[ovs-dev] [Debian-non-root v2 4/4] Debian: start daemons as ovs(non-root) user

Andy Zhou azhou at nicira.com
Mon Oct 26 04:36:03 UTC 2015


On Sat, Oct 24, 2015 at 2:36 PM, Ben Pfaff <blp at nicira.com> wrote:
> On Fri, Oct 09, 2015 at 05:13:24PM -0700, Andy Zhou wrote:
>> Changes to Debian packaging scripts to create the ovs user and group.
>> Fix the permissions of ovs created files and directories so that
>> they are accessible by users belonging to the ovs group.
>> Start daemons as the ovs user.
>>
>> Signed-off-by: Andy Zhou <azhou at nicira.com>
>>
>> ----
>> This patch does not include changes to the ipsec package. Ansis has
>> other plans for updating it.
>
> This looks carefully done.  Thank you!  I have a few suggestions, see
> below.
>
>> +case "$1" in
>> +    configure)
>> +        LOGDIR=/var/log/openvswitch
>> +        # Create the ovs user and group.
>> +        adduser --system --group --no-create-home --quiet $OVS_USER || true
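
Review bot: $OVS_USER is unquoted on the adduser line and its definition is not visible in this hunk; if it expands to an empty string, adduser is called without a user name and the trailing "|| true" hides the failure, so configure carries on without the account. Quote it as "$OVS_USER", fail early when it is empty, and drop "|| true" so that a failed account creation stops configuration.
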
>
> Based on looking at other packages, I'd suggest adding --disabled-login
> to this command.
>
> I am not sure why || true is there.  If adduser fails, then I suspect
> that configuration should fail.  I only see || true (or similar) in a
> minority of other packages that add users.
>
> From looking at other packages, it looks like there's an unwritten
> convention that a daemon's home directory should be its rundir, e.g. add
> "--home /var/run/openvswitch".
>
> A number of other packages check whether the account already exists
> before it creates it.  adduser is supposed to work OK in this case, as
> long as nothing needs to change, but it might be considered best
> practice to check.  e.g. here is what exim4-base does:
>
>         if ! getent passwd Debian-exim > /dev/null ; then
>           echo 'Adding system-user for exim (v4)' 1>&2
>           adduser --system --group --quiet --home /var/spool/exim4 \
>             --no-create-home --disabled-login --force-badname Debian-exim
>         fi

Those are good suggestions.  Will adopt all in the next rev.

>
> openvswitch-vtep.init seems like a funny place to do the following:
>
>> +    chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
>> +    chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
>> +    chmod -R 0770 /var/run/openvswitch
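
Review bot: "chmod -R 0770" on the last line applies one mode to every file under /var/run/openvswitch as well as to the directory itself, so pidfiles and sockets get the execute bits too. Set the directory mode without -R, or set directory and file modes separately, and quote "$OVS_USER:$OVS_GROUP" in the two chown lines.
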
>

I agree it is odd. But it seems necessary given the directory and files
created above as root. Do you have some alternatives in mind?

> Also, the 770 permissions for /var/run/openvswitch mean that
> unprivileged users can't see the OVS pidfiles that can reliably report
> what OVS daemons are running.  Based on looking at my own system, this
> is somewhat unusual (try running "find /var/run/ -maxdepth 1 -type d
> -ls" and look at your results).

I see. How about 775?


