Netatalk
Allow netatalk to run as non-root
In this day and age, it's getting common for people to want to run services as regular users in a sandboxed environment, without the need for root access to the host system.
In the context of netatalk, you would want to for instance to spin up a quick AFP server for sharing the contents of your home directory to other Macs.
Right now, there's no logic or validation that stops one from launching the netatalk controller daemon and its child daemons as a regular user. In fact, it appears to mostly work. However, we run into (quite insidious) errors when trying to actually mount f.e. the home directory from a client.
I suspect that there's something about the logic for creation of and writing to the CNID database that assumes the controlling daemons run as root.
The become_root() function is currently called 25 times in afpd and libatalk.
It's used for:
- working with ACLs
- working with quota
- creating CNID database dirs
- manipulating EA metadata
- creating and manipulating AppleDouble metadata files
- creating and manipulating special Classic Mac OS files/dirs in the CNID dir
- reading and manipulating config files (afp.conf, afp_signature.conf, afp_voluuid.conf)
- manipulating volume dirs (e.g. setting groups)