_max * 2 * sizeof(gid_t)); + if (!pgroup) { + log_error("cannot malloc the group list %i", errno); + exit(EXIT_FAILURE); + } + + pngroups = getgroups(ngroups_max, pgroup); + if (pngroups < 0) { + log_error("cannot get the process groups %i", errno); + goto out; + } + + sgroup = pgroup + ngroups_max; + sngroups = ngroups_max; + + rv = getgrouplist(com.uname, com.gid, sgroup, &sngroups); + if (rv < -1) { + log_error("cannot get the user %s groups %i", com.uname, errno); + goto out; + } + + for (i = 0, j = pngroups; i < sngroups; i++) { + if (j >= ngroups_max) { + log_error("too many groups for the user %s", com.uname); + break; + } + + /* check if the groups is already present in the list */ + for (h = 0; h < j; h++) { + if (pgroup[h] == sgroup[i]) { + goto skip_gid; + } + } + + pgroup[j] = sgroup[i]; + j++; + + skip_gid: + ; /* skipping the gid because it's already present */ + } + + rv = setgroups(j, pgroup); + if (rv < 0) { + log_error("cannot set the user %s groups %i", com.uname, errno); + goto out; + } + + out: + free(pgroup); +} + static int do_daemon(void) { struct sigaction act; @@ -1223,6 +1286,8 @@ static int do_daemon(void)

setup_host_name();

+ setup_groups(); + log_error("sanlock daemon started %s aio %d %d renew %d %d host %s time %llu", RELEASE_VERSION, main_task.use_aio, main_task.io_timeout_seconds, @@ -1635,9 +1700,11 @@ static int read_command_line(int argc, char *argv[]) parse_arg_resource(optionarg); /* com.res_args[] */ break; case 'U': + com.uname = optionarg; com.uid = user_to_uid(optionarg); break; case 'G': + com.gname = optionarg; com.gid = group_to_gid(optionarg); break;

diff --git a/src/sanlock_internal.h b/src/sanlock_internal.h index 4565855..d3ab366 100644 --- a/src/sanlock_internal.h +++ b/src/sanlock_internal.h @@ -531,7 +531,9 @@ struct command_line { int max_worker_threads; int aio_arg; int io_timeout_arg; + char *uname; /* -U */ int uid; /* -U */ + char *gname; /* -G */ int gid; /* -G */ int pid; /* -p */ char sort_arg;