[ovs-dev] [PATCH] Fix socket permissions on Linux
Ben Pfaff
blp at ovn.org
Thu Aug 16 23:11:41 UTC 2018
On Thu, Aug 16, 2018 at 05:21:28PM -0500, Terry Wilson wrote:
> On Thu, Aug 16, 2018 at 4:57 PM, Ben Pfaff <blp at ovn.org> wrote:
> > On Thu, Aug 16, 2018 at 07:55:09PM +0000, Terry Wilson wrote:
> >> Unix sockets were not being created with the permission 0770,
> >> instead using the current umask value. The manpage for fchmod()
> >> states that that if filedes refers to a socket, the behavior is
> >> undefined. Insetad, use the same code as *BSD to ensure the 0770
> >> permission is set on unix sockets.
> >>
> >> Signed-off-by: Terry Wilson <twilson at redhat.com>
> >
> > It's extraordinarily expensive to fork() to make a single system call.
>
> I agree it is ridiculously ugly, though it isn't like this is
> something that is done in a tight loop anywhere either.
>
> > As far as I can tell, the existing code actually works on Linux, in the
> > same way as the third 'mode' parameter to open(2).
>
> It doesn't (and never has) on my Centos 7 machine. I ran into this a
> couple of years ago and ended up just working around it. As an example
> after make rpm-fedora and installing:
> [centos at test x86_64]$ ls -al /var/run/openvswitch/db.sock
> srwxr-x---. 1 openvswitch openvswitch 0 Aug 16 22:09 db.sock
>
> So we've got 0750 and not 0770 like the hardcoded value in the source.
Presumably, that's 0770 modulo the umask, which is the same thing you
get out of the third argument to open(). I guess your umask is 0022.
If we need exactly 0770 then it's harder and we probably have to
> > Surely there's a better way to do this.
>
> I *hope* so. I mean it certainly seems like something one would want
> to be able to do, but I remember looking for a couple of days 2 years
> ago and giving up. umask seemed like the only reliable option.
> Whatever the solution is, fchmod is *not* it since it is specifically
> undefined behavior to use it on a socket. I'll try with ubuntu and see
> what happens there, but wouldn't imagine it to be different.
>
> From man 3 fchmod:
> DESCRIPTION
> ...
> If fildes refers to a socket, the behavior of fchmod() is unspecified.
That's what POSIX says, at
http://pubs.opengroup.org/onlinepubs/9699919799/functions/fchmod.html.
This particular behavior has been in Linux forever as far as I can tell.
More information about the dev
mailing list