* Backend daemon drops privileges after initialization (to not run as root)

* New config option `CLICON_USER` with default value `clicon` * Can also be set with `-U <user>` clixon_backend command-line option
2019-09-11 21:24:14 +02:00 · 2019-09-11 21:24:14 +02:00 · 3d5abb77f9
commit 3d5abb77f9
parent 3806f7652e
60 changed files with 238 additions and 93 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,11 @@

 ## 4.2.0 (Expected: October)

+### Major New features
+* Backend daemon drops privileges after initialization (to not run as root)
+  * New config option `CLICON_USER` with default value `clicon`
+  * Can also be set with `-U <user>` clixon_backend command-line option
+
 ### API changes on existing features (you may need to change your code)
 * Restconf top-level operations GET root resource modified to comply with RFC 8040 Sec 3.1 
  * non-pretty print remove all spaces, eg `{"operations":{"clixon-example:client-rpc":[null]`
@ -67,6 +72,7 @@
  * `204 No Content` for replaced resources.
 * RESTCONF PUT/POST `Content-Type` is enforced
  * Before accepted JSON as default, now Content-Type must be explicit, such as `Content-Type: application/yang-data+json`
+  * If not, you will get 415 unsupported media type
 * RESTCONF identities has changed to use module names instead of prefixes following RFC8040:
  * Eg, `curl -X POST -d '{"type":"ex:eth"}` --> `curl -X POST -d '{"type":"ietf-interfaces:eth"`}
 * JSON changes
--- a/apps/backend/backend_main.c
+++ b/apps/backend/backend_main.c
@ -74,7 +74,7 @@
 #include "backend_startup.h"

 /* Command line options to be passed to getopt(3) */
-#define BACKEND_OPTS "hD:f:l:d:p:b:Fza:u:P:1s:c:g:y:o:"
+#define BACKEND_OPTS "hD:f:l:d:p:b:Fza:u:P:1s:c:U:g:y:o:"

 #define BACKEND_LOGFILE "/usr/local/var/clixon_backend.log"

@ -220,6 +220,72 @@ nacm_load_external(clicon_handle h)
    return retval;
 }

+static int 
+xmldb_drop_priv(clicon_handle h, 
+		const char   *db, 
+		uid_t         uid,
+		gid_t         gid)
+{
+    int         retval = -1;
+    char       *filename = NULL;
+
+    if (xmldb_db2file(h, db, &filename) < 0)
+	goto done;
+    if (chown(filename, uid, gid) < 0){
+	clicon_err(OE_UNIX, errno, "chown");
+	goto done;
+    }
+    retval = 0;
+ done:
+    if (filename)
+	free(filename);
+    return retval;
+}
+
+/*! Drop root privileges uid and gid to Clixon user/group
+ *  @param[in] h   Clicon handle
+ */
+static int
+drop_priv(clicon_handle h,
+	   uid_t         uid,
+	   gid_t         gid)
+{
+    int retval = -1;
+    
+    if (xmldb_exists(h, "running") != 1)
+	if (xmldb_create(h, "running") < 0)
+	    goto done;
+    if (xmldb_drop_priv(h, "running", uid, gid) < 0)
+	goto done;
+    if (xmldb_exists(h, "candidate") != 1)
+	if (xmldb_create(h, "candidate") < 0)
+	    goto done;
+    if (xmldb_drop_priv(h, "candidate", uid, gid) < 0)
+	goto done;
+    if (xmldb_exists(h, "startup") != 1)
+	if (xmldb_create(h, "startup") < 0)
+	    goto done;
+    if (xmldb_drop_priv(h, "startup", uid, gid) < 0)
+	goto done;
+
+    if (setgid(gid) == -1) {
+	clicon_err(OE_DEMON, errno, "setgid %d", gid);
+	goto done;
+    }
+    if (setuid(uid) == -1) {
+	clicon_err(OE_DEMON, errno, "setuid %d", uid);
+	goto done;
+    }
+    /* Verify you cannot regain root privileges */
+    if (setuid(0) != -1){
+	clicon_err(OE_DEMON, EPERM, "Could regain root privilieges");
+	goto done;
+    }
+    retval = 0;
+ done:
+    return retval;
+}
+
 /*! Given a retval, transform to status or fatal error
 *
 * @param[in]  ret    Return value from xml validation function
@ -290,6 +356,7 @@ usage(clicon_handle h,
    	    "\t-1\t\tRun once and then quit (dont wait for events)\n"
 	    "\t-s <mode>\tSpecify backend startup mode: none|startup|running|init)\n"
 	    "\t-c <file>\tLoad extra xml configuration, but don't commit.\n"
+	    "\t-U <user>\tRun backend daemon as this user\n"
 	    "\t-g <group>\tClient membership required to this group (default: %s)\n"

