From patchwork Wed Nov 11 00:36:06 2015
X-Patchwork-Submitter: Andy Zhou
X-Patchwork-Id: 542677
From: Andy Zhou
To: dev@openvswitch.org
Date: Tue, 10 Nov 2015 16:36:06 -0800
Subject: [ovs-dev] [additional --user changes v3 3/3] lib: allow group access to Unix domain sockets
Message-Id: <1447202166-16842-3-git-send-email-azhou@nicira.com>
In-Reply-To: <1447202166-16842-1-git-send-email-azhou@nicira.com>
References: <1447202166-16842-1-git-send-email-azhou@nicira.com>

By default, Unix domain sockets are created with a file system permission mode of 0700. This means that only processes that run under the same user can access this socket. For OVS, it may be more convenient to control access at the group level rather than at the user level, since other processes need to access OVSDB and UNIXCTL sockets while running under different users. This patch changes Unix domain sockets' file system permission to 0770, to grant group access.

It has not been an issue in the past since OVS, until very recently, had to run as root. If a process needed to access OVSDB or UNIXCTL sockets, it had to be a root process as well.
With the added --user option to OVS daemons and this change, system administrators can deploy OVS more securely: OVS daemons can run as a non-root user. Various processes that need to talk to OVS do not have to run as root processes anymore.

Signed-off-by: Andy Zhou
---
v1->v2: Move the permission change from make_unix_socket() to bind_unix_socket().
---
 lib/socket-util-unix.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c index afab195..32f966d 100644 --- a/lib/socket-util-unix.c +++ b/lib/socket-util-unix.c @@ -259,10 +259,10 @@ free_sockaddr_un(int dirfd, const char *linkname) } /* Binds Unix domain socket 'fd' to a file with permissions 0700. */ -static int -bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len) +static int bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len) { - const mode_t mode = 0700; + const mode_t mode = 0770; /* Allow both user and group access. */ + if (LINUX) { /* On Linux, the fd's permissions become the file's permissions. * fchmod() does not affect other files, like umask() does. */
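Review bot: The comment directly above bind_unix_socket(), "Binds Unix domain socket 'fd' to a file with permissions 0700.", is left stale by this hunk, which changes the mode constant to 0770; update it to say 0770 (user and group). The same hunk also folds the two-line definition "static int" / "bind_unix_socket(...)" into a single line, an unrelated style change that accounts for one of the three insertions in the diffstat; keep the return type on its own line as the removed lines had it, so the diff is only the permission change. The changelog below the Signed-off-by still reads v1->v2 although the subject says v3, so the v3 changes are undocumented.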
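The mechanism the hunk relies on, shown as an added example that is not part of the patch or of OVS's own code: fchmod() on the socket fd before bind(), followed by a stat() of the created file to check which permission bits the group actually received under a given umask. The function names, the /tmp socket path and the umask values are constructed for this demonstration, and the fchmod()-on-a-socket behaviour assumed here is Linux-specific.

```c
#define _DEFAULT_SOURCE            /* fchmod(), umask() under strict -std */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind 'fd' to 'path' so the socket file is created with 'mode'.  On Linux
 * the socket fd's permissions become the file's permissions, so fchmod()
 * before bind() sets them without touching other files the way umask() would. */
static int
bind_unix_socket_mode(int fd, const char *path, mode_t mode)
{
    struct sockaddr_un sun;
    if (strlen(path) >= sizeof sun.sun_path) {
        return ENAMETOOLONG;
    }
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strcpy(sun.sun_path, path);
    unlink(path);                      /* drop a stale socket file */
    if (fchmod(fd, mode)) {
        return errno;
    }
    /* Must follow fchmod(): bind() is what creates the file. */
    return bind(fd, (struct sockaddr *) &sun, sizeof sun) ? errno : 0;
}

/* Create a socket at 'path' with 'mode' while the umask is 'mask' and return
 * the permission bits the file actually got (-1 on error).  The kernel still
 * applies the umask, so 0770 under umask 022 becomes 0750: check the deployed host. */
static int
socket_file_mode(const char *path, mode_t mode, mode_t mask)
{
    struct stat st;
    mode_t old_mask = umask(mask);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int result = -1;

    if (fd >= 0 && !bind_unix_socket_mode(fd, path, mode) && !stat(path, &st)) {
        result = st.st_mode & 0777;
    }
    umask(old_mask);
    if (fd >= 0) {
        close(fd);
    }
    unlink(path);
    return result;
}
```

With a daemon umask of 022 the group ends up with read and execute only, which is why a --user deployment that relies on group access should also check the umask the daemon starts with.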