Support running under OpenShift arbitrary UIDs (restricted-v2 SCC)

client/go/internal/vespa/find_user.go

@@ -39,6 +39,8 @@ func FindVespaUser() string {
 		u, err := user.Current()
 		if err == nil {
 			uName = u.Username
+		} else {
+			uName = strconv.Itoa(os.Getuid())
 		}
 	}
 	if uName != "" {

client/go/internal/vespa/switch_user.go

@@ -17,13 +17,17 @@ import (
 const ENV_CHECK = envvars.VESPA_ALREADY_SWITCHED_USER_TO
 
 func CheckCorrectUser() {
+	if os.Getenv("VESPA_SKIP_USER_CHECK") != "" {
+		return
+	}
 	vespaUser := FindVespaUser()
 	currentName := ""
 	currentUser, err1 := user.Current()
 	if err1 == nil {
 		currentName = currentUser.Username
 	} else {
 		trace.Trace("user.Current() failed:", err1)
+		currentName = fmt.Sprintf("%d", os.Getuid())
 	}
 	if currentName == vespaUser {
 		// all OK
@@ -36,11 +40,19 @@ func CheckCorrectUser() {
 		wantName = wantUser.Username
 	} else {
 		trace.Trace("user.Lookup", vespaUser, "failed:", err2)
+		if os.Getuid() != 0 {
+			trace.Warning("target user not found and not root; proceeding as current user")
+			return
+		}
 	}
 	if currentName == wantName {
 		// somewhat OK
 		return
 	}
+	if os.Getuid() != 0 {
+		trace.Warning("not running as VESPA_USER", vespaUser, "but cannot switch (not root); proceeding")
+		return
+	}
 	trace.Warning("not running as the VESPA_USER:", vespaUser)
 	alreadyTried := os.Getenv(ENV_CHECK)
 	if alreadyTried != "" {
@@ -68,14 +80,25 @@ func MaybeSwitchUser(action string) error {
 	wantUser, err := user.Lookup(vespaUser)
 	if err != nil {
 		trace.Trace("user.Lookup", vespaUser, "failed:", err)
+		if os.Getuid() != 0 {
+			trace.Trace("not root, proceeding as current user")
+			return nil
+		}
 		return err
 	}
 	currUser, err := user.Current()
 	if err != nil {
 		trace.Trace("user.Current() failed:", err)
+		if os.Getuid() != 0 {
+			return nil
+		}
 		return err
 	}
 	if wantUser.Username != currUser.Username {
+		if os.Getuid() != 0 {
+			trace.Trace("not root, cannot switch user; proceeding as", currUser.Username)
+			return nil
+		}
 		trace.Trace("want to switch user from:", currUser.Username)
 		trace.Trace("want to switch user to:", wantUser.Username)
 		alreadyTried := os.Getenv(ENV_CHECK)

configd/src/apps/su/main.cpp

@@ -19,14 +19,34 @@ int main(int argc, char** argv) {
     if (username == nullptr) {
         username = "vespa";
     }
+
+    uid_t oldu = getuid();
+
     struct passwd* p = getpwnam(username);
     if (p == nullptr) {
+        if (oldu != 0) {
+            execvp(argv[1], &argv[1]);
+            perror("FATAL error: execvp failed");
+            return 1;
+        }
         fprintf(stderr, "FATAL error: user '%s' missing in passwd file\n", username);
         return 1;
     }
     gid_t g = p->pw_gid;
     uid_t u = p->pw_uid;
 
+    if (g == getgid() && u == oldu) {
+        execvp(argv[1], &argv[1]);
+        perror("FATAL error: execvp failed");
+        return 1;
+    }
+
+    if (oldu != 0) {
+        execvp(argv[1], &argv[1]);
+        perror("FATAL error: execvp failed");
+        return 1;
+    }
+
     gid_t grouplist[256];
     int   group_arr_sz = 256;
 #ifdef __APPLE__
@@ -45,7 +65,6 @@ int main(int argc, char** argv) {
 #endif
 
     gid_t oldg = getgid();
-    uid_t oldu = getuid();
 
     if (g != oldg && setgid(g) != 0) {
         perror("FATAL error: could not change group id");

dist/vespa.spec

@@ -415,7 +415,9 @@ getent group %{_vespa_group} >/dev/null || groupadd -r %{_vespa_group}
 getent passwd %{_vespa_user} >/dev/null || \
     useradd -r %{?_vespa_user_uid:-u %{_vespa_user_uid}} -g %{_vespa_group} --home-dir %{_prefix} -s /sbin/nologin \
     -c "Create owner of all Vespa data files" %{_vespa_user}
+usermod -a -G root %{_vespa_user} 2>/dev/null || true
 %endif
+chmod g+w /etc/passwd 2>/dev/null || true
 %if 0%{?el8} || 0%{?el9}
 # TODO Hardcoded toolset version, should be detected in a better way.
 mkdir -p /opt/rh
@@ -501,7 +503,7 @@ fi
 %exclude %{_prefix}/conf/configserver-app/config-models.xml
 %dir %{_prefix}/conf/logd
 %dir %{_prefix}/conf/vespa
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/zookeeper/conf
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/zookeeper/conf
 %dir %{_prefix}/etc
 %{_prefix}/etc/systemd
 %{_prefix}/etc/vespa
@@ -532,39 +534,39 @@ fi
 %exclude %{_prefix}/libexec/vespa/find-pid
 %exclude %{_prefix}/libexec/vespa/standalone-container.sh
 %exclude %{_prefix}/libexec/vespa/vespa-curl-wrapper
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/logs
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/logs/vespa
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/logs/vespa/access
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/logs/vespa/configserver
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/logs/vespa/search
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/logs
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/logs/vespa
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/logs/vespa/access
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/logs/vespa/configserver
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/logs/vespa/search
 %{_prefix}/man
 %{_prefix}/sbin
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/secure
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/crash
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/config_server
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/config_server/serverdb
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/config_server/serverdb/tenants
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/download
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/filedistribution
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/index
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/logcontrol
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/search
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/db/vespa/tmp
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/jdisc_container
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/run
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/tmp
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/tmp/vespa
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/vespa
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/vespa/application
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/vespa/bundlecache
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/vespa/bundlecache/configserver
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/vespa/cache
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/vespa/cache/config
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/zookeeper
-%dir %attr(-,%{_vespa_user},%{_vespa_group}) %{_prefix}/var/zookeeper/version-2
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/secure
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/crash
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/config_server
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/config_server/serverdb
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/config_server/serverdb/tenants
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/download
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/filedistribution
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/index
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/logcontrol
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/search
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/db/vespa/tmp
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/jdisc_container
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/run
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/tmp
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/tmp/vespa
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/vespa
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/vespa/application
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/vespa/bundlecache
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/vespa/bundlecache/configserver
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/vespa/cache
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/vespa/cache/config
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/zookeeper
+%dir %attr(0775,%{_vespa_user},root) %{_prefix}/var/zookeeper/version-2
 %config(noreplace) %{_prefix}/conf/logd/logd.cfg
 %if %{_create_vespa_service}
 %attr(644,root,root) /usr/lib/systemd/system/vespa.service

