[ovs-dev] [PATCH] ovsdb: Remove read permission of *.db from others
Yi-Hung Wei
yihung.wei at gmail.com
Wed Sep 23 20:48:15 UTC 2020
Currently, when ovsdb *.db is created by ovsdb-tool it grants read
permission to others. This may incur security concerns, for example,
IPsec Pre-shared keys are stored in ovs-vswitchd.conf.db.

This patch addresses the concerns by removing permission for others.
Reported-by: Antonin Bas <abas at vmware.com>
Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
---
ovsdb/log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ovsdb/log.c b/ovsdb/log.c
index 41af77679178..4a28fa3db6da 100644
--- a/ovsdb/log.c
+++ b/ovsdb/log.c
@@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic,
if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) {
fd = dup(STDIN_FILENO);
} else {
- fd = open(name, flags, 0666);
+ fd = open(name, flags, 0660);
}
if (fd < 0) {
const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create"
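Review bot: the mode argument of open() in the changed line `fd = open(name, flags, 0660);` only takes effect when the call creates the file (the OVSDB_LOG_CREATE_EXCL path), so databases that already exist on disk keep whatever permissions they were created with, and the effective mode of new files is still 0660 masked by the process umask. The commit message should say that existing ovs-vswitchd.conf.db files need their permissions tightened separately (or an upgrade step should do it), otherwise the pre-shared keys the message is concerned about remain world-readable on upgraded hosts.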
--
2.7.4