Non-root users can use ovs-vsctl, but the following security problem may exist. /usr/share/openvswitch/scripts/ovs-ctl calls ovs-appctl, ovs-vsctl, etc., and ovs-ctl is called by the OVS service as root. In this case, the following path of attack exists:

1. A non-root user tampers with the contents of ovs-vsctl so that it executes arbitrary bash commands, such as `reboot`;
2. When the ovs-ctl script is called by the OVS service as root, the ovs-vsctl command is executed, and the reboot is triggered.

Originally, non-root users are not entitled to execute reboot, but through this attack it can be successfully executed, so there is a risk of privilege escalation.
Thanks

From: Vasu Dasari [mailto:[email protected]]
Sent: Monday, February 22, 2021 11:13 PM
To: wangyunjian <[email protected]>
Cc: [email protected]; [email protected]; dingxiaoxiong <[email protected]>; Wangqian (Euler) <[email protected]>; chenchanghu <[email protected]>
Subject: Re: [ovs-dev] Does the OVS command line support on-root users?

You should be able to use ovs-vsctl commands as non-root users on a vswitch started as a non-root user. For example, you can look at how any of the unit test cases are executed in ovs/tests/ofproto.at. For example, you can run one of the test cases as:

$ cd $ovs_src_dir
$ make check TESTSUITEFLAGS='-k "ofproto - echo request"'

Vasu Dasari

On Mon, Feb 22, 2021 at 3:49 AM wangyunjian <[email protected]> wrote:

Hi all:

I have a question to consult: I see that the OVS daemon has been supported to run as non-root since 2015 with the patch "lib/daemon: support --user option for all OVS daemon". I would like to know whether the openvswitch command line tools such as ovs-vsctl/ovs-appctl will be called as non-root in any plan, and is there any consideration for calling them as root at present?

Thanks

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
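A defender's check for the path described at the top of the thread (a root-run ovs-ctl executing a helper that a non-root user was able to modify), as an added example that is not code from the thread or from Open vSwitch: it audits whether the helpers ovs-ctl invokes are root-owned and writable only by their owner. Only the ovs-ctl path comes from the thread; the /usr/bin helper paths, the OVS_HELPERS override and the use of GNU stat -c are assumptions.

```shell
#!/bin/sh
# Added example (not Open vSwitch code): audit the helpers that a root-run
# ovs-ctl executes. A helper that a non-root user can replace lets that user
# run commands as root, which is the risk described in the thread.
# Assumed: the /usr/bin paths, the OVS_HELPERS override, GNU stat -c.

# Files a root-run ovs-ctl invokes; only the ovs-ctl path is from the thread.
OVS_HELPERS="${OVS_HELPERS:-/usr/share/openvswitch/scripts/ovs-ctl /usr/bin/ovs-vsctl /usr/bin/ovs-appctl}"

# audit_helper FILE [EXPECTED_UID]
# Returns 0 when FILE is a regular file owned by EXPECTED_UID (default 0,
# root) and writable by neither group nor others. Otherwise it prints the
# reason and returns 1.
audit_helper() {
    f=$1
    want_uid=${2:-0}
    if [ ! -f "$f" ]; then
        echo "FAIL $f: missing or not a regular file"
        return 1
    fi
    uid=$(stat -c '%u' "$f")
    mode=$(stat -c '%A' "$f")            # symbolic mode, e.g. -rwxr-xr-x
    gw=$(printf '%s' "$mode" | cut -c6)  # group write bit ('w' or '-')
    ow=$(printf '%s' "$mode" | cut -c9)  # other write bit ('w' or '-')
    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $f: owned by uid $uid, expected uid $want_uid"
        status=1
    fi
    if [ "$gw" != "-" ] || [ "$ow" != "-" ]; then
        echo "FAIL $f: writable by group or others ($mode)"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK   $f ($mode, uid $uid)"
    fi
    return "$status"
}

# audit_all [EXPECTED_UID]: audit every helper in OVS_HELPERS; returns 1 if
# any of them could be replaced by a user other than EXPECTED_UID.
audit_all() {
    rc=0
    for f in $OVS_HELPERS; do
        audit_helper "$f" "${1:-0}" || rc=1
    done
    return "$rc"
}

# Stand-alone run: audit the installed helpers against root ownership.
if audit_all; then echo "all helpers OK"; else echo "audit found issues"; fi
```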
