[ovs-git] [openvswitch/ovs] 6069ed: lib: simplify daemon_become_new_user__()

GitHub noreply at github.com
Thu Nov 12 02:10:47 UTC 2015


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 6069edb0ea9c861d32016473a86d330f5ce60123
      https://github.com/openvswitch/ovs/commit/6069edb0ea9c861d32016473a86d330f5ce60123
  Author: Andy Zhou <azhou at nicira.com>
  Date:   2015-11-11 (Wed, 11 Nov 2015)

  Changed paths:
    M lib/daemon-unix.c
    M lib/daemon.man

  Log Message:
  -----------
  lib: simplify daemon_become_new_user__()

A global variable 'switch_user' was used to make sure
we switch the process's current user only once. This logic is now
simplified by testing for the uid directly; if the user switch has
taken place, the current uid will not be zero.

Signed-off-by: Andy Zhou <azhou at nicira.com>
Acked-by: Ansis Atteka <aatteka at nicira.com>


  Commit: 3de44dd188690763cfa8f08cf36c64ade0174501
      https://github.com/openvswitch/ovs/commit/3de44dd188690763cfa8f08cf36c64ade0174501
  Author: Andy Zhou <azhou at nicira.com>
  Date:   2015-11-11 (Wed, 11 Nov 2015)

  Changed paths:
    M include/openvswitch/vlog.h
    M lib/daemon-unix.c
    M lib/vlog.c

  Log Message:
  -----------
  vlog: change log file owner when switching user

The vlog log file can be created when parsing the --log-file option, before
switching user, in case the --user option is also specified. While this
does not directly cause errors for the running daemons, it can
leave the log files on disk as created under the "root" user.
This patch fixes the log file ownership to the user specified with --user.

Signed-off-by: Andy Zhou <azhou at nicira.com>
Acked-by: Ansis Atteka <aatteka at nicira.com>


  Commit: 2258d8b5d2099d7a2b56c8414e6d3bddc9b43f0f
      https://github.com/openvswitch/ovs/commit/2258d8b5d2099d7a2b56c8414e6d3bddc9b43f0f
  Author: Andy Zhou <azhou at nicira.com>
  Date:   2015-11-11 (Wed, 11 Nov 2015)

  Changed paths:
    M lib/socket-util-unix.c

  Log Message:
  -----------
  lib: allow group access to Unix domain sockets

By default, Unix domain sockets are created with file system permission
mode of 0700. This means that only processes that run under the same
user can access this socket.

For OVS, it may be more convenient to control access at the group
level rather than at the user level, since other processes need to
access OVSDB and UNIXCTL sockets while running under different users.

This patch changes Unix domain sockets' file system permission to 0770,
to grant group access.

It has not been an issue in the past since OVS, until very recently,
had to run as root. If a process needed to access OVSDB or UNIXCTL
sockets, it had to be a root process as well.

With the added --user option to OVS daemons and this change, system
administrators can deploy OVS more securely: OVS daemons can run as
a non-root user. Various processes that need to talk to OVS do not
have to run as root processes anymore.

Signed-off-by: Andy Zhou <azhou at nicira.com>
Acked-by: Ansis Atteka <aatteka at nicira.com>
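
The three commits above share one theme: run the daemons as a non-root user without leaving root-owned artifacts behind. What follows is an added example, written for this page and not taken from OVS or from the commits, that shows the same three pieces in one stand-alone C program: switching user at most once by testing the uid instead of a global flag, handing a log file created before the switch to the target user, and binding a Unix domain socket so that its inode ends up 0770. The function names (switch_user_once, chown_log_file, bind_unix_socket_group and the demo_* self-checks) and the /tmp paths are assumptions made for the example; the self-checks use constructed paths and only chown to the current user so they run unprivileged.

```c
/* Added example, not OVS code: hypothetical helpers for running a
 * daemon as a non-root user without root-owned leftovers. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* No global "already switched" flag: uid 0 means we are still root,
 * anything else means the drop has already happened (or never applied). */
bool user_already_switched(uid_t euid)
{
    return euid != 0;
}

/* Drop to uid/gid exactly once.  Returns 0 on success or when already
 * switched, -errno on failure.  setgid() must run before setuid():
 * once the uid is unprivileged the gid can no longer be changed. */
int switch_user_once(uid_t uid, gid_t gid)
{
    if (uid == 0) {
        return -EINVAL;           /* "switching" to root is not a drop */
    }
    if (user_already_switched(geteuid())) {
        return 0;
    }
    if (setgid(gid) < 0 || setuid(uid) < 0) {
        return -errno;
    }
    /* The drop must be irreversible: regaining uid 0 has to fail. */
    return setuid(0) == 0 ? -EPERM : 0;
}

/* A log file opened while still root stays root-owned on disk unless it
 * is handed to the target user at switch time. */
int chown_log_file(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid) < 0 ? -errno : 0;
}

/* Bind a Unix domain socket whose inode is 0770: the daemon's group may
 * connect, everyone else is refused by the filesystem.  Returns the fd
 * or -errno. */
int bind_unix_socket_group(const char *path)
{
    struct sockaddr_un sa;
    if (strlen(path) >= sizeof sa.sun_path) {
        return -ENAMETOOLONG;
    }
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return -errno;
    }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    unlink(path);                     /* stale socket from a prior run */

    /* bind() creates the file as 0777 & ~umask, so a 0007 umask gives
     * 0770; the explicit chmod closes the window in which another
     * thread could have changed the process-wide umask. */
    mode_t old_mask = umask(S_IRWXO);
    int rc = bind(fd, (struct sockaddr *) &sa, sizeof sa);
    umask(old_mask);
    if (rc < 0 || chmod(path, S_IRWXU | S_IRWXG) < 0) {
        int err = errno;
        close(fd);
        unlink(path);
        return -err;
    }
    return fd;
}

/* Permission bits (0..07777) of a path, or -errno. */
int path_mode_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -errno : (int) (st.st_mode & 07777);
}

/* Self-check with a constructed /tmp path: mode the socket ended up
 * with (0770 expected), cleaned up afterwards. */
int demo_group_socket_mode(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/ovs-demo-%ld.sock", (long) getpid());
    int fd = bind_unix_socket_group(path);
    if (fd < 0) {
        return fd;
    }
    int mode = path_mode_bits(path);
    close(fd);
    unlink(path);
    return mode;
}

/* Self-check for the log-file fix: create a file and hand it to our own
 * uid/gid, which needs no privilege.  Returns 0 on success. */
int demo_log_file_chown(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/ovs-demo-%ld.log", (long) getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) {
        return -errno;
    }
    close(fd);
    int rc = chown_log_file(path, getuid(), getgid());
    unlink(path);
    return rc;
}

int main(void)
{
    printf("socket mode: %04o\n", demo_group_socket_mode());
    printf("log chown:   %d\n", demo_log_file_chown());
    return 0;
}
```

Two caveats the commits do not spell out. With 0770 sockets, membership in the daemon's group becomes the access-control boundary for OVSDB and unixctl, so that group must be curated as carefully as root access used to be. And the order in the daemon matters: chown the log file and bind the sockets while still root (or at least before the switch is verified), then drop privileges once, so nothing created afterwards can be root-owned.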


Compare: https://github.com/openvswitch/ovs/compare/c4e34c6114bc...2258d8b5d209

