global: update HOME environment variable when dropping privileges

k8s/rook is currently starting daemon pods under root using the
"--setuser" CLI optional to drop priviledges. In the case of
rbd-mirror which creates connections to remote clusters via librados,
the default search path for Ceph config files includes
"$home/.ceph/$cluster.conf", which before this change would evaluate
to "/root/.ceph/..." and then fail with a -EPERM since that directory
is not accessible by the dropped priviledges user.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>

diff --git a/src/global/global_init.cc b/src/global/global_init.cc
index c6edb93654c2d3a5974654455586658e6c36e1c0..6962f42a543ed34d3554c4e41ccd0abec11f2eac 100644 (file)
--- a/src/global/global_init.cc
+++ b/src/global/global_init.cc
@@ -214,21 +214,30 @@ global_init(const std::map<std::string,std::string> *defaults,
     gid_t gid = 0;
     std::string uid_string;
     std::string gid_string;
+    std::string home_directory;
     if (g_conf()->setuser.length()) {
+      char buf[4096];
+      struct passwd pa;
+      struct passwd *p = 0;
+
       uid = atoi(g_conf()->setuser.c_str());
-      if (!uid) {
-       char buf[4096];
-       struct passwd pa;
-       struct passwd *p = 0;
+      if (uid) {
+        getpwuid_r(uid, &pa, buf, sizeof(buf), &p);
+      } else {
        getpwnam_r(g_conf()->setuser.c_str(), &pa, buf, sizeof(buf), &p);
-       if (!p) {
+        if (!p) {
          cerr << "unable to look up user '" << g_conf()->setuser << "'"
               << std::endl;
          exit(1);
-       }
-       uid = p->pw_uid;
-       gid = p->pw_gid;
-       uid_string = g_conf()->setuser;
+        }
+
+        uid = p->pw_uid;
+        gid = p->pw_gid;
+        uid_string = g_conf()->setuser;
+      }
+
+      if (p && p->pw_dir != nullptr) {
+        home_directory = std::string(p->pw_dir);
       }
     }
     if (g_conf()->setgroup.length() > 0) {
@@ -289,6 +298,10 @@ global_init(const std::map<std::string,std::string> *defaults,
             << std::endl;
        exit(1);
       }
+      if (setenv("HOME", home_directory.c_str(), 1) != 0) {
+       cerr << "warning: unable to set HOME to " << home_directory << ": "
+             << cpp_strerror(errno) << std::endl;
+      }
       priv_ss << "set uid:gid to " << uid << ":" << gid << " (" << uid_string << ":" << gid_string << ")";
     } else {
       priv_ss << "deferred set uid:gid to " << uid << ":" << gid << " (" << uid_string << ":" << gid_string << ")";