conf: Add --runas option, changing to given UID and GID if started as root

On some systems, user and group "nobody" might not be available. The new --runas option allows to override the default "nobody" choice if started as root. Now that we allow this, drop the initgroups() call that was used to add any additional groups for the given user, as that might now grant unnecessarily broad permissions. For instance, several distributions have a "kvm" group to allow regular user access to /dev/kvm, and we don't need that in passt or pasta. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-05-18 19:10:45 +02:00
parent c318ffcb4c
commit a951e0b9ef
6 changed files with 135 additions and 46 deletions
--- a/passt.1
+++ b/passt.1
@@ -95,6 +95,13 @@ Log to standard error too.
 Default is to log to system logger only, if started from an interactive
 terminal, and to both system logger and standard error otherwise.

+.TP
+.BR \-\-runas " " \fIUID\fR|\fIUID:GID\fR|\fILOGIN\fR|\fILOGIN:GROUP\fR
+If started as root, change to given UID and corresponding group if UID is given,
+or to given UID and given GID if both are given. Alternatively, login name, or
+login name and group name can be passed.
+Default is to change to user \fInobody\fR if started as root.
+
 .TP
 .BR \-h ", " \-\-help
 Display a help message and exit.