@@ -360,7 +360,7 @@ vlog_set_log_file(const char *file_name)
new_log_file_name = (file_name
? xstrdup(file_name)
: xasprintf("%s/%s.log", ovs_logdir(), program_name));
- new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0666);
+ new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0660);
if (new_log_fd < 0) {
VLOG_WARN("failed to open %s for logging: %s",
new_log_file_name, ovs_strerror(errno));
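Review bot: The 0660 passed to open() on the `+` line is only honoured when O_CREAT actually creates the file, so a log that already exists from an earlier run keeps its old mode, and even on creation the result is still masked by the daemon's umask; the change tightens new deployments but not upgrades. If existing logs are meant to be tightened too, an `fchmod(new_log_fd, 0660)` after the `new_log_fd < 0` check would make that explicit; otherwise a short comment on the open() call, `/* 0660: owner/group only; applies at creation, subject to umask */`, records the intent. Group readability also depends on which group the new file ends up in (the process's effective group, or the directory's group under setgid), not on this mode alone. vlog_set_log_file continues outside the hunk.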
@@ -231,7 +231,7 @@ rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
install -d -m 0755 $RPM_BUILD_ROOT%{_rundir}/openvswitch
-install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
+install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch
install -p -D -m 0644 \
@@ -150,13 +150,14 @@ version_geq() {
install_dir () {
DIR="$1"
+ INSTALL_MODE="${2:-755}"
INSTALL_USER="root"
INSTALL_GROUP="root"
[ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
[ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
if test ! -d "$DIR"; then
- install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
+ install -d -m "$INSTALL_MODE" -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
restorecon "$DIR" >/dev/null 2>&1
fi
}
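Review bot: INSTALL_MODE is used only inside the `test ! -d "$DIR"` branch, so a log directory that already exists from a previous release keeps its old 755 and is not tightened by the `"750"` that start_daemon passes in the next hunk; the `mkdir -p -m750` in the ovs-pki.in hunk has the same property, since mkdir's mode applies only to a directory it creates. If leaving existing directories alone is deliberate, say so on the new parameter: `# $2: octal mode used when the directory has to be created; an existing directory's mode is left unchanged.` Otherwise the upgrade path still leaves the logs world-readable and only a fresh install gets the new mode.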
@@ -174,7 +175,7 @@ start_daemon () {
cd "$DAEMON_CWD"
# log file
- install_dir "$logdir"
+ install_dir "$logdir" "750"
set "$@" --log-file="$logdir/$daemon.log"
# pidfile and monitoring
@@ -206,7 +206,7 @@ esac
logdir=$(dirname "$log")
if test ! -d "$logdir"; then
- mkdir -p -m755 "$logdir" 2>/dev/null || true
+ mkdir -p -m750 "$logdir" 2>/dev/null || true
if test ! -d "$logdir"; then
echo "$0: log directory $logdir does not exist and cannot be created" >&2
exit 1
The Open vSwitch log directory and files are currently world-readable. However, since only Open vSwitch users and processes need to access this directory and these files, there is no need to let everyone else read them: doing so can expose sensitive information. Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> --- Changes since v1: * Change spec file for commit 2f4f43bfddfd ("rhel: fix the fedora spec"). * Make logs group- as well as owner-readable. Please deprecate "[RFC] make logs readable only by owner" since subject has changed lib/vlog.c | 2 +- rhel/openvswitch-fedora.spec.in | 2 +- utilities/ovs-lib.in | 5 +++-- utilities/ovs-pki.in | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-)