[ovs-dev] [PATCH] lib: allow group access to Unix domain sockets

Andy Zhou azhou at nicira.com
Mon Nov 9 18:35:48 UTC 2015


On Fri, Nov 6, 2015 at 5:51 PM, Ansis Atteka <ansisatteka at gmail.com> wrote:
>
>
> On 10 October 2015 at 01:10, Andy Zhou <azhou at nicira.com> wrote:
>>
>> By default, Unix domain sockets are created with file system permission
>> mode of 0700. Only the process of the belongs to the same user can
>
> How about:
> s/Only the process of the belongs to the same user/This means that only
> processes that run under the same user
>
>>
>> access this socket.
>>
>> For OVS, it may be more convenient to control access at the group
>> level rather than at the user level, since the process needs to
>
> s/the process needs/other processes need
>>
>> access OVSDB sockets or daemons' control sockets may not need the
>
> s/OVSDB sockets or daemons' control sockets.../OVSDB and UNIXCTL sockets
> while running under different use.
>
>
>>
>>
>>
>> same permission as the OVS daemons.
>>
>> This patch change Unix domain sockets' file system permission to 0770,
>
> s/change/changes
>>
>> open up the group access.
>
> s/open up the/to grant
>>
>>
>> It has been a issue in the past since OVS, until very recently,
>
> s/has/hasn't
>>
>> has to run as root. If a process needs to access OVSDB, or OVS daemons'
>
> s/has/had
> s/needs/needed
>
>>
>> control sockets, it has to be a root process as well.
>
> /s/has to/had to be running under
>>
>>
>> With the added --user option to OVS daemons and this change, system
>> administrators can deploy OVS more securely: OVS daemons can run as
>> a non root user. Various processes that need to talk to OVS does not
>> have to root process either.  In fact, they can all run as
>
> s/root/run a as root or ovs user anymore.
>
> And then next sentence, I believe, becomes optional.
>>
>> different users, as long as they have sufficient rights to access
>> OVS socket files.
>>
>> Signed-off-by: Andy Zhou <azhou at nicira.com>
>> ---
>>  lib/socket-util-unix.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c
>> index afab195..1453384 100644
>> --- a/lib/socket-util-unix.c
>> +++ b/lib/socket-util-unix.c
>> @@ -349,6 +349,11 @@ make_unix_socket(int style, bool nonblock,
>>          }
>>          free_sockaddr_un(dirfd, linkname);
>>
>> +        if (!error) {
>> +            /* Allow users with in the same group to connect. */
>
> s/with in/within
>>
>> +            error = chmod(bind_path, 0770);
>
>
> It seems that bind_unix_socket() called from this same function already
> calls fchmod. Is there a good reason you have to do one more call from here?
> Here is code:
>
> /* Binds Unix domain socket 'fd' to a file with permissions 0700. */
> static int
> bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len)
> {
>     const mode_t mode = 0700;
>     if (LINUX) {
>         if (fchmod(fd, mode)) {
>
>
> Also, your way, I believe socket is not created with right permissions
> atomically.
>
>
You are right. Changing bind_unix_socket seems to be a better
solution. I will repost with this change.
>>
>> +        }
>> +
>>          if (error) {
>>              goto error;
>>          }
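
Review bot: the `chmod(bind_path, 0770)` call runs only after the socket file has been created, so until it returns the file carries whatever mode it was bound with, and a path-based `chmod()` acts on whatever `bind_path` names at that moment. Setting the mode on the descriptor before binding, next to the `fchmod(fd, mode)` in `bind_unix_socket()` quoted in the reply, closes that window and keeps a single place that decides the mode. Separately, `chmod()` returns -1 on failure, so `error` ends up as -1 rather than an errno value; use `error = chmod(bind_path, 0770) ? errno : 0;` if the `goto error` path reports `error` as an errno.
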
>> --
>> 1.9.1
>>
>
>
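
The atomicity point raised in the review, as an added example (not code from the patch or from OVS): a hypothetical helper `probe_socket_mode()` records the socket file's mode right after `bind()` and again after any later `chmod()`, for both orderings. It assumes Linux, where the mode set with `fchmod()` on the fd before `bind()` becomes the file's mode, masked by the umask; the paths used with it are constructed.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Added example (hypothetical helper, not OVS code).  Binds a Unix socket at
 * 'path', stores its permission bits right after bind() in '*at_bind' and
 * after any later chmod() in '*final', then removes the file.  'mode_first'
 * nonzero: fchmod() the fd before bind().  Zero: bind(), then chmod() by
 * path, as in the posted hunk.  Returns 0 or a positive errno value. */
int
probe_socket_mode(const char *path, mode_t mode, int mode_first,
                  mode_t *at_bind, mode_t *final)
{
    struct sockaddr_un sun;
    struct stat st;
    int error = 0, fd;

    if (strlen(path) >= sizeof sun.sun_path) {
        return ENAMETOOLONG;
    }
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strcpy(sun.sun_path, path);
    unlink(path);                   /* Drop a stale socket from an old run. */
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return errno;
    }
    /* Linux: the file is created with (fd mode & ~umask), so with
     * 'mode_first' it never exists with wider permissions. */
    if ((mode_first && fchmod(fd, mode))
        || bind(fd, (struct sockaddr *) &sun, sizeof sun)
        || stat(path, &st)) {
        error = errno;              /* These calls return -1, not errno. */
        goto out;
    }
    *at_bind = st.st_mode & 07777;
    if ((!mode_first && chmod(path, mode)) || stat(path, &st)) {
        error = errno;
        goto out;
    }
    *final = st.st_mode & 07777;
out:
    close(fd);
    unlink(path);
    return error;
}
```

With umask 022 and mode 0770, setting the mode first gives 0750 both at bind time and afterwards, while bind-then-chmod exposes the file as 0755 before it ends at 0770. Because the mode-first result is still filtered by the umask, a daemon that wants group members to connect (which requires write permission on the socket) has to run with a umask that leaves the group write bit set.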


