From patchwork Sat Oct 10 08:10:50 2015
X-Patchwork-Submitter: Andy Zhou
X-Patchwork-Id: 528554
From: Andy Zhou
To: dev@openvswitch.org
Date: Sat, 10 Oct 2015 01:10:50 -0700
Subject: [ovs-dev] [PATCH] lib: allow group access to Unix domain sockets
Message-Id: <1444464650-29921-1-git-send-email-azhou@nicira.com>

By default, Unix domain sockets are created with a file system permission mode of 0700. Only processes belonging to the same user can access this socket. For OVS, it may be more convenient to control access at the group level rather than at the user level, since the processes that need to access OVSDB sockets or daemons' control sockets may not need the same permissions as the OVS daemons.

This patch changes Unix domain sockets' file system permission to 0770, opening up group access.

It has been an issue in the past since OVS, until very recently, had to run as root. If a process needs to access OVSDB, or OVS daemons' control sockets, it has to be a root process as well. With the added --user option to OVS daemons and this change, system administrators can deploy OVS more securely: OVS daemons can run as a non-root user. Various processes that need to talk to OVS do not have to be root processes either.
In fact, they can all run as different users, as long as they have sufficient rights to access OVS socket files. Signed-off-by: Andy Zhou --- lib/socket-util-unix.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c index afab195..1453384 100644 --- a/lib/socket-util-unix.c +++ b/lib/socket-util-unix.c @@ -349,6 +349,11 @@ make_unix_socket(int style, bool nonblock, } free_sockaddr_un(dirfd, linkname); + if (!error) { + /* Allow users with in the same group to connect. */ + error = chmod(bind_path, 0770); + } + if (error) { goto error; }
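Review bot: `error = chmod(bind_path, 0770);` stores chmod(2)'s -1/0 return value in `error`, while the code that follows (`if (error) { goto error; }`) treats `error` as an errno-style code that is presumably propagated to the caller; if that is the convention here, write `error = chmod(bind_path, 0770) ? errno : 0;` so the caller sees the real cause rather than -1. The new block also runs whenever `error` is zero, so if make_unix_socket can be reached without a bind path (a connect-only socket), guard it with `if (!error && bind_path)`. Minor: the comment should read "within the same group", and the mode is a hard-coded 0770 rather than derived from umask, which deserves a sentence in the commit message since administrators may expect umask to narrow it further.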