 	    "\t-y <file>\tLoad yang spec file (override yang main module)\n"
@ -303,6 +370,7 @@ usage(clicon_handle h,
    exit(-1);
 }

+
 int
 main(int    argc,
     char **argv)
@ -314,7 +382,8 @@ main(int    argc,
    int           once;
    enum startup_mode_t startup_mode;
    char         *extraxml_file;
-    char         *config_group;
+    char         *backend_user = NULL;
+    char         *backend_group = NULL;
    char         *argv0 = argv[0];
    struct stat   st;
    clicon_handle h;
@ -333,6 +402,8 @@ main(int    argc,
    enum startup_status status = STARTUP_ERR; /* Startup status */
    int           ret;
    char         *dir;
+    gid_t         gid = -1;
+    uid_t         uid = -1;
    
    /* In the startup, logs to stderr & syslog and debug flag set later */
    clicon_log_init(__PROGRAM__, LOG_INFO, logdst);
@ -464,6 +535,10 @@ main(int    argc,
 	case 'c': /* Load application config */
 	    extraxml_file = optarg;
 	    break;
+	case 'U': /* config user (for socket and drop privileges) */
+	    if (clicon_option_add(h, "CLICON_SOCK", optarg) < 0)
+		goto done;
+	    break;
 	case 'g': /* config socket group */
 	    if (clicon_option_add(h, "CLICON_SOCK_GROUP", optarg) < 0)
 		goto done;
@ -541,22 +616,32 @@ main(int    argc,
    if (sockfamily==AF_UNIX && lstat(sock, &st) == 0)
 	unlink(sock);   

-    /* Sanity check: config group exists */
-    if ((config_group = clicon_sock_group(h)) == NULL){
+    /* XXX maybe only if !foreground */
+    /* Sanity check: backend user exists */
+    if ((backend_user = clicon_user(h)) == NULL){
+	clicon_err(OE_FATAL, 0, "clicon_user option not set");
+	return -1;
+    }
+    if (name2uid(backend_user, &uid) < 0){
+	clicon_log(LOG_ERR, "'%s' does not seem to be a valid user .\n", backend_user);
+	goto done;
+    }
+
+    /* Sanity check: backend group exists */
+    if ((backend_group = clicon_sock_group(h)) == NULL){
 	clicon_err(OE_FATAL, 0, "clicon_sock_group option not set");
 	return -1;
    }
-
-    if (group_name2gid(config_group, NULL) < 0){
+    if (group_name2gid(backend_group, &gid) < 0){
 	clicon_log(LOG_ERR, "'%s' does not seem to be a valid user group.\n" /* \n required here due to multi-line log */
 		"The config demon requires a valid group to create a server UNIX socket\n"
 		"Define a valid CLICON_SOCK_GROUP in %s or via the -g option\n"
 		"or create the group and add the user to it. On linux for example:"
 		"  sudo groupadd %s\n" 
 		"  sudo usermod -a -G %s user\n", 
-		   config_group, clicon_configfile(h),
-		   config_group, config_group);
-	return -1;
+		   backend_group, clicon_configfile(h),
+		   backend_group, backend_group);
+	goto done;
    }

    /* Publish stream on pubsub channels.
@ -737,6 +822,7 @@ main(int    argc,
 	    fprintf(stderr, "config: daemon");
 	    exit(-1);
 	}
+	    
    }
    /* Write pid-file */
    if ((pid = pidfile_write(pidfile)) <  0)
@ -751,6 +837,7 @@ main(int    argc,
 	clicon_err(OE_DEMON, errno, "Setting signal");
 	goto done;
    }
+
    /* Initialize server socket and save it to handle */
    if ((ss = backend_server_socket(h)) < 0)
 	goto done;
@ -758,6 +845,10 @@ main(int    argc,
 	goto done;
    if (debug)
 	clicon_option_dump(h, debug);
+    /* Drop root privileges (unless root) */
+    if (uid != 0)
+	if (drop_priv(h, uid, gid) < 0)
+	    goto done;

