[ovs-dev] to exec ovs-vsctl, or to emulate it?

Neil McKee neil.mckee at inmon.com
Sun Aug 29 20:58:00 UTC 2010


I have a daemon written in C that invokes /usr/bin/ovs-vsctl to configure sFlow on the local Open vSwitch, and my question is about how to do that securely. I'm using pipe/fork/dup2/execve etc. to bypass shell expansion etc. so it's not a complete disaster from a security point of view, but my daemon has to run all the time and check/update the config periodically, which means it has to retain super-user privileges so it can call ovs-vsctl each time.

I suspect that I should really be connecting at the layer below: i.e. opening the unix domain socket to connect to the ovsdb server and sending commands just like ovs-vsctl does. That way I could relinquish superuser privileges as soon as the socket was opened (right?)

So my questions are:
1. Which API is more stable? The ovs-vsctl command line or the underlying socket API?
2. If I really should be connecting to the socket API, what is the minimal #include that I would need?
3. Should I just stick with what I have because the security difference is marginal and the effort of emulating ovs-vsctl could be non-trivial?
4. If I continue to use ovs-vsctl, what is the best way of ensuring that /usr/bin/ovs-vsctl is genuine, and that Open vSwitch is actually installed and running? I was thinking I would just have to check the permissions on /usr/bin/ovs-vsctl (and /usr/bin) to make sure that it is owned by root and only root could change it, but maybe there is a better way to know that I can trust it?

As usual, my apologies if this is already documented meticulously somewhere.

Regards,
Neil