[ovs-dev] to exec ovs-vsctl, or to emulate it?
neil.mckee at inmon.com
Sun Aug 29 20:58:00 UTC 2010
I have a daemon written in C that invokes /usr/bin/ovs-vsctl to configure sFlow on the local Open vSwitch, and my question is about how to do that securely. I'm using pipe/fork/dup2/execve etc. to bypass shell expansion etc., so it's not a complete disaster from a security point of view, but my daemon has to run all the time and check/update the config periodically, which means it has to retain super-user privileges so it can call ovs-vsctl each time.
I suspect that I should really be connecting at the layer below: i.e. opening the unix domain socket to connect to the ovsdb server and sending commands just like ovs-vsctl does. That way I could relinquish superuser privileges as soon as the socket was opened (right?)
So my questions are:
1. Which API is more stable? The ovs-vsctl command-line or the underlying socket API?
2. If I really should be connecting to the socket API, what is the minimal #include that I would need?
3. Should I just stick with what I have because the security difference is marginal and the effort of emulating ovs-vsctl could be non-trivial?
4. If I continue to use ovs-vsctl, what is the best way of ensuring that /usr/bin/ovs-vsctl is genuine, and that Open vSwitch is actually installed and running? I was thinking I would just have to check the permissions on /usr/bin/ovs-vsctl (and /usr/bin) to make sure that it is owned by root and only root could change it, but maybe there is a better way to know that I can trust it?
As usual, my apologies if this is already documented meticulously somewhere.
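The two routes the post weighs, as an added example that is not part of the original message or of the Open vSwitch project: a trust check on /usr/bin/ovs-vsctl and its directory (root-owned, writable only by root, not a symlink) before a shell-free fork/execve, and, for the socket route, connecting to the ovsdb unix-domain socket while still root and then dropping privileges. The socket path /var/run/openvswitch/db.sock, the uid/gid 65534 and the fixed PATH in the child environment are assumptions for the demo, not values taken from the post.

```c
#define _GNU_SOURCE          /* setresuid/setresgid/setgroups on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Trust rule for something we are about to rely on: owned by root and
 * writable only by root.  want_dir selects directory vs. regular executable. */
static int is_trusted_stat(const struct stat *st, int want_dir)
{
    if (st->st_uid != 0) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    if (want_dir) return S_ISDIR(st->st_mode) ? 1 : 0;
    return (S_ISREG(st->st_mode) && (st->st_mode & S_IXUSR)) ? 1 : 0;
}

/* Check the binary and the directory holding it (/usr/bin/ovs-vsctl and
 * /usr/bin).  lstat() rejects a symlinked binary; relax to stat() if your
 * distribution installs it that way.  Absolute paths only. */
static int check_trusted_binary(const char *path)
{
    struct stat st;
    char dir[256];
    size_t n;

    if (path[0] != '/') return 0;
    if (lstat(path, &st) != 0 || !is_trusted_stat(&st, 0)) return 0;
    n = (size_t)(strrchr(path, '/') - path);
    if (n == 0) n = 1;                        /* binary directly under "/" */
    if (n >= sizeof dir) return 0;
    memcpy(dir, path, n);
    dir[n] = '\0';
    if (stat(dir, &st) != 0 || !is_trusted_stat(&st, 1)) return 0;
    return 1;
}

/* Run argv[0] directly: fork + execve, no shell, a fixed minimal environment
 * (assumed PATH), stdin from /dev/null.  Returns the child's exit status,
 * 127 if exec itself failed, -1 on fork/wait failure. */
static int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        int fd = open("/dev/null", O_RDONLY);
        if (fd >= 0) { dup2(fd, STDIN_FILENO); if (fd > 2) close(fd); }
        execve(argv[0], argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Connect to a unix-domain socket while still root (the ovsdb socket path
 * below is an assumption; check your installation). */
static int connect_unix(const char *path)
{
    struct sockaddr_un sa;
    int fd;
    if (strlen(path) >= sizeof sa.sun_path) return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    return fd;
}

/* Drop root once the privileged resource is open: supplementary groups
 * first, then gid, then uid, then verify that root cannot be regained. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must fail */
    return 0;
}

int main(void)
{
    char *const argv[] = { "/usr/bin/ovs-vsctl", "--version", NULL };
    int fd;

    /* Route A: keep calling the CLI, but only after the trust check. */
    if (check_trusted_binary(argv[0]))
        printf("ovs-vsctl exit status: %d\n", run_argv(argv));
    else
        printf("refusing to run %s: not root-owned and root-writable-only\n", argv[0]);

    /* Route B: open the socket as root, then run unprivileged (assumed uid/gid). */
    fd = connect_unix("/var/run/openvswitch/db.sock");
    if (fd >= 0 && drop_privileges(65534, 65534) == 0)
        printf("connected as root, now unprivileged on fd %d\n", fd);
    return 0;
}
```

The permission check only tells you the file cannot have been modified by a non-root user; it says nothing about whether the binary is the distribution's, so pair it with package verification where that matters. Note too that after drop_privileges the daemon can no longer re-run ovs-vsctl, which is exactly the trade-off question 3 is about.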