    if (stream_timer_setup(0, h) < 0)
 	goto done;
--- a/doc/FAQ.md
+++ b/doc/FAQ.md
@ -467,7 +467,7 @@ Each plugin is initiated with an API struct followed by a plugin init function a
      return &api; /* Return NULL on error */
   }
 ```
-For more info see [../example/main/README.md]
+For more info see [the main example](../example/main/README.md)

 ## How do I write a commit function?
 In the example, you write a commit function in example_backend.c.
--- a/doc/README.md
+++ b/doc/README.md
@ -8,16 +8,16 @@ NETCONF and RESTCONF interfaces, an embedded database and transaction
 mechanism.

  * [Background](#background)
-  * [Frequently asked questions (FAQ)](doc/FAQ.md)
+  * [Frequently asked questions (FAQ)](FAQ.md)
  * [Hello world](example/hello/README.md)
  * [Changelog](CHANGELOG.md)
-  * [Installation](doc/INSTALL.md)
+  * [Installation](INSTALL.md)
  * [Licenses](#licenses)
  * [Support](#support)
  * [Dependencies](#dependencies)
  * [Extending](#extending)
  * [Yang](#yang)
-  * [CLI](doc/CLI.md)
+  * [CLI](CLI.md)
  * [XML and XPATH](#xml-and-xpath)
  * [Netconf](#netconf)
  * [Restconf](#restconf)
@ -28,9 +28,9 @@ mechanism.
  * [Runtime](#runtime)
  * [Clixon project page](http://www.clicon.org)
  * [Tests and CI](test/README.md)
-  * [Scaling: large lists](doc/scaling/large-lists.md)
+  * [Scaling: large lists](scaling/large-lists.md)
  * [Containers](docker/README.md)
-  * [Roadmap](doc/ROADMAP.md)
+  * [Roadmap](ROADMAP.md)
  * [Standard compliance](#standard-compliance)
  * [Reference manual](#reference) 
  
@ -81,7 +81,7 @@ specialize functions.  Clixon is extended by writing
 plugins for cli, backend, netconf and restconf.

 Plugins are written in C and easiest is to look at
-[example](example/README.md) or consulting the [FAQ](doc/FAQ.md).
+[example](example/README.md) or consulting the [FAQ](FAQ.md).

 ## Yang

@ -265,7 +265,7 @@ For CLI, login is typically made via SSH. For netconf, SSH netconf
 subsystem can be used. 
  
 Restconf however needs credentials.  This is done by writing a credentials callback in a restconf plugin. See:
-  * [FAQ](doc/FAQ.md#how-do-i-write-an-authentication-callback).
+  * [FAQ](FAQ.md#how-do-i-write-an-authentication-callback).
  * [Example](example/README.md) has an example how to do this with HTTP basic auth.
  * It has been done for other projects using Oauth2 or (https://github.com/CESNET/Netopeer2/tree/master/server/configuration)

@ -300,7 +300,7 @@ The functionality is as follows (references to sections in [RFC8341](https://too

 ## Runtime

-<img src="doc/clixon_example_sdk.png" alt="clixon sdk" style="width: 180px;"/>
+<img src="clixon_example_sdk.png" alt="clixon sdk" style="width: 180px;"/>

 The figure shows the SDK runtime of Clixon.

--- a/docker/base/Dockerfile
+++ b/docker/base/Dockerfile
@ -90,8 +90,8 @@ RUN apk add --update nginx
 # Expose nginx port for restconf
 EXPOSE 80

-# Create clicon group
-RUN addgroup clicon
+# Create clicon user and group
+RUN adduser -D -H clicon
 RUN adduser nginx clicon
 RUN adduser www-data clicon

--- a/docker/main/Dockerfile
+++ b/docker/main/Dockerfile
@ -108,8 +108,8 @@ RUN apk add --update sudo curl procps grep make bash
 # Expose nginx port for restconf
 EXPOSE 80

-# Create clicon group
-RUN addgroup clicon
+# Create clicon user and group
+RUN adduser -D -H clicon
 RUN adduser nginx clicon
 RUN adduser www-data clicon

--- a/lib/clixon/clixon_file.h
+++ b/lib/clixon/clixon_file.h
@ -43,6 +43,8 @@ int clicon_file_dirent(const char *dir, struct dirent **ent,

 int clicon_file_copy(char *src, char *target);

-int group_name2gid(char *name, gid_t *gid);
+int group_name2gid(const char *name, gid_t *gid);
+
+int name2uid(const char *name, uid_t *uid);

 #endif /* _CLIXON_FILE_H_ */
--- a/lib/clixon/clixon_options.h
+++ b/lib/clixon/clixon_options.h
@ -167,6 +167,9 @@ static inline char *clicon_sock(clicon_handle h){
 static inline char *clicon_sock_group(clicon_handle h){
