Run portlayer as un-privileged user

Start portlayer process with vicadmin user and give capabilities of mounting disks and binding a port less than 1024.
vmware · Jan 4, 2019 · 0dbc953 · 0dbc953
1 parent 68968ce
commit 0dbc953
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/isos/appliance/permissions-setup b/isos/appliance/permissions-setup
@@ -2,4 +2,7 @@
 
 # Allow access to VM uuid for self-reflection
 chmod 444 /sys/devices/virtual/dmi/id/product_serial
-chmod 444 /sys/class/dmi/id/product_serial
+chmod 444 /sys/class/dmi/id/product_serial
+
+# Give port-layer capabilities to mount image disks and bind 53 port
+setcap cap_net_bind_service,cap_sys_admin=+ep /sbin/port-layer-server
diff --git a/lib/install/management/appliance.go b/lib/install/management/appliance.go
@@ -673,6 +673,8 @@ func (d *Dispatcher) createAppliance(conf *config.VirtualContainerHostConfigSpec
 	)
 
 	cfg := &executor.SessionConfig{
+		User:    "vicadmin",
+		Group:   "vicadmin",
 		Cmd: executor.Cmd{
 			Path: "/sbin/port-layer-server",
 			Args: []string{