rpms/frr
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #2147522 - It is not possible to run FRR as a non-root user

Browse Source
This commit is contained in:
Michal Ruprich 2022-11-28 13:48:35 +01:00
parent bf0b074c96
commit bf021ed2fa
2 changed files with 72 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
0008-frr-non-root-user.patch Normal file
View File

@ -0,0 +1,67 @@
From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001
From: Michal Ruprich <michalruprich@gmail.com>
Date: Tue, 22 Nov 2022 12:38:05 +0100
Subject: [PATCH] tools: Enable start of FRR for non-root user
There might be use cases when this would make sense, for example
running FRR in a container as a designated user.
Signed-off-by: Michal Ruprich <mruprich@redhat.com>
---
tools/etc/frr/daemons | 5 +++++
tools/frrcommon.sh.in | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
index 8aa08871e35..2427bfff777 100644
--- a/tools/etc/frr/daemons
+++ b/tools/etc/frr/daemons
@@ -91,6 +91,12 @@ pathd_options=" -A 127.0.0.1"
# say BGP.
#MAX_FDS=1024
+# Uncomment this option if you want to run FRR as a non-root user. Note that
+# you should know what you are doing since most of the daemons need root
+# to work. This could be useful if you want to run FRR in a container
+# for instance.
+# FRR_NO_ROOT="yes"
+
# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 3c16c27c6df..4f095a176e4 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py"
#
is_user_root () {
+ if [[ ! -z $FRR_NO_ROOT && "${FRR_NO_ROOT}" == "yes" ]]; then
+ return 0
+ fi
+
[ "${EUID:-$(id -u)}" -eq 0 ] || {
log_failure_msg "Only users having EUID=0 can start/stop daemons"
return 1
diff --git a/doc/user/setup.rst b/doc/user/setup.rst
index 25934df..51ffd32 100644
--- a/doc/user/setup.rst
+++ b/doc/user/setup.rst
@@ -114,6 +114,16 @@ most operating systems is 1024. If the operator plans to run bgp with
several thousands of peers than this is where we would modify FRR to
allow this to happen.
+::
+
+ FRR_NO_ROOT="yes"
+
+This option allows you to run FRR as a non-root user. Use this option
+only when you know what you are doing since most of the daemons
+in FRR will not be able to run under a regular user. This option
+is useful for example when you run FRR in a container with a designated
+user instead of root.
+
::
zebra_options=" -s 90000000 --daemon -A 127.0.0.1"

6
frr.spec
View File

@ -7,7 +7,7 @@
Name: frr Name: frr
Version: 8.3.1 Version: 8.3.1
Release: 4%{?checkout}%{?dist} Release: 5%{?checkout}%{?dist}
Summary: Routing daemon Summary: Routing daemon
License: GPLv2+ License: GPLv2+
URL: http://www.frrouting.org URL: http://www.frrouting.org
@ -70,6 +70,7 @@ Patch0004: 0004-fips-mode.patch
Patch0005: 0005-ospf-api.patch Patch0005: 0005-ospf-api.patch
Patch0006: 0006-graceful-restart.patch Patch0006: 0006-graceful-restart.patch
Patch0007: 0007-cve-2022-37032.patch Patch0007: 0007-cve-2022-37032.patch
Patch0008: 0008-frr-non-root-user.patch
%description %description
FRRouting is free software that manages TCP/IP based routing protocols. It takes FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -275,6 +276,9 @@ make check PYTHON=%{__python3}
%endif %endif
%changelog %changelog
* Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
- Resolves: #2147522 - It is not possible to run FRR as a non-root user
* Thu Nov 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4 * Thu Nov 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
- Resolves: #2144500 - AVC error when reloading FRR with provided reload script - Resolves: #2144500 - AVC error when reloading FRR with provided reload script