diff mbox series

[ovs-dev] ovsdb: Remove read permission of *.db from others

Message ID 1600894095-96196-1-git-send-email-yihung.wei@gmail.com
State New
Headers show
Series [ovs-dev] ovsdb: Remove read permission of *.db from others | expand

Commit Message

Yi-Hung Wei Sept. 23, 2020, 8:48 p.m. UTC
Currently, when ovsdb *.db is created by ovsdb-tool it grants read
permission to others.  This may incur security concerns, for example,
IPsec Pre-shared keys are stored in ovs-vsitchd.conf.db.
This patch addresses the concerns by removing permission for others.

Reported-by: Antonin Bas <abas@vmware.com>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
 ovsdb/log.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Mark Gray Oct. 14, 2020, 12:44 p.m. UTC | #1
On 23/09/2020 21:48, Yi-Hung Wei wrote:
> Currently, when ovsdb *.db is created by ovsdb-tool it grants read
> permission to others.  This may incur security concerns, for example,
> IPsec Pre-shared keys are stored in ovs-vsitchd.conf.db.
> This patch addresses the concerns by removing permission for others.
> 
> Reported-by: Antonin Bas <abas@vmware.com>
> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
> ---
>  ovsdb/log.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ovsdb/log.c b/ovsdb/log.c
> index 41af77679178..4a28fa3db6da 100644
> --- a/ovsdb/log.c
> +++ b/ovsdb/log.c
> @@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic,
>      if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) {
>          fd = dup(STDIN_FILENO);
>      } else {
> -        fd = open(name, flags, 0666);
> +        fd = open(name, flags, 0660);
>      }
>      if (fd < 0) {
>          const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create"
> 

I tested this and it works as expected. It also passes all the OVS
tests. It's definitely an issue as PSKs could indeed be in the the DB.
There may be unintended side-effects of this but I can't think of any
that would be legitimately need user RW permissions.

Acked-by: Mark Gray <mark.d.gray@redhat.com>
diff mbox series

Patch

diff --git a/ovsdb/log.c b/ovsdb/log.c
index 41af77679178..4a28fa3db6da 100644
--- a/ovsdb/log.c
+++ b/ovsdb/log.c
@@ -212,7 +212,7 @@  ovsdb_log_open(const char *name, const char *magic,
     if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) {
         fd = dup(STDIN_FILENO);
     } else {
-        fd = open(name, flags, 0666);
+        fd = open(name, flags, 0660);
     }
     if (fd < 0) {
         const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create"