server: support run as user and fix initialize timer

Author: pymumu

src/libmodelbox/base/include/modelbox/base/utils.h

@@ -277,9 +277,10 @@ Status ListSubDirectoryFiles(const std::string &path, const std::string &filter,
 /**
  * @brief Create directory recursively
  * @param path path to directory
+ * @param mode directory mode
  * @return create result
  */
-Status CreateDirectory(const std::string &path);
+Status CreateDirectory(const std::string &path, mode_t mode = 0700);
 
 /**
  * @brief Revmoe directory recursively

src/libmodelbox/base/utils/utils.cc

@@ -185,7 +185,7 @@ Status ListSubDirectoryFiles(const std::string &path, const std::string &filter,
   return STATUS_OK;
 }
 
-Status CreateDirectory(const std::string &path) {
+Status CreateDirectory(const std::string &path, mode_t mode) {
   std::string directory_path = path + "/";
   uint32_t dir_path_len = directory_path.length();
   if (dir_path_len > PATH_MAX) {
@@ -203,7 +203,7 @@ Status CreateDirectory(const std::string &path) {
       continue;
     }
 
-    int32_t ret = mkdir(dir_path, 0700);
+    int32_t ret = mkdir(dir_path, mode);
     if (ret != 0) {
       return {STATUS_FAULT, StrError(errno)};
     }

src/modelbox/common/flowuint_info.cc

@@ -86,7 +86,7 @@ std::shared_ptr<FlowUnitManager> FlowUnitInfo::GetFlowUnitManager() {
 
 std::shared_ptr<Drivers> FlowUnitInfo::GetDriverManager() { return drivers_; }
 
-Status GetInfoInFromTomlFile(const std::string &file, nlohmann::json &json) {
+Status GetInfoFromTomlFile(const std::string &file, nlohmann::json &json) {
   MBLOG_DEBUG << "flowunit from file: " << file;
   std::string json_data;
   std::ifstream infile(file);
@@ -267,7 +267,7 @@ Status FlowUnitInfo::GetInfoInJson(std::string *result) {
 
     for (const auto &f : flowunits_from_files_) {
       nlohmann::json json_flowunit;
-      auto ret = GetInfoInFromTomlFile(f, json_flowunit);
+      auto ret = GetInfoFromTomlFile(f, json_flowunit);
       if (!ret) {
         if (ret == STATUS_BADCONF) {
           continue;

src/modelbox/common/include/modelbox/common/utils.h

@@ -80,6 +80,29 @@ int modelbox_cpu_register_data(char *buf, int buf_size, ucontext_t *ucontext);
  */
 Status SplitIPPort(const std::string &host, std::string &ip, std::string &port);
 
+/**
+ * @brief Get user id and gid by username
+ * @param user username
+ * @param uid user id
+ * @param gid group id
+ * @return result.
+ */
+Status GetUidGid(const std::string &user, uid_t &uid, gid_t &gid);
+
+/**
+ * @brief change user and group of path
+ * @param user username
+ * @param path path to change
+ * @return result.
+ */
+Status ChownToUser(const std::string &user, const std::string &path);
+
+/**
+ * @brief run as user
+ * @return result.
+ */
+Status RunAsUser(const std::string &user);
+
 /**
  * @brief Custom stream
  */

src/modelbox/common/utils.cc

@@ -18,9 +18,12 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <linux/capability.h>
+#include <pwd.h>
 #include <signal.h>
 #include <stdio.h>
 #include <string.h>
+#include <sys/prctl.h>
 #include <unistd.h>
 
 #include <mutex>
@@ -34,6 +37,11 @@ namespace modelbox {
 
 static int kPidFileFd = -1;
 
+extern "C" int capget(struct __user_cap_header_struct *header,
+                      struct __user_cap_data_struct *cap);
+extern "C" int capset(struct __user_cap_header_struct *header,
+                      struct __user_cap_data_struct *cap);
+
 std::once_flag root_dir_flag;
 
 const std::string &modelbox_root_dir() {
@@ -244,6 +252,90 @@ int modelbox_cpu_register_data(char *buf, int buf_size, ucontext_t *ucontext) {
   return 0;
 }
 
