On 1/25/23 17:35, Vladislav Odintsov wrote: > > > Regards, > Vladislav Odintsov > >> On 25 Jan 2023, at 19:16, Ilya Maximets <[email protected]> wrote: >> >> On 1/25/23 16:15, Vladislav Odintsov wrote: >>> Hi, >>> >>> I’m a bit confused about linux unix socket files permissions, created by >>> ovs daemons. >>> >>> From source code [0] I see it sets 0770 fchmod on file descriptor prior to >>> socket bind(), assuming that sock file when creates will inherit FD’s >>> permissions. So, I expect that after unix socket files created, they have >>> rwxrwx--- permissions. >>> >>> However if running, for instance, ovsdb-server as root, it seems that this >>> fchmod() call has no effect. Instead default root umask (0022) seems to be >>> used: >>> >>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock >>> /etc/openvswitch/ovs.db >>> # ls -l /var/run/openvswitch/ovs.sock >>> srwxr-x--- 1 root root 0 Jan 25 17:48 /var/run/openvswitch/ovs.sock >> >> The requested mode and umask are both effective. >> The result is (mode & ~umask). In your case: >> >> 0770 & ~0022 = 0750, i.e. rwxr-x--- >> >>> >>> If switch user to non-root (default umask 0002): >>> >>> $ ovsdb-server --remote punix://$(pwd)/ovs.sock --unixctl=$(pwd)/ctl.sock >>> ./ovs.db >>> $ ls -l ovs.sock >>> srwxrwx--- 1 vlodintsov vlodintsov 0 Jan 25 17:42 ovs.sock >> >> 0770 & ~0002 = 0770 >> >>> >>> If running as root, passing desired user as an argument to ovsdb-server, it >>> still has the same as just root behaviour: >>> >>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock >>> /etc/openvswitch/ovs.db --user openvswitch:openvswitch >>> # ls -l /var/run/openvswitch/ovs.sock >>> srwxr-x--- 1 openvswitch openvswitch 0 Jan 25 17:47 >>> /var/run/openvswitch/ovs.sock >>> >>> >>> This line of code [0] is quite old (about 8 years), so what am I doing >>> wrong? >>> Is it possible to make socket writable by group without extenal call chmod >>> 0770 <path_to_socket> ? >> Process has inherited umask from the current shell, i.e. the parent >> process. umask is not a property of a user, it is typically set for >> a shell session in bashrc or /etc/profile. >> >> OVS has no way to know what is the desired umask for the user we're >> switching to. So, it remains the same as it was. >> >> Changing the umask for a current shell before starting the process >> should help, e.g. >> >> (umask 0002 && \ >> ovsdb-server --remote punix:$(pwd)/ovs.sock /etc/openvswitch/ovs.db \ >> --user openvswitch:openvswitch) > > So, if we use systemd service unit provided by ovs repo, we should edit > .service file? > Or maybe there is any other option for that?
I don't think there is a way to change umask of a running process from outside of that process. So something will need to be modified. It can be a service file (UMask=...), or an ovs-ctl script or the code of the daemons themselves. > >> >> Best regards, Ilya Maximets. >> >>> >>> 0: >>> https://github.com/openvswitch/ovs/blob/v2.17.5/lib/socket-util-unix.c#L264 >>> >>> Regards, >>> Vladislav Odintsov >> > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
