[ovs-dev] [PATCH] ovsdb: Remove read permission of *.db from others

Yi-Hung Wei yihung.wei at gmail.com
Wed Sep 23 20:48:15 UTC 2020


Currently, when ovsdb *.db is created by ovsdb-tool it grants read
permission to others.  This may incur security concerns, for example,
IPsec Pre-shared keys are stored in ovs-vswitchd.conf.db.
This patch addresses the concerns by removing permission for others.

Reported-by: Antonin Bas <abas at vmware.com>
Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
---
 ovsdb/log.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ovsdb/log.c b/ovsdb/log.c
index 41af77679178..4a28fa3db6da 100644
--- a/ovsdb/log.c
+++ b/ovsdb/log.c
@@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic,
     if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) {
         fd = dup(STDIN_FILENO);
     } else {
-        fd = open(name, flags, 0666);
+        fd = open(name, flags, 0660);
     }
     if (fd < 0) {
         const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create"
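Review bot: the mode argument of `open()` only takes effect when the file is created with `O_CREAT`, so database files that already exist on disk keep their old 0666 (minus umask) permissions after this change; consider adding a NEWS or upgrade note telling operators to `chmod o-rw` existing *.db files, since the IPsec pre-shared keys the commit message mentions stay readable there. The hunk also drops the write bit for others (`0666` -> `0660`), which is a good thing but goes beyond the "read permission" the subject and commit message describe, so the summary should say that all access for others is removed. The effective mode remains subject to the process umask, which can only clear bits, so the worst case after this patch is group access being masked off as well.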
-- 
2.7.4