[ovs-dev] [PATCH] lib: allow group access to Unix domain sockets

Ansis Atteka ansisatteka at gmail.com
Sat Nov 7 01:51:42 UTC 2015


On 10 October 2015 at 01:10, Andy Zhou <azhou at nicira.com> wrote:

> By default, Unix domain sockets are created with file system permission
> mode of 0700. Only the process of the belongs to the same user can
>
How about:
s/Only the process of the belongs to the same user/This means that only
processes that run under the same user


> access this socket.
>
> For OVS, it may be more convenient to control access at the group
> level rather than at the user level, since the process needs to
>
s/the process needs/other processes need

> access OVSDB sockets or daemons' control sockets may not need the

s/OVSDB sockets or daemons' control sockets.../OVSDB and UNIXCTL sockets
while running under different user.



> same permission as the OVS daemons.
>
> This patch change Unix domain sockets' file system permission to 0770,
>
s/change/changes

> open up the group access.
>
s/open up the/to grant

>
> It has been a issue in the past since OVS, until very recently,
>
s/has/hasn't

> has to run as root. If a process needs to access OVSDB, or OVS daemons'
>
s/has/had
s/needs/needed


> control sockets, it has to be a root process as well.
>
s/has to/had to be running under

>
> With the added --user option to OVS daemons and this change, system
> administrators can deploy OVS more securely: OVS daemons can run as
> a non root user. Various processes that need to talk to OVS does not
> have to root process either.  In fact, they can all run as
>
s/root/run as a root or ovs user anymore.

And then next sentence, I believe, becomes optional.

> different users, as long as they have sufficient rights to access
> OVS socket files.
>
> Signed-off-by: Andy Zhou <azhou at nicira.com>
> ---
>  lib/socket-util-unix.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c
> index afab195..1453384 100644
> --- a/lib/socket-util-unix.c
> +++ b/lib/socket-util-unix.c
> @@ -349,6 +349,11 @@ make_unix_socket(int style, bool nonblock,
>          }
>          free_sockaddr_un(dirfd, linkname);
>
> +        if (!error) {
> +            /* Allow users with in the same group to connect. */
>
s/with in/within

> +            error = chmod(bind_path, 0770);
>

It seems that bind_unix_socket() called from this same function already
calls fchmod. Is there a good reason you have to do one more call from
here? Here is the code:

/* Binds Unix domain socket 'fd' to a file with permissions 0700. */
static int
bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len)
{
    const mode_t mode = 0700;
    if (LINUX) {
        if (fchmod(fd, mode)) {


Also, your way, I believe the socket is not created with the right
permissions atomically.



> +        }
> +
>          if (error) {
>              goto error;
>          }
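
Review bot: in the added block, `error = chmod(bind_path, 0770);` stores chmod()'s return value, which is -1 on failure with the cause left in errno, so the `if (error)` path that follows sees -1 rather than an errno code. If `error` is meant to hold an errno value, use `error = chmod(bind_path, 0770) ? errno : 0;`. The call also sets the mode by path only after the socket file already exists, so the file carries its earlier mode for a short window and the path is resolved a second time. The bind_unix_socket() excerpt quoted above already calls fchmod(fd, mode) with mode 0700 on Linux, so changing that mode to 0770 there would cover both points without the extra call.
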
> --
> 1.9.1
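The two orderings discussed in this thread, chmod() on the path after bind() versus fchmod() on the descriptor before bind(), compared in an added example that is not OVS code and not part of the original message. It assumes Linux, where the descriptor's mode, masked by the umask, becomes the socket file's mode at bind() time; `make_group_socket` and the /tmp path are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Binds a Unix socket at 'path' for group access (0770).  If 'fd_first',
 * sets the mode on the fd before bind() (Linux behaviour); otherwise
 * chmod()s the path after bind().  '*at_bind' receives the mode the file
 * had when it appeared, '*final' the mode at the end.  Returns 0 or errno. */
static int make_group_socket(const char *path, int fd_first,
                             mode_t *at_bind, mode_t *final)
{
    struct sockaddr_un addr;
    struct stat st;
    int error = 0;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) { return errno; }
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                       /* Remove a stale socket, if any. */
    if ((fd_first && fchmod(fd, 0770))
        || bind(fd, (struct sockaddr *) &addr, sizeof addr)
        || stat(path, &st)) {
        error = errno;
    } else {
        *at_bind = st.st_mode & 0777;   /* Mode visible as soon as it exists. */
        if ((!fd_first && chmod(path, 0770)) || stat(path, &st)) {
            error = errno;
        }
        *final = st.st_mode & 0777;
    }
    close(fd);
    unlink(path);                       /* Clean up the example socket. */
    return error;
}

int main(void)
{
    mode_t a = 0, f = 0;
    for (int fd_first = 0; fd_first <= 1; fd_first++) {
        int error = make_group_socket("/tmp/example-group.sock", fd_first, &a, &f);
        printf("fd_first=%d error=%d at_bind=%04o final=%04o\n", fd_first, error, (unsigned) a, (unsigned) f);
    }
    return 0;
}
```

With chmod() after bind() the file first appears as 0777 masked by the umask and only then becomes 0770. With fchmod() first it appears as 0770 masked by the umask, so a umask of 022 still strips the group write bit that connecting requires.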