From bf021ed2fa6398df545358e4a88e46ca358a443e Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Mon, 28 Nov 2022 13:48:35 +0100
Subject: [PATCH] Resolves: #2147522 - It is not possible to run FRR as a non-root user
---
0008-frr-non-root-user.patch | 67 ++++++++++++++++++++++++++++++++++++
frr.spec | 6 +++-
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 0008-frr-non-root-user.patch
diff --git a/0008-frr-non-root-user.patch b/0008-frr-non-root-user.patch
new file mode 100644
index 0000000..6a0803c
--- /dev/null
+++ b/0008-frr-non-root-user.patch
@@ -0,0 +1,67 @@
+From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001
+From: Michal Ruprich
+Date: Tue, 22 Nov 2022 12:38:05 +0100
+Subject: [PATCH] tools: Enable start of FRR for non-root user
+
+There might be use cases when this would make sense, for example
+running FRR in a container as a designated user.
+
+Signed-off-by: Michal Ruprich
+---
+ tools/etc/frr/daemons | 5 +++++
+ tools/frrcommon.sh.in | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
+index 8aa08871e35..2427bfff777 100644
+--- a/tools/etc/frr/daemons
++++ b/tools/etc/frr/daemons
+@@ -91,6 +91,12 @@ pathd_options=" -A 127.0.0.1"
+ # say BGP.
+ #MAX_FDS=1024
+
++# Uncomment this option if you want to run FRR as a non-root user. Note that
++# you should know what you are doing since most of the daemons need root
++# to work. This could be useful if you want to run FRR in a container
++# for instance.
++# FRR_NO_ROOT="yes"
++
+ # The list of daemons to watch is automatically generated by the init script.
+ #watchfrr_options=""
+
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 3c16c27c6df..4f095a176e4 100755
+--- a/tools/frrcommon.sh.in
++++ b/tools/frrcommon.sh.in
+@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py"
+ #
+
+ is_user_root () {
++ if [[ ! -z $FRR_NO_ROOT && "${FRR_NO_ROOT}" == "yes" ]]; then
++ return 0
++ fi
++
+ [ "${EUID:-$(id -u)}" -eq 0 ] || {
+ log_failure_msg "Only users having EUID=0 can start/stop daemons"
+ return 1
+diff --git a/doc/user/setup.rst b/doc/user/setup.rst
+index 25934df..51ffd32 100644
+--- a/doc/user/setup.rst
++++ b/doc/user/setup.rst
+@@ -114,6 +114,16 @@ most operating systems is 1024. If the operator plans to run bgp with
+ several thousands of peers than this is where we would modify FRR to
+ allow this to happen.
+
++::
++
++ FRR_NO_ROOT="yes"
++
++This option allows you to run FRR as a non-root user. Use this option
++only when you know what you are doing since most of the daemons
++in FRR will not be able to run under a regular user. This option
++is useful for example when you run FRR in a container with a designated
++user instead of root.
++
+ ::
+
+ zebra_options=" -s 90000000 --daemon -A 127.0.0.1"
diff --git a/frr.spec b/frr.spec
index ecec156..3c7dbfc 100644
--- a/frr.spec
+++ b/frr.spec
@@ -7,7 +7,7 @@ Name: frr Version: 8.3.1 -Release: 4%{?checkout}%{?dist} +Release: 5%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org
@@ -70,6 +70,7 @@ Patch0004: 0004-fips-mode.patch Patch0005: 0005-ospf-api.patch Patch0006: 0006-graceful-restart.patch Patch0007: 0007-cve-2022-37032.patch +Patch0008: 0008-frr-non-root-user.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -275,6 +276,9 @@ make check PYTHON=%{__python3} %endif %changelog +* Mon Nov 28 2022 Michal Ruprich - 8.3.1-5 +- Resolves: #2147522 - It is not possible to run FRR as a non-root user + * Thu Nov 24 2022 Michal Ruprich - 8.3.1-4 - Resolves: #2144500 - AVC error when reloading FRR with provided reload script
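Review bot: In the tools/frrcommon.sh.in hunk carried by 0008-frr-non-root-user.patch, the new early return makes is_user_root report success to every caller whenever FRR_NO_ROOT is "yes", and it does so without logging anything, so an operator reading the logs cannot tell that the EUID check was skipped. The test is also written with bash-only `[[ … == … ]]` and an unquoted `$FRR_NO_ROOT`, while the existing check just below it uses POSIX `[ … ]`; `if [ "${FRR_NO_ROOT:-}" = "yes" ]; then` does the same job and drops the redundant `-z` test. I would emit a log line before `return 0` saying that the root check is disabled by configuration, and add a comment that callers must not treat a zero return as proof of EUID 0. Whether the variable can also arrive from the invoking environment rather than only from /etc/frr/daemons is not visible here; the rest of the function body and the place where the daemons file is sourced lie outside the hunk.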