[ovs-dev] [PATCH] Fix socket permissions on Linux

Ben Pfaff blp at ovn.org
Thu Aug 16 23:13:25 UTC 2018


On Thu, Aug 16, 2018 at 06:58:54PM -0400, Aaron Conole wrote:
> Terry Wilson <twilson at redhat.com> writes:
> 
> > On Thu, Aug 16, 2018 at 4:57 PM, Ben Pfaff <blp at ovn.org> wrote:
> >> On Thu, Aug 16, 2018 at 07:55:09PM +0000, Terry Wilson wrote:
> >>> Unix sockets were not being created with the permission 0770,
> >>> instead using the current umask value. The manpage for fchmod()
> > >>> states that if filedes refers to a socket, the behavior is
> > >>> undefined. Instead, use the same code as *BSD to ensure the 0770
> >>> permission is set on unix sockets.
> >>>
> >>> Signed-off-by: Terry Wilson <twilson at redhat.com>
> >>
> >> It's extraordinarily expensive to fork() to make a single system call.
> >
> > I agree it is ridiculously ugly, though it isn't like this is
> > something that is done in a tight loop anywhere either.
> >
> >> As far as I can tell, the existing code actually works on Linux, in the
> >> same way as the third 'mode' parameter to open(2).
> >
> > It doesn't (and never has) on my Centos 7 machine. I ran into this a
> > couple of years ago and ended up just working around it. As an example
> > after make rpm-fedora and installing:
> > [centos at test x86_64]$ ls -al /var/run/openvswitch/db.sock
> > srwxr-x---.  1 openvswitch openvswitch    0 Aug 16 22:09 db.sock
> >
> > So we've got 0750 and not 0770 like the hardcoded value in the source.
> >
> >> Surely there's a better way to do this.
> >
> > I *hope* so. I mean it certainly seems like something one would want
> > to be able to do, but I remember looking for a couple of days 2 years
> > ago and giving up. umask seemed like the only reliable option.
> > Whatever the solution is, fchmod is *not* it since it is specifically
> > undefined behavior to use it on a socket. I'll try with ubuntu and see
> > what happens there, but wouldn't imagine it to be different.
> 
> So...
> 
> Gather 'round folks, and let me tell you the tale of a series long
> ago posted:
> 
> https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/321866.html

Wow, I don't remember reading that patch at all.  That's unusual, for
me.


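The two behaviours the thread argues about, as an added example that is not part of this thread or of Open vSwitch: a plain bind() followed by fchmod() on the socket fd, versus tightening the umask around bind(). The function and variable names are mine, and the scratch socket under a fresh /tmp directory is constructed for the demo.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE             /* mkdtemp() prototype on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* socket()+bind()+listen() at PATH under the caller's current umask.
 * Returns the listening fd, or -1 with errno set. */
static int listen_unix(const char *path)
{
    struct sockaddr_un sun;
    if (strlen(path) >= sizeof sun.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return -1;
    }
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strcpy(sun.sun_path, path);
    unlink(path);                       /* drop a stale socket, if any */
    if (bind(fd, (struct sockaddr *) &sun, sizeof sun) < 0 || listen(fd, 10) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Listening socket at PATH whose inode has exactly MODE (e.g. 0770).  Linux
 * creates the inode as 0777 & ~umask, so the umask is tightened around
 * bind() and restored immediately afterwards. */
int bind_unix_socket_with_mode(const char *path, mode_t mode)
{
    mode_t old_umask = umask(~mode & 0777);
    int fd = listen_unix(path);
    int saved = errno;
    umask(old_umask);                   /* restore before doing anything else */
    errno = saved;
    return fd;
}

/* Permission bits of the filesystem entry at PATH, or -1 on error. */
int socket_path_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int) (st.st_mode & 0777);
}

/* Scratch socket path in a fresh private directory (constructed for the demo). */
static int make_scratch_path(char *buf, size_t len)
{
    char dir[] = "/tmp/ovs-sock-XXXXXX";
    if (!mkdtemp(dir) || snprintf(buf, len, "%s/db.sock", dir) >= (int) len) {
        return -1;
    }
    return 0;
}

static void remove_scratch_path(char *path)
{
    unlink(path);
    *strrchr(path, '/') = '\0';         /* strip "/db.sock", leaving the directory */
    rmdir(path);
}

/* The rejected approach: bind() under a 022 umask, then fchmod() the fd to
 * 0770.  Returns the mode the path ends up with: 0755 on Linux, because
 * fchmod() reports success but changes the sockfs inode, not the bound path. */
int demo_fchmod_on_fd_mode(void)
{
    char path[64];
    if (make_scratch_path(path, sizeof path) < 0) {
        return -1;
    }
    mode_t old_umask = umask(022);
    int fd = listen_unix(path);
    umask(old_umask);
    int mode = -1;
    if (fd >= 0) {
        (void) fchmod(fd, 0770);        /* undefined for sockets per POSIX */
        mode = socket_path_mode(path);
        close(fd);
    }
    remove_scratch_path(path);
    return mode;
}

/* The umask approach: returns 0770 whatever the caller's umask was. */
int demo_umask_mode(void)
{
    char path[64];
    if (make_scratch_path(path, sizeof path) < 0) {
        return -1;
    }
    int fd = bind_unix_socket_with_mode(path, 0770);
    int mode = -1;
    if (fd >= 0) {
        mode = socket_path_mode(path);
        close(fd);
    }
    remove_scratch_path(path);
    return mode;
}

int main(void)
{
    printf("fchmod() on the fd:  %04o\n", demo_fchmod_on_fd_mode());
    printf("umask() around bind: %04o\n", demo_umask_mode());
    return 0;
}
```

Two caveats a daemon author should weigh: umask() is process-wide, so in a multithreaded program any file another thread creates during the bind() window inherits the tightened mask, and a chmod() on the path after bind() leaves a window in which the socket is reachable with whatever the umask allowed. Placing the socket in a parent directory that is itself 0770 removes the dependence on the mode of the socket entry altogether.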