    return clicon_option_str(h, "CLICON_SOCK_GROUP");
 }
+static inline char *clicon_user(clicon_handle h){
+    return clicon_option_str(h, "CLICON_USER");
+}
 static inline char *clicon_backend_pidfile(clicon_handle h){
    return clicon_option_str(h, "CLICON_BACKEND_PIDFILE");
 }
--- a/lib/src/clixon_datastore.c
+++ b/lib/src/clixon_datastore.c
@ -398,8 +398,8 @@ xmldb_delete(clicon_handle h,
    if (xmldb_db2file(h, db, &filename) < 0)
 	goto done;
    if (lstat(filename, &sb) == 0)
-	if (unlink(filename) < 0){
-	    clicon_err(OE_DB, errno, "unlink %s", filename);
+	if (truncate(filename, 0) < 0){
+	    clicon_err(OE_DB, errno, "truncate %s", filename);
 	    goto done;
 	}
    retval = 0;
--- a/lib/src/clixon_file.c
+++ b/lib/src/clixon_file.c
@ -219,9 +219,10 @@ clicon_file_copy(char *src,
 * @retval -1   Error. or not found
 */
 int
-group_name2gid(char *name, 
-	       gid_t *gid)
+group_name2gid(const char *name, 
+	       gid_t      *gid)
 {
+    int           retval = -1;
    char          buf[1024]; 
    struct group  g0;
    struct group *gr = &g0;
@ -231,14 +232,39 @@ group_name2gid(char *name,
    /* This leaks memory in ubuntu */
    if (getgrnam_r(name, gr, buf, sizeof(buf), &gtmp) < 0){
 	clicon_err(OE_UNIX, errno, "getgrnam_r(%s)", name);
-	return -1;
+	goto done;
    }
    if (gtmp == NULL){
 	clicon_err(OE_UNIX, 0, "No such group: %s", name);
-	fprintf(stderr, "No such group %s\n", name);
-	return -1;
+	goto done;
    }
    if (gid)
 	*gid = gr->gr_gid;
-    return 0;
+    retval = 0;
+ done:
+    return retval;
+}
+
+int
+name2uid(const char *name,
+	    uid_t      *uid)
+{
+    int            retval = -1;
+    char           buf[1024]; 
+    struct passwd  pwbuf;
+    struct passwd *pwbufp = NULL;
+
+    if (getpwnam_r(name, &pwbuf, buf, sizeof(buf), &pwbufp) != 0){
+	clicon_err(OE_UNIX, errno, "getpwnam_r(%s)", name);
+	goto done;
+    }
+    if (pwbufp == NULL){
+	clicon_err(OE_UNIX, 0, "No such user: %s", name);
+	goto done;
+    }
+    if (uid)
+	*uid = pwbufp->pw_uid;
+    retval = 0;
+ done:
+    return retval;
 }
--- a/test/lib.sh
+++ b/test/lib.sh
@ -91,6 +91,9 @@ testname=
 : ${IETFRFC=../yang/standard}
 #: ${IETFRFC=$YANGMODELS/standard/ietf/RFC}

+# Backend user
+BUSER=clicon
+
 # Follow the binary programs that can be parametrized (eg with valgrind)

 : ${clixon_cli:=clixon_cli}
@ -170,6 +173,7 @@ stop_backend(){
 	sleep 1
 	checkvalgrind
    fi
+    sudo pkill -f clixon_backend # extra ($BUSER?)
 }

 # Wait for restconf to stop sending  502 Bad Gateway
--- a/test/test_augment.sh
+++ b/test/test_augment.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # yang augment and identityref tests in different modules
 # See RFC7950 Sec 7.17
 # This test defines an example-augment module which augments an interface
@ -218,12 +218,11 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
 # kill backend
 stop_backend -f $cfg
-sudo pkill -u root -f clixon_backend

 rm -rf $dir
--- a/test/test_choice.sh
+++ b/test/test_choice.sh
@ -287,7 +287,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_cli.sh
+++ b/test/test_cli.sh
@ -126,7 +126,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_cli_history.sh
+++ b/test/test_cli_history.sh
@ -118,7 +118,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_cli_multikey.sh
+++ b/test/test_cli_multikey.sh
@ -132,7 +132,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_copy_config.sh
+++ b/test/test_copy_config.sh
@ -163,7 +163,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_feature.sh
+++ b/test/test_feature.sh
@ -191,7 +191,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_identity.sh
+++ b/test/test_identity.sh
@ -316,7 +316,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_leafref.sh
+++ b/test/test_leafref.sh
@ -194,7 +194,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_minmax.sh
+++ b/test/test_minmax.sh
