authorBenoit Foucher <benoit@zeroc.com>2006-05-11 08:47:13 +0000
committerBenoit Foucher <benoit@zeroc.com>2006-05-11 08:47:13 +0000
commitc5fe8c1db278af2d6f1d172e0c9e9fcd6f509b7c (patch)
tree50ac9405a24d251fb4ba2539ee0f6a8cf7f95480 /cpp
parentFixed XML writing (diff)
downloadice-c5fe8c1db278af2d6f1d172e0c9e9fcd6f509b7c.tar.bz2
ice-c5fe8c1db278af2d6f1d172e0c9e9fcd6f509b7c.tar.xz
ice-c5fe8c1db278af2d6f1d172e0c9e9fcd6f509b7c.zip
Added support for setting user under which the process should run.
Diffstat (limited to 'cpp')
-rw-r--r--cpp/src/IceGrid/Activator.cpp57
-rw-r--r--cpp/src/IceGrid/Activator.h4
-rw-r--r--cpp/src/IceGrid/DescriptorBuilder.cpp2
-rw-r--r--cpp/src/IceGrid/DescriptorHelper.cpp10
-rw-r--r--cpp/src/IceGrid/ServerI.cpp2
5 files changed, 69 insertions, 6 deletions
diff --git a/cpp/src/IceGrid/Activator.cpp b/cpp/src/IceGrid/Activator.cpp
index 4bf9fed248a..bea536fbb49 100644
--- a/cpp/src/IceGrid/Activator.cpp
+++ b/cpp/src/IceGrid/Activator.cpp
@@ -25,6 +25,7 @@
#ifndef _WIN32
# include <sys/wait.h>
# include <signal.h>
+# include <pwd.h> // for getpwnam
#endif
using namespace std;
@@ -76,8 +77,12 @@ reportChildError(int err, int fd, const char* cannot, const char* name)
strcpy(msg, cannot);
strcat(msg, " `");
strcat(msg, name);
- strcat(msg, "': ");
- strcat(msg, strerror(err));
+ strcat(msg, "'");
+ if(err)
+ {
+ strcat(msg, ": ");
+ strcat(msg, strerror(err));
+ }
write(fd, msg, strlen(msg));
close(fd);
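Review bot: The `strcpy`/`strcat` chain into `msg` is unbounded, and later in this commit `name` is passed the `user` value taken from a server descriptor, so the destination size now depends on deployment input. The declaration of `msg` is outside the hunk, so its size cannot be checked from here. If it is a fixed-size array, building the message with one bounded `snprintf(msg, sizeof(msg), ...)` call would keep a long user name from overrunning it in the forked child. The function's start and end are also outside the hunk.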
@@ -339,6 +344,7 @@ int
Activator::activate(const string& name,
const string& exePath,
const string& pwdPath,
+ const string& user,
const Ice::StringSeq& options,
const Ice::StringSeq& envs,
const ServerIPtr& server)
@@ -447,6 +453,30 @@ Activator::activate(const string& name,
// Activate and create.
//
#ifdef _WIN32
+
+ if(!user.empty())
+ {
+ vector<char> buf(256);
+ buf.resize(256);
+ DWORD size = buf.size();
+ bool success = GetUserName(&buf[0], &size)
+ if(!success && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
+ {
+ buf.resize(size);
+ success = GetUserName(&buf[0], &size);
+ }
+ if(!success)
+ {
+ SyscallException ex(__FILE__, __LINE__);
+ ex.error = getSystemErrno();
+ throw ex;
+ }
+ if(user != string(&buf[0]))
+ {
+ throw "can't run `" + name + "' under user account `" + user + "'";
+ }
+ }
+
//
// Compose command line.
//
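Review bot: The added line `bool success = GetUserName(&buf[0], &size)` has no terminating semicolon, so the `_WIN32` branch will not compile. The `throw "can't run ..." + name + ...` statement throws a `std::string`, which a handler for `Ice::Exception` or `std::exception` would not catch. The caller's handlers are not visible here, so confirm one matches or throw an exception type instead. `buf.resize(256)` directly after `vector<char> buf(256)` is redundant. The `user != string(&buf[0])` comparison is case-sensitive while Windows account names are not, so a descriptor that differs only in case would be refused.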
@@ -652,6 +682,29 @@ Activator::activate(const string& name,
//
//
+ // Change the user under which the process will run if a
+ // specific user is set.
+ //
+ if(!user.empty())
+ {
+ struct passwd* pw = getpwnam(user.c_str());
+ if(!pw)
+ {
+ reportChildError(0, fds[1], "unknown user", user.c_str());
+ }
+
+ if(setgid(pw->pw_gid) == -1)
+ {
+ reportChildError(getSystemErrno(), fds[1], "cannot set process group id for user", user.c_str());
+ }
+
+ if(setuid(pw->pw_uid) == -1)
+ {
+ reportChildError(getSystemErrno(), fds[1], "cannot set process user id for user", user.c_str());
+ }
+ }
+
+ //
// Assign a new process group for this process.
//
setpgid(0, 0);
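Review bot: The privilege drop sets the primary group and the uid but never resets the supplementary group list, so a node running as root would start the server with root's supplementary groups still attached. Call `initgroups(user.c_str(), pw->pw_gid)` (declared in `<grp.h>`) before `setgid` and report a failure through `reportChildError` like the other two calls. Separately, `pw->pw_gid` is dereferenced right after the `!pw` branch, which is only safe if `reportChildError` never returns. Its end is outside the visible hunks, so confirm it terminates the child. If it returns, an unknown user becomes a null dereference and a failed `setuid` would let the server keep running under the node's own account. The enclosing `activate` body starts and ends outside this hunk.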
diff --git a/cpp/src/IceGrid/Activator.h b/cpp/src/IceGrid/Activator.h
index 77bbbfe1c08..546552e9e16 100644
--- a/cpp/src/IceGrid/Activator.h
+++ b/cpp/src/IceGrid/Activator.h
@@ -31,8 +31,8 @@ public:
Activator(const TraceLevelsPtr&, const Ice::PropertiesPtr&);
virtual ~Activator();
- virtual int activate(const std::string&, const std::string&, const std::string&, const Ice::StringSeq&,
- const Ice::StringSeq&, const ServerIPtr&);
+ virtual int activate(const std::string&, const std::string&, const std::string&, const std::string&,
+ const Ice::StringSeq&, const Ice::StringSeq&, const ServerIPtr&);
virtual void deactivate(const std::string&, const Ice::ProcessPrx&);
virtual void kill(const std::string&);
virtual void sendSignal(const std::string&, const std::string&);
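Review bot: The new `activate` declaration now takes four consecutive unnamed `const std::string&` parameters, so a caller that swaps the working directory and the user compiles silently. Naming them in the header to match the definition would make the order checkable at the call site, e.g. `const std::string& name, const std::string& exePath, const std::string& pwdPath, const std::string& user,`. A one-line comment that an empty `user` means "run as the node's own account" would also document the default that the `.cpp` implements.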
diff --git a/cpp/src/IceGrid/DescriptorBuilder.cpp b/cpp/src/IceGrid/DescriptorBuilder.cpp
index f075c15792f..11152635da1 100644
--- a/cpp/src/IceGrid/DescriptorBuilder.cpp
+++ b/cpp/src/IceGrid/DescriptorBuilder.cpp
@@ -731,7 +731,7 @@ ServerDescriptorBuilder::init(const ServerDescriptorPtr& desc, const XmlAttribut
_descriptor->activation = attrs("activation", "manual");
_descriptor->applicationDistrib = attrs.asBool("application-distrib", true);
_descriptor->allocatable = attrs.asBool("allocatable", false);
-
+ _descriptor->user = attrs("user", "");
}
ServiceDescriptorBuilder*
diff --git a/cpp/src/IceGrid/DescriptorHelper.cpp b/cpp/src/IceGrid/DescriptorHelper.cpp
index 4413e1f03c6..89ee8a55c10 100644
--- a/cpp/src/IceGrid/DescriptorHelper.cpp
+++ b/cpp/src/IceGrid/DescriptorHelper.cpp
@@ -1044,6 +1044,11 @@ ServerHelper::operator==(const ServerHelper& helper) const
return false;
}
+ if(_desc->user != helper._desc->user)
+ {
+ return false;
+ }
+
return true;
}
@@ -1066,6 +1071,7 @@ ServerHelper::instantiateImpl(const ServerDescriptorPtr& instance,
instance->activation = resolve(_desc->activation, "activation");
instance->applicationDistrib = _desc->applicationDistrib;
instance->allocatable = _desc->allocatable;
+ instance->user = resolve(_desc->user, "user");
if(!instance->activation.empty() &&
instance->activation != "manual" && instance->activation != "on-demand" && instance->activation != "always")
{
@@ -1147,6 +1153,10 @@ ServerHelper::printImpl(Output& out, const string& application, const string& no
{
out << nl << "deactivationTimeout = `" << _desc->deactivationTimeout << "'";
}
+ if(!_desc->user.empty())
+ {
+ out << nl << "user = `" << _desc->user << "'";
+ }
if(!_desc->applicationDistrib)
{
out << nl << "application distribution = `false'";
diff --git a/cpp/src/IceGrid/ServerI.cpp b/cpp/src/IceGrid/ServerI.cpp
index c42b860f74a..c5dec6941f4 100644
--- a/cpp/src/IceGrid/ServerI.cpp
+++ b/cpp/src/IceGrid/ServerI.cpp
@@ -1109,7 +1109,7 @@ ServerI::activate()
string failure;
try
{
- int pid = _node->getActivator()->activate(desc->id, desc->exe, desc->pwd, options, envs, this);
+ int pid = _node->getActivator()->activate(desc->id, desc->exe, desc->pwd, desc->user, options, envs, this);
ServerCommandPtr command;
{