On Mon, Nov 9, 2015 at 12:43 PM, Andy Zhou <az...@nicira.com> wrote: > By default, Unix domain sockets are created with file system permission > mode of 0700. This means that only processes that run under the same > user can access this socket. > > For OVS, it may be more convenient to control access at the group > level rather than at the user level, since other processes need to > access OVSDB and UNIXCTL sockets while running under different users. > > This patch changes Unix domain sockets' file system permission to 0770, > to grant group access. > > It has not been an issue in the past since OVS, until very recently, > had to run as root. If a process needed to access OVSDB or UNIXCTL > sockets, it had to be a root process as well. > > With the added --user option to OVS daemons and this change, system > administrators can deploy OVS more securely: OVS daemons can run as > a non-root user. Various processes that need to talk to OVS do not > have to run as root processes anymore. > > Signed-off-by: Andy Zhou <az...@nicira.com> > > --- > v1->v2: Move the permission change from make_unix_socket() to > bind_unix_socket(). > --- > lib/socket-util-unix.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c > index afab195..32f966d 100644 > --- a/lib/socket-util-unix.c > +++ b/lib/socket-util-unix.c > @@ -259,10 +259,10 @@ free_sockaddr_un(int dirfd, const char *linkname) > } > > /* Binds Unix domain socket 'fd' to a file with permissions 0700. */ > -static int > -bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len) > +static int bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len) > { > - const mode_t mode = 0700; > + const mode_t mode = 0770; /* Allow both user and group access. */ > +
LGTM. I assume you tested it. > if (LINUX) { > /* On Linux, the fd's permissions become the file's permissions. > * fchmod() does not affect other files, like umask() does. */ > -- > 1.9.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev
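Review bot: the doc comment just above the function, "/* Binds Unix domain socket 'fd' to a file with permissions 0700. */", is left untouched while the hunk changes the mode to 0770, so it now documents the old behaviour; please update it to 0770 in the same patch. Two smaller points on the same hunk: the removed lines "static int" / "bind_unix_socket(...)" are replaced by a single joined line, which is an unrelated style change (the removed lines show the return type on its own line) and should be dropped so the diff is only the permission change; and in the Linux branch that follows ("the fd's permissions become the file's permissions"), the mode set with fchmod() is, as far as I know, still masked by the process umask when bind() creates the node, so with the common 022 umask the socket ends up 0750 and group members still cannot connect. Worth verifying that the daemons run with a group-permissive umask, and documenting which group is expected to own the socket, since membership in it now grants full OVSDB and unixctl access.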
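The fchmod()-before-bind() mechanism the patch relies on, together with the umask interaction and the portable umask-only alternative, as an added example that is not OVS code and not from the patch author. It assumes Linux semantics (fchmod() on a socket fd is honoured, and bind() creates the node with the fd's mode masked by the process umask); the socket path is a hypothetical temporary path chosen for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical path used only for this demonstration; not an OVS path. */
#define DEMO_SOCK_PATH "/tmp/unix-socket-perm-demo.sock"

/* Binds 'fd' to 'path' with the process umask temporarily set to 'mask',
 * then returns the permission bits (st_mode & 07777) of the node that
 * bind() created, or -1 on error.  The node is removed before returning. */
static int bind_and_stat(int fd, const char *path, mode_t mask)
{
    struct sockaddr_un sun;
    struct stat st;
    mode_t old_mask;
    int rc;

    if (strlen(path) >= sizeof sun.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strcpy(sun.sun_path, path);

    unlink(path);               /* Remove a stale node from an earlier run. */
    old_mask = umask(mask);
    rc = bind(fd, (struct sockaddr *) &sun, sizeof sun);
    umask(old_mask);
    if (rc < 0) {
        return -1;
    }
    rc = stat(path, &st);
    unlink(path);
    return rc < 0 ? -1 : (int) (st.st_mode & 07777);
}

/* The Linux approach used by the patch: fchmod() the socket fd before
 * bind().  Returns the mode bits of the resulting node, which under Linux's
 * semantics is 'mode & ~mask': the umask still applies on top of fchmod(). */
int bind_with_fchmod(const char *path, mode_t mode, mode_t mask)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int result;

    if (fd < 0) {
        return -1;
    }
    if (fchmod(fd, mode) < 0) {
        close(fd);
        return -1;
    }
    result = bind_and_stat(fd, path, mask);
    close(fd);
    return result;
}

/* The portable alternative: leave the fd alone and set the umask so that the
 * default node mode (0777 before masking) comes out as 'mode'.  Unlike
 * fchmod(), this briefly affects every file the process creates. */
int bind_with_umask(const char *path, mode_t mode)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int result;

    if (fd < 0) {
        return -1;
    }
    result = bind_and_stat(fd, path, 0777 & ~mode);
    close(fd);
    return result;
}

int main(void)
{
    printf("fchmod 0770, umask 022 -> %04o\n",
           bind_with_fchmod(DEMO_SOCK_PATH, 0770, 022));
    printf("fchmod 0770, umask 007 -> %04o\n",
           bind_with_fchmod(DEMO_SOCK_PATH, 0770, 007));
    printf("umask only, want 0770  -> %04o\n",
           bind_with_umask(DEMO_SOCK_PATH, 0770));
    return 0;
}
```

The first call is the case a reviewer should worry about: requesting 0770 through fchmod() while the daemon still runs with the usual 022 umask yields a 0750 socket, and since connect() on a Unix socket needs write permission on the node, group members are still locked out. A deployment that relies on group access needs both the 0770 mode and a umask that keeps the group write bit.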