* Backend daemon drops privileges after initialization (to not run as root)

* New config option `CLICON_USER` with default value `clicon`
  * Can also be set with `-U <user>` clixon_backend command-line option

test/lib.sh

@@ -91,6 +91,9 @@ testname=
 : ${IETFRFC=../yang/standard}
 #: ${IETFRFC=$YANGMODELS/standard/ietf/RFC}
 
+# Backend user
+BUSER=clicon
+
 # Follow the binary programs that can be parametrized (eg with valgrind)
 
 : ${clixon_cli:=clixon_cli}
@@ -170,6 +173,7 @@ stop_backend(){
 	sleep 1
 	checkvalgrind
     fi
+    sudo pkill -f clixon_backend # extra ($BUSER?)
 }
 
 # Wait for restconf to stop sending  502 Bad Gateway

test/test_augment.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # yang augment and identityref tests in different modules
 # See RFC7950 Sec 7.17
 # This test defines an example-augment module which augments an interface
@@ -218,12 +218,11 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi
 # kill backend
 stop_backend -f $cfg
-sudo pkill -u root -f clixon_backend
 
 rm -rf $dir

test/test_choice.sh

@@ -287,7 +287,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_cli.sh

@@ -126,7 +126,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_cli_history.sh

@@ -118,7 +118,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_cli_multikey.sh

@@ -132,7 +132,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_copy_config.sh

@@ -163,7 +163,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_feature.sh

@@ -191,7 +191,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_identity.sh

@@ -316,7 +316,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_leafref.sh

@@ -194,7 +194,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_minmax.sh

@@ -231,7 +231,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_nacm.sh

@@ -188,7 +188,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_nacm_default.sh

@@ -153,7 +153,7 @@ EOF
     if [ $BE -ne 0 ]; then     # Bring your own backend
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi

test/test_nacm_ext.sh

@@ -216,7 +216,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_nacm_module_read.sh

@@ -279,7 +279,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_nacm_module_write.sh

@@ -258,7 +258,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_nacm_protocol.sh

@@ -223,7 +223,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_netconf.sh

@@ -211,7 +211,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_order.sh

@@ -395,7 +395,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_pattern.sh

@@ -743,7 +743,7 @@ expectfn "$clixon_cli -1f $cfg -l o set c threematch abcg" 255 '^CLI syntax erro
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi

test/test_perf.sh

@@ -237,7 +237,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_perf_state.sh

@@ -145,7 +145,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_restconf.sh

@@ -278,7 +278,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_restconf2.sh

@@ -200,7 +200,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_restconf_err.sh

@@ -116,7 +116,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_restconf_jukebox.sh

@@ -261,7 +261,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_restconf_listkey.sh

@@ -157,7 +157,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_restconf_patch.sh

@@ -209,7 +209,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_restconf_startup.sh

@@ -89,7 +89,7 @@ testrun(){
     if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi
@@ -120,8 +120,11 @@ sudo rm -f $dir/startup_db;
 new "Run without startup option, check running is copied"
 testrun ""
 
-new "Check startup should not exist"
-if [ -f $dir/startup_db ]; then
-    err "startup should not exist"
+new "Check startup is empty"
+if [ ! -f $dir/startup_db ]; then
+    err "startup does not exist"
+fi
+if [ -s $dir/startup_db ]; then
+    err "startup is not empty"
 fi
 rm -rf $dir

test/test_rpc.sh

@@ -164,7 +164,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_startup.sh

@@ -102,7 +102,7 @@ testrun(){
     
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi

test/test_stream.sh

@@ -291,7 +291,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_submodule.sh

@@ -224,7 +224,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_transaction.sh

@@ -311,7 +311,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_type.sh

@@ -628,7 +628,7 @@ EOF
     if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi

test/test_type_range.sh

@@ -306,7 +306,7 @@ testrange string "012" "01234567890" ""
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi

test/test_union.sh

@@ -107,7 +107,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_unique.sh

@@ -216,7 +216,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_upgrade.sh

@@ -283,7 +283,7 @@ runtest(){
     if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi

test/test_upgrade_auto.sh

@@ -274,7 +274,7 @@ stop_restconf
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi

test/test_upgrade_interfaces.sh

@@ -285,7 +285,7 @@ testrun(){
     if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi

test/test_upgrade_repair.sh

@@ -151,7 +151,7 @@ stop_restconf
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi

test/test_when_must.sh

@@ -147,7 +147,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_with_default.sh

@@ -112,7 +112,7 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi

test/test_yang.sh

@@ -286,12 +286,11 @@ fi
 
 new "Kill backend"
 # Check if premature kill
-pid=$(pgrep -u root -f clixon_backend)
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi
 # kill backend
 stop_backend -f "$cfg"
-sudo pkill -u root -f clixon_backend
 
 rm -rf "$dir"

test/test_yang_extension.sh

@@ -114,7 +114,7 @@ expecteof "$clixon_netconf -qf $cfg -D $DBG" 0 "<rpc><get-config><source><candid
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi

test/test_yang_load.sh

@@ -100,7 +100,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi
@@ -149,7 +149,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi
@@ -193,7 +193,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi
@@ -237,7 +237,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi
@@ -281,7 +281,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi
@@ -326,7 +326,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi
@@ -372,7 +372,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi
@@ -418,7 +418,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
     new "Kill backend"
     # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
     if [ -z "$pid" ]; then
 	err "backend already dead"
     fi

test/test_yang_namespace.sh

@@ -137,7 +137,7 @@ if [ $BE -eq 0 ]; then
 fi
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
     err "backend already dead"
 fi