[ovs-dev] [PATCH] lib: allow group access to Unix domain sockets

Andy Zhou azhou at nicira.com
Sat Oct 10 08:10:50 UTC 2015


By default, Unix domain sockets are created with file system permission
mode of 0700. Only the process of the belongs to the same user can
access this socket.

For OVS, it may be more convenient to control access at the group
level rather than at the user level, since the process needs to
access OVSDB sockets or daemons' control sockets may not need the
same permission as the OVS daemons.

This patch change Unix domain sockets' file system permission to 0770,
open up the group access.

It has been a issue in the past since OVS, until very recently,
has to run as root. If a process needs to access OVSDB, or OVS daemons'
control sockets, it has to be a root process as well.

With the added --user option to OVS daemons and this change, system
administrators can deploy OVS more securely: OVS daemons can run as
a non root user. Various processes that need to talk to OVS does not
have to root process either.  In fact, they can all run as
different users, as long as they have sufficient rights to access
OVS socket files.

Signed-off-by: Andy Zhou <azhou at nicira.com>
---
 lib/socket-util-unix.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c
index afab195..1453384 100644
--- a/lib/socket-util-unix.c
+++ b/lib/socket-util-unix.c
@@ -349,6 +349,11 @@ make_unix_socket(int style, bool nonblock,
         }
         free_sockaddr_un(dirfd, linkname);
 
+        if (!error) {
+            /* Allow users with in the same group to connect. */
+            error = chmod(bind_path, 0770);
+        }
+
         if (error) {
             goto error;
         }
-- 
1.9.1




More information about the dev mailing list