[ovs-dev] [PATCH] ovsdb: Remove read permission of *.db from others

Mark Gray mark.d.gray at redhat.com
Wed Oct 14 12:44:03 UTC 2020


On 23/09/2020 21:48, Yi-Hung Wei wrote:
> Currently, when ovsdb *.db is created by ovsdb-tool it grants read
> permission to others.  This may incur security concerns, for example,
> IPsec Pre-shared keys are stored in ovs-vsitchd.conf.db.
> This patch addresses the concerns by removing permission for others.
> 
> Reported-by: Antonin Bas <abas at vmware.com>
> Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
> ---
>  ovsdb/log.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ovsdb/log.c b/ovsdb/log.c
> index 41af77679178..4a28fa3db6da 100644
> --- a/ovsdb/log.c
> +++ b/ovsdb/log.c
> @@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic,
>      if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) {
>          fd = dup(STDIN_FILENO);
>      } else {
> -        fd = open(name, flags, 0666);
> +        fd = open(name, flags, 0660);
>      }
>      if (fd < 0) {
>          const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create"
> 

I tested this and it works as expected. It also passes all the OVS
tests. It's definitely an issue as PSKs could indeed be in the the DB.
There may be unintended side-effects of this but I can't think of any
that would be legitimately need user RW permissions.

Acked-by: Mark Gray <mark.d.gray at redhat.com>



More information about the dev mailing list