Re: [ovs-dev] Wrong unix socket file permissions

Wed, 25 Jan 2023 08:17:13 -0800 

On 1/25/23 16:15, Vladislav Odintsov wrote:
> Hi,
> 
> I’m a bit confused about linux unix socket files permissions, created by ovs 
> daemons.
> 
> From source code [0] I see it sets 0770 fchmod on file descriptor prior to 
> socket bind(), assuming that sock file when creates will inherit FD’s 
> permissions. So, I expect that after unix socket files created, they have 
> rwxrwx--- permissions.
> 
> However if running, for instance, ovsdb-server as root, it seems that this 
> fchmod() call has no effect. Instead default root umask (0022) seems to be 
> used:
> 
> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock 
> /etc/openvswitch/ovs.db
> # ls -l /var/run/openvswitch/ovs.sock
> srwxr-x--- 1 root root 0 Jan 25 17:48 /var/run/openvswitch/ovs.sock

The requested mode and umask are both effective.
The result is (mode & ~umask).  In your case:

0770 & ~0022 = 0750, i.e. rwxr-x---

> 
> If switch user to non-root (default umask 0002):
> 
> $ ovsdb-server --remote punix://$(pwd)/ovs.sock --unixctl=$(pwd)/ctl.sock 
> ./ovs.db
> $ ls -l ovs.sock
> srwxrwx--- 1 vlodintsov vlodintsov 0 Jan 25 17:42 ovs.sock

0770 & ~0002 = 0770

> 
> If running as root, passing desired user as an argument to ovsdb-server, it 
> still has the same as just root behaviour:
> 
> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock 
> /etc/openvswitch/ovs.db --user openvswitch:openvswitch
> # ls -l /var/run/openvswitch/ovs.sock
> srwxr-x--- 1 openvswitch openvswitch 0 Jan 25 17:47 
> /var/run/openvswitch/ovs.sock
> 
> 
> This line of code [0] is quite old (about 8 years), so what am I doing wrong?
> Is it possible to make socket writable by group without extenal call chmod 
> 0770 <path_to_socket> ?
Process has inherited umask from the current shell, i.e. the parent
process.  umask is not a property of a user, it is typically set for
a shell session in bashrc or /etc/profile.

OVS has no way to know what is the desired umask for the user we're
switching to.  So, it remains the same as it was.

Changing the umask for a current shell before starting the process
should help, e.g.

(umask 0002 && \
 ovsdb-server --remote punix:$(pwd)/ovs.sock /etc/openvswitch/ovs.db \
              --user openvswitch:openvswitch)

Best regards, Ilya Maximets.

> 
> 0: https://github.com/openvswitch/ovs/blob/v2.17.5/lib/socket-util-unix.c#L264
> 
> Regards,
> Vladislav Odintsov

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to