On 10 October 2015 at 01:10, Andy Zhou <az...@nicira.com> wrote:
> By default, Unix domain sockets are created with file system permission
> mode of 0700. Only the process of the belongs to the same user can

How about: s/Only the process of the belongs to the same user/This means that only processes that run under the same user

> access this socket.
>
> For OVS, it may be more convenient to control access at the group
> level rather than at the user level, since the process needs to

s/the process needs/other processes need

> access OVSDB sockets or daemons' control sockets may not need the

s/OVSDB sockets or daemons' control sockets.../OVSDB and UNIXCTL sockets while running under different use.

> same permission as the OVS daemons.
>
> This patch change Unix domain sockets' file system permission to 0770,

s/change/changes

> open up the group access.

s/open up the/to grant

>
> It has been a issue in the past since OVS, until very recently,

s/has/hasn't

> has to run as root. If a process needs to access OVSDB, or OVS daemons'

s/has/had
s/needs/needed

> control sockets, it has to be a root process as well.

s/has to/had to be running under

>
> With the added --user option to OVS daemons and this change, system
> administrators can deploy OVS more securely: OVS daemons can run as
> a non root user. Various processes that need to talk to OVS does not
> have to root process either. In fact, they can all run as

s/root/run as root or ovs user anymore. And then the next sentence, I believe, becomes optional.

> different users, as long as they have sufficient rights to access
> OVS socket files.
>
> Signed-off-by: Andy Zhou <az...@nicira.com>
> ---
> lib/socket-util-unix.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c
> index afab195..1453384 100644
> --- a/lib/socket-util-unix.c
> +++ b/lib/socket-util-unix.c
> @@ -349,6 +349,11 @@ make_unix_socket(int style, bool nonblock,
> }
> free_sockaddr_un(dirfd, linkname);
>
> + if (!error) {
> + /* Allow users with in the same group to connect. */

s/with in/within

> + error = chmod(bind_path, 0770);

It seems that bind_unix_socket(), called from this same function, already calls fchmod. Is there a good reason you have to do one more call from here? Here is the code:

/* Binds Unix domain socket 'fd' to a file with permissions 0700. */
static int
bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len)
{
    const mode_t mode = 0700;

    if (LINUX) {
        if (fchmod(fd, mode)) {

Also, your way, I believe the socket is not created with the right permissions atomically.

> + }
> +
> if (error) {
> goto error;
> }
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
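Review bot: the chmod(bind_path, 0770) added in this hunk sets the socket file's mode a second time, since the quoted bind_unix_socket() already applies fchmod(fd, mode) with mode = 0700 on Linux, and between that bind and the later chmod() the file exists with the narrower 0700 mode, so a group member connecting in that window is refused. Setting the wanted mode once, where bind_unix_socket() already decides it, gives the file its final permissions in a single step; chmod() by path also acts on whatever is at bind_path at that moment rather than on the descriptor that was bound. The added comment should read "within", not "with in".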
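As an added example (not OVS code, and not the fchmod() path the reviewer quotes), this shows the atomic alternative raised in the reply: narrowing the umask so that bind() creates the socket file with the wanted group-accessible mode directly, leaving no interval in which it is 0700. The path /tmp/ovs_group_demo.sock is a constructed placeholder.

```c
/* Added example, not part of the patch or of OVS: bind an AF_UNIX socket
 * so that the file it creates carries the wanted mode from the start. */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Binds a stream socket at 'path' and returns the permission bits
 * (st_mode & 0777) of the file bind() created, or -1 on error.
 * 'want' is the mode the file should have, e.g. 0770 for group access. */
int bind_with_mode(const char *path, mode_t want)
{
    struct sockaddr_un sun;
    struct stat st;
    mode_t old_umask;
    int fd, ret = -1;

    if (strlen(path) >= sizeof sun.sun_path) {
        return -1;                 /* would not fit in sun_path */
    }
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strcpy(sun.sun_path, path);
    unlink(path);                  /* remove a stale file from an earlier run */

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return -1;
    }
    /* bind() creates the file as 0777 & ~umask, so a umask of 0777 & ~want
     * yields exactly 'want' with no later chmod() and no 0700 window. */
    old_umask = umask(0777 & ~want);
    if (bind(fd, (struct sockaddr *) &sun, sizeof sun) == 0
        && stat(path, &st) == 0) {
        ret = (int) (st.st_mode & 0777);
    }
    umask(old_umask);              /* restore the caller's umask */
    close(fd);
    unlink(path);
    return ret;
}

int main(void)
{
    printf("socket created with mode 0%o\n",
           bind_with_mode("/tmp/ovs_group_demo.sock", 0770));
    return 0;
}
```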