Change to a non-root user after starting the server

onedns/cli.py

@@ -12,6 +12,7 @@ def daemon(args, one_args, **kwargs):
     srv = server.OneDNS(args.domain, one_kwargs=one_args)
     srv.daemon(dns_port=args.dns_port,
                sync_interval=args.sync_interval,
+               user=args.user,
                test=test, test_vms=test_vms)
 
 
@@ -58,6 +59,9 @@ def get_parser():
     daemon_parser.add_argument(
         '--sync-interval', required=False, default=5 * 60, type=positive_int,
         help="time in seconds between ONE syncs")
+    daemon_parser.add_argument(
+        '--user', required=False, default='nobody',
+        help="system user name to setuid() to")
 
     shell_parser = subparsers.add_parser('shell')
     shell_parser.set_defaults(func=shell)

onedns/server.py

@@ -1,5 +1,7 @@
 import re
 import time
+import pwd
+import os
 
 from onedns import zone
 from onedns import resolver
@@ -61,7 +63,7 @@ class OneDNS(resolver.DynamicResolver):
         log.info("Adding VM {id}: {vm}".format(id=vm.id, vm=vm.name))
         for name, ip in dns_entries.items():
             self._check_for_duplicates(vm.id, name, ip, zone=zone)
-            self.add_host(name, ip, zone=zone)
+            self.add_host(name.lower(), ip, zone=zone)
 
     def remove_vm(self, vm, zone=None):
         dns_entries = self._get_vm_dns_entries(vm)
@@ -93,9 +95,15 @@ class OneDNS(resolver.DynamicResolver):
     def daemon(self, *args, **kwargs):
         test = kwargs.pop('test', False)
         test_vms = kwargs.pop('test_vms', None)
+        user = kwargs.pop('user', 'nobody')
         sync_interval = kwargs.pop('sync_interval', 5 * 60)
         if self._udp_server is None or not self._udp_server.isAlive():
             self.start(*args, **kwargs)
+        _, _, uid, gid, _, root, shell = pwd.getpwnam(user)
+        os.chdir('/')
+        os.setgroups([])
+        os.setgid(gid)
+        os.setuid(uid)
         while self._udp_server.isAlive():
             try:
                 self.sync(vms=test_vms)