standalone-container/src/main/sh/standalone-container.sh

@@ -108,8 +108,10 @@ FixDataDirectory() {
         echo "Creating data directory '$1'"
         mkdir -p "$1" || exit 1
     fi
-    chown "${VESPA_USER}" "$1"
-    chmod 755 "$1"
+    if [ "$(id -u)" = "0" ]; then
+        chown "${VESPA_USER}" "$1"
+    fi
+    chmod 755 "$1" 2>/dev/null || true
 }
 
 StartCommand() {
@@ -262,10 +264,12 @@ Main() {
         Fail "Service must math the regex '$service_regex'"
     fi
 
-    if ! getent passwd "$user" &> /dev/null; then
-        Fail "Bad user ($user): not found in passwd"
-    elif test "$(id -un)" != "$user"; then
-        Fail "${0##*/} must be started by $user"
+    if getent passwd "$user" &> /dev/null; then
+        if test "$(id -un 2>/dev/null)" != "$user"; then
+            if [ "$(id -u)" != "$(id -u "$user" 2>/dev/null)" ]; then
+                Fail "${0##*/} must be started by $user"
+            fi
+        fi
     fi
 
     case "$command" in

vespabase/src/common-env.sh

@@ -81,6 +81,8 @@ populate_environment () {
         consider_fallback VESPA_USER "vespa"
     elif id nobody >/dev/null 2>&1 ; then
         consider_fallback VESPA_USER "nobody"
+    else
+        consider_fallback VESPA_USER "$(id -un 2>/dev/null || echo $(id -u))"
     fi
 }
 

vespabase/src/rhel-prestart.sh

@@ -98,23 +98,14 @@ fixdir () {
         exit 1
     fi
     mkdir -p "$4"
-    if ! $IS_ROOT; then
-        local stat="$(stat -c "%U %G" $4)"
-        local user=${stat% *}
-        local group=${stat#* }
-        if [ "$1" != "$user" ]; then
-            echo "Wrong owner for ${VESPA_HOME}/$4, expected $1, was $user"
-            exit 1
-        fi
-        if [ "$2" != "$group" ]; then
-            echo "Wrong group for ${VESPA_HOME}/$4, expected $2, was $group"
-            exit 1
-        fi
-    else
+    if $IS_ROOT; then
         chown $1 "$4"
         chgrp $2 "$4"
+    elif ! [ -w "$4" ]; then
+        echo "Directory ${VESPA_HOME}/$4 is not writable by current user (UID $(id -u))"
+        exit 1
     fi
-    chmod $3 "$4"
+    chmod $3 "$4" 2>/dev/null || true
 }
 
 # BEGIN directory fixups
@@ -149,8 +140,9 @@ fixdir ${VESPA_USER} ${VESPA_GROUP}   755  var/vespa/cache
 fixdir ${VESPA_USER} ${VESPA_GROUP}   755  var/vespa/cache/config
 
 if $IS_ROOT; then
-    chown -hR ${VESPA_USER} logs/vespa
-    chown -hR ${VESPA_USER} var/db/vespa
+    chown -hR ${VESPA_USER}:root logs/vespa
+    chown -hR ${VESPA_USER}:root var/db/vespa
+    chmod -R g+w logs/vespa var/db/vespa 2>/dev/null || true
 fi
 
 # END directory fixups

vespabase/src/vespa-configserver.service.in

@@ -5,7 +5,7 @@ After=network.target
 
 [Service]
 Type=forking
-User=vespa
+User=@VESPA_USER@
 PIDFile=@CMAKE_INSTALL_PREFIX@/var/run/configserver.pid
 ExecStart=@CMAKE_INSTALL_PREFIX@/bin/vespa-start-configserver
 ExecStop=@CMAKE_INSTALL_PREFIX@/bin/vespa-stop-configserver

vespabase/src/vespa.service.in

@@ -5,7 +5,7 @@ After=network.target
 
 [Service]
 Type=forking
-User=vespa
+User=@VESPA_USER@
 PIDFile=@CMAKE_INSTALL_PREFIX@/var/run/sentinel.pid
 ExecStart=@CMAKE_INSTALL_PREFIX@/bin/vespa-start-services
 ExecStop=@CMAKE_INSTALL_PREFIX@/bin/vespa-stop-services