# * handle worker processes (option 'max_workers')
# * allow to restart while workers are still runningl
# (option 'leave_children_open_on_reload')
+# * run as different user using setuid/setgid
use strict;
use warnings;
+use English;
+
use PVE::SafeSyslog;
use PVE::INotify;
};
my $terminate_server = sub {
- my ($self) = @_;
+ my ($self, $allow_open_children) = @_;
$self->{terminate} = 1; # set flag to avoid worker restart
}
# if configured, leave children running on HUP
- return if $self->{got_hup_signal} &&
+ return if $allow_open_children &&
$self->{leave_children_open_on_reload};
# else, send TERM to old workers
local $SIG{TERM} = sub {
local ($@, $!, $?); # do not overwrite error vars
syslog('info', "received signal TERM");
- &$terminate_server($self);
+ &$terminate_server($self, 0);
&$server_cleanup($self);
&$old_sig_term(@_) if $old_sig_term;
};
local $SIG{QUIT} = sub {
local ($@, $!, $?); # do not overwrite error vars
syslog('info', "received signal QUIT");
- &$terminate_server($self);
+ &$terminate_server($self, 0);
&$server_cleanup($self);
&$old_sig_quit(@_) if $old_sig_quit;
};
local ($@, $!, $?); # do not overwrite error vars
syslog('info', "received signal INT");
$SIG{INT} = 'DEFAULT'; # allow to terminate now
- &$terminate_server($self);
+ &$terminate_server($self, 0);
&$server_cleanup($self);
&$old_sig_int(@_) if $old_sig_int;
};
syslog('info', "received signal HUP");
$self->{got_hup_signal} = 1;
if ($self->{max_workers}) {
- &$terminate_server($self);
+ &$terminate_server($self, 1);
} elsif ($self->can('hup')) {
eval { $self->hup() };
warn $@ if $@;
if ($err) {
syslog ('err', "ERROR: $err");
- &$terminate_server($self);
+ &$terminate_server($self, 1);
if (my $wait_time = $self->{restart_on_error}) {
$self->restart_daemon($wait_time);
$self = bless {
name => $name,
- run_dir => '/var/run',
+ pidfile => "/var/run/${name}.pid",
env_restart_pve_daemon => $restart,
env_pve_lock_fd => $lockfd,
workers => {},
old_workers => {},
}, $class;
+
foreach my $opt (keys %params) {
my $value = $params{$opt};
if ($opt eq 'restart_on_error') {
$self->{$opt} = $value;
} elsif ($opt eq 'stop_wait_time') {
$self->{$opt} = $value;
- } elsif ($opt eq 'run_dir') {
+ } elsif ($opt eq 'pidfile') {
$self->{$opt} = $value;
} elsif ($opt eq 'max_workers') {
$self->{$opt} = $value;
} elsif ($opt eq 'leave_children_open_on_reload') {
$self->{$opt} = $value;
+ } elsif ($opt eq 'setgid') {
+ $self->{$opt} = $value;
+ } elsif ($opt eq 'setuid') {
+ $self->{$opt} = $value;
} else {
die "unknown daemon option '$opt'\n";
}
}
+ if (my $gidstr = $self->{setgid}) {
+ my $gid = getgrnam($gidstr) || die "getgrnam failed - $!\n";
+ POSIX::setgid($gid) || die "setgid $gid failed - $!\n";
+ $EGID = "$gid $gid"; # this calls setgroups
+ # just to be sure
+ die "detected strange gid\n" if !($GID eq "$gid $gid" && $EGID eq "$gid $gid");
+ }
+
+ if (my $uidstr = $self->{setuid}) {
+ my $uid = getpwnam($uidstr) || die "getpwnam failed - $!\n";
+ POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
+ # just to be sure
+ die "detected strange uid\n" if !($UID == $uid && $EUID == $uid);
+ }
+
if ($restart && $self->{max_workers}) {
if (my $wpids = $ENV{PVE_DAEMON_WORKER_PIDS}) {
foreach my $pid (split(':', $wpids)) {
}
}
- $self->{pidfile} = "$self->{run_dir}/${name}.pid";
-
$self->{nodename} = PVE::INotify::nodename();
$self->{cmdline} = [];