X-Git-Url: https://git.archive.openwrt.org/?p=project%2Fprocd.git;a=blobdiff_plain;f=service%2Finstance.c;h=6dfc61b698b4620b66885dcaa7d792a47c374d4e;hp=c22e546b945ee9e636ff6b6bf918a601694dcd31;hb=4bccbfa967d756b8c84a62ea4752e936d8545a73;hpb=6a6fa0a6067cb3c522f5dc735e808a68f62b30b2
diff --git a/service/instance.c b/service/instance.c
index c22e546..6dfc61b 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -40,6 +41,7 @@ enum {
 INSTANCE_ATTR_LIMITS,
 INSTANCE_ATTR_WATCH,
 INSTANCE_ATTR_ERROR,
+ INSTANCE_ATTR_USER,
 __INSTANCE_ATTR_MAX
 };
@@ -55,6 +57,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = {
 [INSTANCE_ATTR_LIMITS] = { "limits", BLOBMSG_TYPE_TABLE },
 [INSTANCE_ATTR_WATCH] = { "watch", BLOBMSG_TYPE_ARRAY },
 [INSTANCE_ATTR_ERROR] = { "error", BLOBMSG_TYPE_ARRAY },
+ [INSTANCE_ATTR_USER] = { "user", BLOBMSG_TYPE_STRING },
 };
 struct instance_netdev {
@@ -158,6 +161,10 @@ instance_run(struct service_instance *in)
 if (fd > STDERR_FILENO)
 close(fd);
 }
+ if (in->uid || in->gid) {
+ setuid(in->uid);
+ setgid(in->gid);
+ }
 execvp(argv[0], argv);
 exit(127);
 }
@@ -291,6 +298,12 @@ instance_config_changed(struct service_instance *in, struct service_instance *in
 if (in->nice != in_new->nice)
 return true;
+ if (in->uid != in_new->uid)
+ return true;
+
+ if (in->gid != in_new->gid)
+ return true;
+
 if (!blobmsg_list_equal(&in->limits, &in_new->limits))
 return true;
@@ -450,6 +463,14 @@ instance_config_parse(struct service_instance *in)
 return false;
 }
+ if (tb[INSTANCE_ATTR_USER]) {
+ struct passwd *p = getpwnam(blobmsg_get_string(tb[INSTANCE_ATTR_USER]));
+ if (p) {
+ in->uid = p->pw_uid;
+ in->gid = p->pw_gid;
+ }
+ }
+
 instance_fill_any(&in->data, tb[INSTANCE_ATTR_DATA]);
 if (!instance_fill_array(&in->env, tb[INSTANCE_ATTR_ENV], NULL, false))
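Review bot: In the block added to instance_run, `setuid(in->uid)` runs before `setgid(in->gid)` and neither return value is checked, so once the uid is non-root the setgid() call is refused and the child reaches `execvp` still holding its original (presumably root) group; a failed setuid() likewise falls through to `execvp` with full privileges. Supplementary groups inherited from the parent are not cleared either. Change the group identity first and stop on any failure, e.g. `if (setgroups(0, NULL) || setgid(in->gid) || setuid(in->uid)) exit(127);` (setgroups needs `<grp.h>`). instance_run starts above the hunk, so whether anything earlier in the child already adjusts credentials is not visible here.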
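Review bot: When `getpwnam()` returns NULL in the block added to instance_config_parse, the failure is ignored and `in->uid`/`in->gid` keep whatever they held before, which presumably means the instance starts as root even though a `user` was configured. Failing closed would match the `return false;` path just above it: `if (!p) return false;`, ideally with a log line naming the unknown user. The function starts and continues outside the hunk, so how `in` is initialised and how callers treat a false return are not visible here.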