What do you thing about setting umask in ovs-ctl script?
I seems to be quite usable (it will work find with systemd and also with direct
invocation of ovs-ctl script):
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index e6e07f476..3c59469c4 100644
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -544,6 +544,7 @@ do
done
case $command in
start)
+ umask 0002
start_ovsdb || exit 1
start_forwarding || exit 1
add_managers
> On 26 Jan 2023, at 14:30, Ilya Maximets <[email protected]> wrote:
>
> On 1/25/23 17:35, Vladislav Odintsov wrote:
>>
>>
>> Regards,
>> Vladislav Odintsov
>>
>>> On 25 Jan 2023, at 19:16, Ilya Maximets <[email protected]> wrote:
>>>
>>> On 1/25/23 16:15, Vladislav Odintsov wrote:
>>>> Hi,
>>>>
>>>> I’m a bit confused about linux unix socket files permissions, created by
>>>> ovs daemons.
>>>>
>>>> From source code [0] I see it sets 0770 fchmod on file descriptor prior to
>>>> socket bind(), assuming that sock file when creates will inherit FD’s
>>>> permissions. So, I expect that after unix socket files created, they have
>>>> rwxrwx--- permissions.
>>>>
>>>> However if running, for instance, ovsdb-server as root, it seems that this
>>>> fchmod() call has no effect. Instead default root umask (0022) seems to be
>>>> used:
>>>>
>>>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock
>>>> /etc/openvswitch/ovs.db
>>>> # ls -l /var/run/openvswitch/ovs.sock
>>>> srwxr-x--- 1 root root 0 Jan 25 17:48 /var/run/openvswitch/ovs.sock
>>>
>>> The requested mode and umask are both effective.
>>> The result is (mode & ~umask). In your case:
>>>
>>> 0770 & ~0022 = 0750, i.e. rwxr-x---
>>>
>>>>
>>>> If switch user to non-root (default umask 0002):
>>>>
>>>> $ ovsdb-server --remote punix://$(pwd)/ovs.sock --unixctl=$(pwd)/ctl.sock
>>>> ./ovs.db
>>>> $ ls -l ovs.sock
>>>> srwxrwx--- 1 vlodintsov vlodintsov 0 Jan 25 17:42 ovs.sock
>>>
>>> 0770 & ~0002 = 0770
>>>
>>>>
>>>> If running as root, passing desired user as an argument to ovsdb-server,
>>>> it still has the same as just root behaviour:
>>>>
>>>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock
>>>> /etc/openvswitch/ovs.db --user openvswitch:openvswitch
>>>> # ls -l /var/run/openvswitch/ovs.sock
>>>> srwxr-x--- 1 openvswitch openvswitch 0 Jan 25 17:47
>>>> /var/run/openvswitch/ovs.sock
>>>>
>>>>
>>>> This line of code [0] is quite old (about 8 years), so what am I doing
>>>> wrong?
>>>> Is it possible to make socket writable by group without extenal call chmod
>>>> 0770 <path_to_socket> ?
>>> Process has inherited umask from the current shell, i.e. the parent
>>> process. umask is not a property of a user, it is typically set for
>>> a shell session in bashrc or /etc/profile.
>>>
>>> OVS has no way to know what is the desired umask for the user we're
>>> switching to. So, it remains the same as it was.
>>>
>>> Changing the umask for a current shell before starting the process
>>> should help, e.g.
>>>
>>> (umask 0002 && \
>>> ovsdb-server --remote punix:$(pwd)/ovs.sock /etc/openvswitch/ovs.db \
>>> --user openvswitch:openvswitch)
>>
>> So, if we use systemd service unit provided by ovs repo, we should edit
>> .service file?
>> Or maybe there is any other option for that?
>
> I don't think there is a way to change umask of a running process
> from outside of that process. So something will need to be modified.
> It can be a service file (UMask=...), or an ovs-ctl script or the
> code of the daemons themselves.
>
>>
>>>
>>> Best regards, Ilya Maximets.
>>>
>>>>
>>>> 0:
>>>> https://github.com/openvswitch/ovs/blob/v2.17.5/lib/socket-util-unix.c#L264
>>>>
>>>> Regards,
>>>> Vladislav Odintsov
>>>
>>
>
> _______________________________________________
> dev mailing list
> [email protected] <mailto:[email protected]>
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Regards,
Vladislav Odintsov
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
