@@ -360,7 +360,7 @@ vlog_set_log_file(const char *file_name)
new_log_file_name = (file_name
? xstrdup(file_name)
: xasprintf("%s/%s.log", ovs_logdir(), program_name));
- new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0666);
+ new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0600);
if (new_log_fd < 0) {
VLOG_WARN("failed to open %s for logging: %s",
new_log_file_name, ovs_strerror(errno));
@@ -150,13 +150,14 @@ version_geq() {
install_dir () {
DIR="$1"
+ INSTALL_MODE="${2:-755}"
INSTALL_USER="root"
INSTALL_GROUP="root"
[ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
[ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
if test ! -d "$DIR"; then
- install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
+ install -d -m "$INSTALL_MODE" -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
restorecon "$DIR" >/dev/null 2>&1
fi
}
@@ -174,7 +175,7 @@ start_daemon () {
cd "$DAEMON_CWD"
# log file
- install_dir "$logdir"
+ install_dir "$logdir" "700"
set "$@" --log-file="$logdir/$daemon.log"
# pidfile and monitoring
@@ -201,7 +201,7 @@ esac
logdir=$(dirname "$log")
if test ! -d "$logdir"; then
- mkdir -p -m755 "$logdir" 2>/dev/null || true
+ mkdir -p -m700 "$logdir" 2>/dev/null || true
if test ! -d "$logdir"; then
echo "$0: log directory $logdir does not exist and cannot be created" >&2
exit 1
The Open vSwitch log directory and files are currently set world readable. However, since only Open vSwitch users and processes need to access this directory and files there is no need to allow the world to access them, since it can result in the exposure of sensitive information. Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> --- lib/vlog.c | 2 +- utilities/ovs-lib.in | 5 +++-- utilities/ovs-pki.in | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) I didn't change the MKDIR_P in automake.mk since it will be removed in https://patchwork.ozlabs.org/patch/737029/