diff mbox series

[ovs-dev] rhel: Use openvswitch user/group for the log directory

Message ID e58df0920ad5ce5aae73016e97441eef17eda484.1527068684.git.tredaelli@redhat.com
State Accepted
Series: [ovs-dev] rhel: Use openvswitch user/group for the log directory

Commit Message

Timothy Redaelli May 23, 2018, 1:46 p.m. UTC
Commit 94cd8383e297 ("rhel: fix log directory permissions") restored the
old 755 permission on /var/log/openvswitch and this can result in the
exposure of sensitive information.

Since commit f624bf23b62a ("rhel: user/group openvswitch does not exist")
moved the user/group creation to the %pre phase, it's now possible to change
the /var/log/openvswitch user/group to openvswitch:openvswitch and remove
the r/x bits for "other" again without having the "permission denied"
error when the logs are rotated.

CC: Aaron Conole <aconole@redhat.com>
Fixes: 94cd8383e297 ("rhel: fix log directory permissions")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Markos Chandras May 23, 2018, 2:52 p.m. UTC | #1
On 23/05/18 14:46, Timothy Redaelli wrote:
> Commit 94cd8383e297 ("rhel: fix log directory permissions") restored the
> old 755 permission on /var/log/openvswitch and this can result in the
> exposure of sensitive information.
> 
> Since commit f624bf23b62a ("rhel: user/group openvswitch does not exist")
> moved the user/group creation to the %pre phase, it's now possible to change
> the /var/log/openvswitch user/group to openvswitch:openvswitch and remove
> the r/x bits for "other" again without having the "permission denied"
> error when the logs are rotated.
> 
> CC: Aaron Conole <aconole@redhat.com>
> Fixes: 94cd8383e297 ("rhel: fix log directory permissions")
> Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> Acked-by: Aaron Conole <aconole@redhat.com>
> ---

Reviewed-by: Markos Chandras <mchandras@suse.de>
Ben Pfaff May 23, 2018, 8:21 p.m. UTC | #2
On Wed, May 23, 2018 at 03:52:04PM +0100, Markos Chandras wrote:
> On 23/05/18 14:46, Timothy Redaelli wrote:
> > Commit 94cd8383e297 ("rhel: fix log directory permissions") restored the
> > old 755 permission on /var/log/openvswitch and this can result in the
> > exposure of sensitive information.
> > 
> > Since commit f624bf23b62a ("rhel: user/group openvswitch does not exist")
> > moved the user/group creation to the %pre phase, it's now possible to change
> > the /var/log/openvswitch user/group to openvswitch:openvswitch and remove
> > the r/x bits for "other" again without having the "permission denied"
> > error when the logs are rotated.
> > 
> > CC: Aaron Conole <aconole@redhat.com>
> > Fixes: 94cd8383e297 ("rhel: fix log directory permissions")
> > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> > Acked-by: Aaron Conole <aconole@redhat.com>
> > ---
> 
> Reviewed-by: Markos Chandras <mchandras@suse.de>

Applied to master, thanks Timothy and Markos!

Patch

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 9462ce236..64a87a793 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -591,7 +591,7 @@  fi
 %endif
 %doc NOTICE README.rst NEWS rhel/README.RHEL.rst
 /var/lib/openvswitch
-%attr(755,-,-) /var/log/openvswitch
+%attr(750,openvswitch,openvswitch) /var/log/openvswitch
 %ghost %attr(755,root,root) %{_rundir}/openvswitch
 
 %files ovn-docker
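Review bot: the new `%attr(750,openvswitch,openvswitch) /var/log/openvswitch` line only governs the directory entry itself; log files that already exist from an earlier install with the 755 directory are not packaged files, so on upgrade they keep whatever mode and ownership they had, and the sensitive-information exposure the commit message describes persists for them until rotation replaces them. Consider a %post step that re-applies the intended mode to existing files, or at least verify that the logrotate `create` mode for these logs is consistent with the 750 directory so rotated files are not more permissive than the directory they live in. The ownership here also depends on the openvswitch user existing before the file list is installed, which the referenced f624bf23b62a %pre change provides; that ordering assumption is worth a one-line comment in the spec next to this entry.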