@ -231,7 +231,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_nacm.sh
+++ b/test/test_nacm.sh
@ -188,7 +188,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_nacm_default.sh
+++ b/test/test_nacm_default.sh
@ -153,7 +153,7 @@ EOF
    if [ $BE -ne 0 ]; then     # Bring your own backend
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi
--- a/test/test_nacm_ext.sh
+++ b/test/test_nacm_ext.sh
@ -216,7 +216,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_nacm_module_read.sh
+++ b/test/test_nacm_module_read.sh
@ -279,7 +279,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_nacm_module_write.sh
+++ b/test/test_nacm_module_write.sh
@ -258,7 +258,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_nacm_protocol.sh
+++ b/test/test_nacm_protocol.sh
@ -223,7 +223,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_netconf.sh
+++ b/test/test_netconf.sh
@ -211,7 +211,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_order.sh
+++ b/test/test_order.sh
@ -395,7 +395,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_pattern.sh
+++ b/test/test_pattern.sh
@ -743,7 +743,7 @@ expectfn "$clixon_cli -1f $cfg -l o set c threematch abcg" 255 '^CLI syntax erro
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
--- a/test/test_perf.sh
+++ b/test/test_perf.sh
@ -237,7 +237,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_perf_state.sh
+++ b/test/test_perf_state.sh
@ -145,7 +145,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_restconf.sh
+++ b/test/test_restconf.sh
@ -278,7 +278,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_restconf2.sh
+++ b/test/test_restconf2.sh
@ -200,7 +200,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_restconf_err.sh
+++ b/test/test_restconf_err.sh
@ -116,7 +116,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_restconf_jukebox.sh
+++ b/test/test_restconf_jukebox.sh
@ -261,7 +261,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_restconf_listkey.sh
+++ b/test/test_restconf_listkey.sh
@ -157,7 +157,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_restconf_patch.sh
+++ b/test/test_restconf_patch.sh
@ -209,7 +209,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_restconf_startup.sh
+++ b/test/test_restconf_startup.sh
@ -89,7 +89,7 @@ testrun(){
    if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi
@ -120,8 +120,11 @@ sudo rm -f $dir/startup_db;
 new "Run without startup option, check running is copied"
 testrun ""

-new "Check startup should not exist"
-if [ -f $dir/startup_db ]; then
-    err "startup should not exist"
+new "Check startup is empty"
+if [ ! -f $dir/startup_db ]; then
+    err "startup does not exist"
+fi
+if [ -s $dir/startup_db ]; then
+    err "startup is not empty"
 fi
 rm -rf $dir
--- a/test/test_rpc.sh
+++ b/test/test_rpc.sh
@ -164,7 +164,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_startup.sh
+++ b/test/test_startup.sh
@ -102,7 +102,7 @@ testrun(){
    
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
--- a/test/test_stream.sh
+++ b/test/test_stream.sh
@ -291,7 +291,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_submodule.sh
+++ b/test/test_submodule.sh
@ -224,7 +224,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_transaction.sh
+++ b/test/test_transaction.sh
@ -311,7 +311,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_type.sh
+++ b/test/test_type.sh
@ -628,7 +628,7 @@ EOF
    if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi
--- a/test/test_type_range.sh
+++ b/test/test_type_range.sh
@ -306,7 +306,7 @@ testrange string "012" "01234567890" ""
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
--- a/test/test_union.sh
+++ b/test/test_union.sh
@ -107,7 +107,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_unique.sh
+++ b/test/test_unique.sh
@ -216,7 +216,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_upgrade.sh
+++ b/test/test_upgrade.sh
@ -283,7 +283,7 @@ runtest(){
    if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi
--- a/test/test_upgrade_auto.sh
+++ b/test/test_upgrade_auto.sh
@ -274,7 +274,7 @@ stop_restconf
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
--- a/test/test_upgrade_interfaces.sh
+++ b/test/test_upgrade_interfaces.sh
@ -285,7 +285,7 @@ testrun(){
    if [ $BE -ne 0 ]; then
 	new "Kill backend"
 	# Check if premature kill
-	pid=`pgrep -u root -f clixon_backend`
+	pid=$(pgrep -u $BUSER -f clixon_backend)
 	if [ -z "$pid" ]; then
 	    err "backend already dead"
 	fi
--- a/test/test_upgrade_repair.sh
+++ b/test/test_upgrade_repair.sh
@ -151,7 +151,7 @@ stop_restconf
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
--- a/test/test_when_must.sh
+++ b/test/test_when_must.sh
@ -147,7 +147,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_with_default.sh
+++ b/test/test_with_default.sh
@ -112,7 +112,7 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/test/test_yang.sh
+++ b/test/test_yang.sh
@ -286,12 +286,11 @@ fi

 new "Kill backend"
 # Check if premature kill
-pid=$(pgrep -u root -f clixon_backend)
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
 # kill backend
 stop_backend -f "$cfg"
-sudo pkill -u root -f clixon_backend

 rm -rf "$dir"
--- a/test/test_yang_extension.sh
+++ b/test/test_yang_extension.sh
@ -114,7 +114,7 @@ expecteof "$clixon_netconf -qf $cfg -D $DBG" 0 "<rpc><get-config><source><candid
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
--- a/test/test_yang_load.sh
+++ b/test/test_yang_load.sh
@ -100,7 +100,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
@ -149,7 +149,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
@ -193,7 +193,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
@ -237,7 +237,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
@ -281,7 +281,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
@ -326,7 +326,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
@ -372,7 +372,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
@ -418,7 +418,7 @@ expecteof "$clixon_netconf -qf $cfg" 0 '<rpc><edit-config><target><candidate/></
 if [ $BE -ne 0 ]; then
    new "Kill backend"
    # Check if premature kill
-    pid=`pgrep -u root -f clixon_backend`
+    pid=$(pgrep -u $BUSER -f clixon_backend)
    if [ -z "$pid" ]; then
 	err "backend already dead"
    fi
--- a/test/test_yang_namespace.sh
+++ b/test/test_yang_namespace.sh
@ -137,7 +137,7 @@ if [ $BE -eq 0 ]; then
 fi
 new "Kill backend"
 # Check if premature kill
-pid=`pgrep -u root -f clixon_backend`
+pid=$(pgrep -u $BUSER -f clixon_backend)
 if [ -z "$pid" ]; then
    err "backend already dead"
 fi
--- a/yang/clixon/Makefile.in
+++ b/yang/clixon/Makefile.in
@ -41,7 +41,7 @@ datarootdir     = @datarootdir@
 # See also STD_YANG_INSTALLDIR for the standard yang files
 YANG_INSTALLDIR   = @YANG_INSTALLDIR@

-YANGSPECS	 = clixon-config@2019-06-05.yang
+YANGSPECS	 = clixon-config@2019-09-11.yang
 YANGSPECS	+= clixon-lib@2019-08-13.yang
 YANGSPECS	+= clixon-rfc5277@2008-07-01.yang
 YANGSPECS	+= clixon-xml-changelog@2019-03-21.yang
--- a/yang/clixon/clixon-config@2019-09-11.yang
+++ b/yang/clixon/clixon-config@2019-09-11.yang
@ -39,6 +39,10 @@ module clixon-config {

       ***** END LICENSE BLOCK *****";

+    revision 2019-09-11 {
+	description
+	    "Added: CLICON_USER: user that backend daemon drops privileges to";
+
    revision 2019-06-05 {
 	description
 	    "Added: CLICON_YANG_REGEXP, CLICON_CLI_TAB_MODE, 
@ -415,7 +419,15 @@ module clixon-config {
 	leaf CLICON_SOCK_GROUP {
 	    type string;
 	    default "clicon";
-	    description "Group membership to access clixon_backend unix socket";
+	    description
+		"Group membership to access clixon_backend unix socket and gid for 
+                 deamon";
+	}
+	leaf CLICON_USER {
+	    type string;
+	    default "clicon";
+	    description 
+		"User to access clixon_backend unix socket and uid for deamon";
 	}
 	leaf CLICON_BACKEND_PIDFILE {
 	    type string;