* Changed config and install options for Restconf

* clixon_restconf daemon is installed in /usr/local/sbin (as clixon_backend), instead of /www-data * `configure --with-wwwdir=<dir>` remains but only applies to fcgi socket and log * New option `CLICON_RESTCONF_INSTALL_DIR` is set to where clixon_restconf is installed, with default `/usr/local/sbin/` * Restconf drop privileges user is defined by `CLICON_RESTCONF_USER` * `configure --with-wwwuser=<user>` is removed * clixon_restconf drop of privileges is defined by `CLICON_RESTCONF_PRIVILEGES` option * New clixon-restconf@2020-05-20.yang revision * Added: restconf `log-destination`
2021-05-21 15:12:06 +02:00 · 2021-05-21 15:12:06 +02:00 · c20c672d83
commit c20c672d83
parent c3e26b004c
32 changed files with 410 additions and 221 deletions
--- a/lib/clixon/clixon_nacm.h
+++ b/lib/clixon/clixon_nacm.h
@ -63,6 +63,6 @@ int nacm_datanode_write(clicon_handle h, cxobj *xr, cxobj *xt,
 			enum nacm_access access,
 			char *username, cxobj *xnacm, cbuf *cbret);
 int nacm_access_pre(clicon_handle h, char *peername, char *username, cxobj **xnacmp);
-int verify_nacm_user(enum nacm_credentials_t cred, char *peername, char *nacmname, cbuf *cbret);
+int verify_nacm_user(clicon_handle h, enum nacm_credentials_t cred, char *peername, char *nacmname, cbuf *cbret);

 #endif /* _CLIXON_NACM_H */
--- a/lib/clixon/clixon_options.h
+++ b/lib/clixon/clixon_options.h
@ -219,6 +219,7 @@ int   clicon_sock_port(clicon_handle h);
 int   clicon_autocommit(clicon_handle h);
 int   clicon_startup_mode(clicon_handle h);
 enum priv_mode_t clicon_backend_privileges_mode(clicon_handle h);
+enum priv_mode_t clicon_restconf_privileges_mode(clicon_handle h);
 enum nacm_credentials_t clicon_nacm_credentials(clicon_handle h);

 enum datastore_cache clicon_datastore_cache(clicon_handle h);
--- a/lib/src/clixon_nacm.c
+++ b/lib/src/clixon_nacm.c
@ -1106,7 +1106,10 @@ nacm_access_check(clicon_handle h,
    cxobj  *x;
    cvec  *nsc = NULL;
    char  *recovery_user;
-    
+#ifdef WITH_RESTCONF
+    char  *wwwuser;
+#endif    
+
    clicon_debug(1, "%s", __FUNCTION__);
    if ((nsc = xml_nsctx_init(NULL, NACM_NS)) == NULL)
 	goto done;
@ -1148,9 +1151,10 @@ nacm_access_check(clicon_handle h,
 		strcmp(peername, "root") == 0)
 		goto permit;
 #ifdef WITH_RESTCONF
+	    wwwuser=clicon_option_str(h,"CLICON_RESTCONF_USER");
 	    if (strcmp(username, recovery_user) == 0 &&
-		strcmp(peername, WWWUSER) == 0)
-	    goto permit;
+		wwwuser && strcmp(peername, wwwuser) == 0)
+		goto permit;
 #endif
 	    break;
 	}
@ -1252,6 +1256,8 @@ nacm_access_pre(clicon_handle  h,
 }

 /*! Verify nacm user with  peer uid credentials
+ *
+ * @param[in]  h         Clixon handle
 * @param[in]  mode      Peer credential mode: none, exact or except
 * @param[in]  peername  Peer username if any
 * @param[in]  username  username received in XML (eg for NACM)
@ -1270,13 +1276,17 @@ nacm_access_pre(clicon_handle  h,
 * - peer user is www (can be any NACM user)
 */
 int
-verify_nacm_user(enum nacm_credentials_t cred,
+verify_nacm_user(clicon_handle           h,
+		 enum nacm_credentials_t cred,
 		 char                   *peername,
 		 char                   *nacmname,
 		 cbuf                   *cbret)
 {
    int   retval = -1;
    cbuf *cbmsg = NULL;
+#ifdef WITH_RESTCONF
+    char  *wwwuser;
+#endif    

    if (cred == NC_NONE)
 	return 1;
@ -1294,7 +1304,8 @@ verify_nacm_user(enum nacm_credentials_t cred,
 	if (strcmp(peername, "root") == 0)
 	    goto ok;
 #ifdef WITH_RESTCONF
-	if (strcmp(peername, WWWUSER) == 0)
+	wwwuser=clicon_option_str(h,"CLICON_RESTCONF_USER");
+	if (wwwuser && strcmp(peername, wwwuser) == 0)
 	    goto ok;
 #endif
    }
--- a/lib/src/clixon_options.c
+++ b/lib/src/clixon_options.c
@ -871,7 +871,7 @@ clicon_startup_mode(clicon_handle h)
    return clicon_str2int(startup_mode_map, mode);
 }

-/*! Which privileges drop method to use
+/*! Which privileges drop method to use for backend
 * @param[in] h     Clicon handle
 * @retval    mode  Privileges mode
 */
@ -885,6 +885,20 @@ clicon_backend_privileges_mode(clicon_handle h)
    return clicon_str2int(priv_mode_map, mode);
 }

+/*! Which privileges drop method to use for restconf
+ * @param[in] h     Clicon handle
+ * @retval    mode  Privileges mode
+ */
+enum priv_mode_t
+clicon_restconf_privileges_mode(clicon_handle h)
+{
+    char *mode;
+
+    if ((mode = clicon_option_str(h, "CLICON_RESTCONF_PRIVILEGES")) == NULL)
+	return -1;
+    return clicon_str2int(priv_mode_map, mode);
+}
+
 /*! Which privileges drop method to use
 * @param[in] h     Clicon handle
 * @retval    mode  Privileges mode
--- a/lib/src/clixon_proc.c
+++ b/lib/src/clixon_proc.c
@ -277,11 +277,17 @@ clixon_proc_background(char       **argv,
 	clicon_err(OE_UNIX, EINVAL, "argv is NULL");
 	goto quit;
    }
+    if (clicon_debug_get()){
+	i = 0;
+	while (argv[i]){
+	    clicon_debug(1, "%s argv[%d]:%s", __FUNCTION__, i, argv[i]);
+	    i++;
+	}
+    }
    /* Before here call quit on error */
    sigprocmask(0, NULL, &oset);
    set_signal(SIGINT, clixon_proc_sigint, &oldhandler);
    /* Now call done on error */
-    
    if ((child = fork()) < 0) {
 	clicon_err(OE_UNIX, errno, "fork");
 	goto done;
@ -327,7 +333,7 @@ clixon_proc_background(char       **argv,
 	}
 #endif /* HAVE_SETNS */
 	if (execvp(argv[0], argv) < 0) {
-	    clicon_err(OE_UNIX, errno, "execv");
+	    clicon_err(OE_UNIX, errno, "execv(%s)", argv[0]);
 	    exit(1);
 	}
 	/* Not reached */