+Status GetUidGid(const std::string &user, uid_t &uid, gid_t &gid) {
+  struct passwd *result = nullptr;
+  struct passwd pwd;
+  std::vector<char> buff;
+  ssize_t bufsize = 0;
+  int ret = -1;
+
+  if (user == "") {
+    return {STATUS_INVALID, "user is empty"};
+  }
+
+  bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+  if (bufsize == -1) {
+    bufsize = 1024 * 16;
+  }
+
+  buff.reserve(bufsize);
+  ret = getpwnam_r(user.c_str(), &pwd, buff.data(), bufsize, &result);
+  if (ret != 0) {
+    return {STATUS_FAULT, "get user " + user + " failed: " + StrError(errno)};
+  }
+
+  if (result == nullptr) {
+    return {STATUS_NOTFOUND, "user " + user + " not found"};
+  }
+
+  uid = result->pw_uid;
+  gid = result->pw_gid;
+
+  return STATUS_OK;
+}
+
+Status ChownToUser(const std::string &user, const std::string &path) {
+  uid_t uid = 0;
+  gid_t gid = 0;
+  int unused __attribute__((unused)) = 0;
+
+  auto ret = GetUidGid(user, uid, gid);
+  if (ret != STATUS_OK) {
+    return ret;
+  }
+
+  if (chown(path.c_str(), uid, gid) != 0) {
+    return {STATUS_INVALID, "chown " + path + " failed: " + StrError(errno)};
+  }
+
+  return STATUS_OK;
+}
+
+Status RunAsUser(const std::string &user) {
+  struct __user_cap_data_struct cap;
+  struct __user_cap_header_struct header;
+  header.version = _LINUX_CAPABILITY_VERSION;
+  header.pid = 0;
+  uid_t uid = 0;
+  gid_t gid = 0;
+  int unused __attribute__((unused)) = 0;
+
+  auto ret = GetUidGid(user, uid, gid);
+  if (ret != STATUS_OK) {
+    return ret;
+  }
+
+  if (getuid() == uid) {
+    return STATUS_OK;
+  }
+
+  if (capget(&header, &cap) < 0) {
+    return {STATUS_INVALID, "capget failed: " + StrError(errno)};
+  }
+
+  prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+  cap.effective |= (1 << CAP_NET_RAW | 1 << CAP_NET_ADMIN);
+  cap.permitted |= (1 << CAP_NET_RAW | 1 << CAP_NET_ADMIN);
+  unused = setgid(gid);
+  unused = setuid(uid);
+  if (capset(&header, &cap) < 0) {
+    return {STATUS_INVALID, "capset failed: " + StrError(errno)};
+  }
+
+  prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
+  return STATUS_OK;
+}
+
 Status SplitIPPort(const std::string &host, std::string &ip,
                    std::string &port) {
   auto pos = host.find_last_of(':');

src/modelbox/manager/src/manager.c

@@ -316,8 +316,6 @@ int manager_init(char *name) {
     return -1;
   }
 
-  mkdir(MANAGER_PID_PATH, 0750);
-
   manager_log_callback_reg(manager_tlog);
 
   if (strnlen(pid_file_path, sizeof(pid_file_path)) <= 0) {
@@ -332,6 +330,7 @@ int manager_init(char *name) {
 
   strncpy_s(piddir, sizeof(piddir), pid_file_path, sizeof(pid_file_path));
   dirname(piddir);
+  mkdir(piddir, 0750);
 
   /* create key */
   if (strnlen(key_file_path, sizeof(key_file_path)) <= 0) {

src/modelbox/server/etc/modelbox-opts

@@ -21,4 +21,4 @@ fi
 # custom env variable here
 
 # modelbox server opts
-MODELBOX_OPTS="-c ${MODELBOX_ROOT}@CMAKE_INSTALL_FULL_SYSCONFDIR@/modelbox/modelbox.conf"
+MODELBOX_OPTS="$MODELBOX_OPTS -c ${MODELBOX_ROOT}@CMAKE_INSTALL_FULL_SYSCONFDIR@/modelbox/modelbox.conf"

src/modelbox/server/etc/modelbox.conf.in

@@ -4,6 +4,9 @@ port = "1104"
 flow_path = "@MODELBOX_ROOT_VAR@@CMAKE_INSTALL_FULL_SYSCONFDIR@/modelbox/graph"
 application_root = "@MODELBOX_ROOT_VAR@/opt/modelbox/application"
 
+# run as user
+# user = "modelbox"
+
 # [acl]
 # allow = [
 #     "127.0.0.1/8"