The openvswitch useropts file is being stored in a directory where the openvswitch user has write permissions. The openvswitch user can then manipulate the file to change the user under which the switchd daemon runs.
This patch changes the file to /var/openvswitch.useropts preventing any manipulation. Signed-off-by: Jaime Caamaño Ruiz <[email protected]> --- rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 2 +- rhel/usr_lib_systemd_system_ovsdb-server.service | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in index edd76493c..87abe3a89 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in @@ -14,7 +14,7 @@ Restart=on-failure Environment=XDG_RUNTIME_DIR=/var/run/openvswitch EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch -EnvironmentFile=-/run/openvswitch/useropts +EnvironmentFile=-/run/openvswitch.useropts LimitSTACK=2M @begin_dpdk@ ExecStartPre=-/bin/sh -c '/usr/bin/chown :$${OVS_USER_ID##*:} /dev/hugepages' diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index 41ac2dded..d4b605a75 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service +++ b/rhel/usr_lib_systemd_system_ovsdb-server.service 
@@ -12,8 +12,8 @@ Restart=on-failure EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch -ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi' -EnvironmentFile=-/run/openvswitch/useropts +ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi' +EnvironmentFile=-/run/openvswitch.useropts ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovs-vswitchd --no-monitor --system-id=random \ ${OVSUSER} \ -- 2.16.4 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
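Review bot: the commit message says the file moves to /var/openvswitch.useropts, but the `EnvironmentFile=-/run/openvswitch.useropts` line in the ovs-vswitchd.service.in hunk (and the matching line in ovsdb-server.service) uses /run; please fix the message to match the diff, since /run is the path the ExecStartPre actually writes. It would also help to say in the message why the new location is safe: /run itself stays root-owned, whereas /run/openvswitch is handed to the service user by the `chown ${OVS_USER_ID} /var/run/openvswitch` in ovsdb-server.service, which is what made the old file replaceable.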
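Review bot: ovs-vswitchd.service reads a file that only the rewritten ExecStartPre in ovsdb-server.service creates, so the fix still depends on unit ordering; the hunk does not show the [Unit] section of either file, so please confirm ovs-vswitchd.service orders itself after ovsdb-server.service (the old /run/openvswitch/useropts path had the same dependency). The `rm -f` before the redirect is fine because root is the only writer in /run, but a stale /run/openvswitch/useropts left by a previous version is no longer cleaned up on upgrade; it is harmless since nothing reads it any more, though a one-time `rm -f /run/openvswitch/useropts` in the same ExecStartPre would avoid leaving a user-writable file with a misleading name behind.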
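As an added example (not part of this patch or of Open vSwitch), a checker for the class of bug the commit message describes: an EnvironmentFile= that systemd reads as root but whose directory the service user can write. The check walks from the file up to `/` and reports every inode the service user could write using plain POSIX mode bits, because a writable ancestor directory is enough to unlink and recreate the file even when the file itself is root-owned 0644. It assumes no ACLs or capabilities and a non-root service user; since the demo runs unprivileged, it emulates the chowned directory with an o+w mode instead of chown, and the unit text, paths and file contents in `run_demo` are constructed.

```python
"""Audit systemd EnvironmentFile= paths for a service-user write window (added example)."""
import os
import re
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple

ENV_FILE_RE = re.compile(r"^\s*EnvironmentFile=(-?)(\S+)\s*$")


def environment_files(unit_text: str) -> List[str]:
    """Paths named by EnvironmentFile= lines; the optional leading '-' is dropped."""
    return [m.group(2) for m in map(ENV_FILE_RE.match, unit_text.splitlines()) if m]


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """Mode-bit answer to 'can (uid, gid) write this inode?' (no ACLs, root not special-cased)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def write_window(path: str, uid: int, gid: int) -> List[Tuple[str, str]]:
    """(path, reason) for every component of `path` that (uid, gid) can rewrite or replace."""
    findings: List[Tuple[str, str]] = []
    child = os.path.abspath(path)
    child_st: Optional[os.stat_result]
    try:
        child_st = os.stat(child)
    except FileNotFoundError:
        child_st = None  # EnvironmentFile=- tolerates a missing file; the parents still matter
    if child_st is not None and writable_by(child_st, uid, gid):
        findings.append((child, "file itself is writable (%s)" % stat.filemode(child_st.st_mode)))
    while child != "/":
        parent = os.path.dirname(child)
        pst = os.stat(parent)
        if writable_by(pst, uid, gid):
            sticky = bool(pst.st_mode & stat.S_ISVTX)
            # In a sticky directory only the entry's owner (or the directory owner) may
            # unlink/rename an existing entry; a missing entry can be created by anyone.
            if not sticky or pst.st_uid == uid or child_st is None or child_st.st_uid == uid:
                findings.append((parent, "directory is writable, so %s can be replaced" % child))
        child, child_st = parent, pst
    return findings


def run_demo(uid: Optional[int] = None, gid: Optional[int] = None) -> dict:
    """Constructed layout: 'old' mirrors /run/openvswitch/useropts with the directory writable
    by the service user (emulated with o+w, not chown); 'new' mirrors /run/openvswitch.useropts
    sitting in a 0755 directory owned by someone else.  Returns the findings for both."""
    if uid is None:
        uid = os.getuid() + 1  # an identity that owns nothing we create here
    if gid is None:
        gid = os.getgid() + 1
    base = tempfile.mkdtemp(prefix="useropts-audit-")
    try:
        os.chmod(base, 0o755)
        old_dir = os.path.join(base, "openvswitch")
        os.mkdir(old_dir)
        os.chmod(old_dir, 0o777)  # stands in for 'chown ${OVS_USER_ID} /var/run/openvswitch'
        old_file = os.path.join(old_dir, "useropts")
        new_file = os.path.join(base, "openvswitch.useropts")
        for p in (old_file, new_file):
            with open(p, "w") as fh:
                fh.write("OVSUSER=--ovs-user=openvswitch:openvswitch\n")  # constructed content
            os.chmod(p, 0o644)  # the file itself looks safe in both layouts
        unit = "EnvironmentFile=-%s\nEnvironmentFile=-%s\n" % (old_file, new_file)
        old, new = (write_window(p, uid, gid) for p in environment_files(unit))
        return {"base": base, "old": old, "new": new}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, found in run_demo().items():
        if label != "base":
            print(label, found or "no write window")
```

Only findings under the demo's own directory are meaningful; anything reported above it (for example a non-sticky world-writable parent of the temp directory) is a real property of the host and is reported on purpose.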
