On 1/27/23 10:25, Vladislav Odintsov wrote: > What do you thing about setting umask in ovs-ctl script? > I seems to be quite usable (it will work find with systemd and also with > direct invocation of ovs-ctl script): > > diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in > index e6e07f476..3c59469c4 100644 > --- a/utilities/ovs-ctl.in > +++ b/utilities/ovs-ctl.in > @@ -544,6 +544,7 @@ do > done > case $command in > start) > + umask 0002 > start_ovsdb || exit 1 > start_forwarding || exit 1 > add_managers
Setting umask in the script is fine, but it has to be opt-in, otherwise it might be a security concern. I guess, we could add another argument to the script. Something like --ovs-umask=XXXX. Similar to existing --ovs-user. Best regards, Ilya Maximets. > >> On 26 Jan 2023, at 14:30, Ilya Maximets <[email protected]> wrote: >> >> On 1/25/23 17:35, Vladislav Odintsov wrote: >>> >>> >>> Regards, >>> Vladislav Odintsov >>> >>>> On 25 Jan 2023, at 19:16, Ilya Maximets <[email protected]> wrote: >>>> >>>> On 1/25/23 16:15, Vladislav Odintsov wrote: >>>>> Hi, >>>>> >>>>> I’m a bit confused about linux unix socket files permissions, created by >>>>> ovs daemons. >>>>> >>>>> From source code [0] I see it sets 0770 fchmod on file descriptor prior >>>>> to socket bind(), assuming that sock file when creates will inherit FD’s >>>>> permissions. So, I expect that after unix socket files created, they have >>>>> rwxrwx--- permissions. >>>>> >>>>> However if running, for instance, ovsdb-server as root, it seems that >>>>> this fchmod() call has no effect. Instead default root umask (0022) seems >>>>> to be used: >>>>> >>>>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock >>>>> /etc/openvswitch/ovs.db >>>>> # ls -l /var/run/openvswitch/ovs.sock >>>>> srwxr-x--- 1 root root 0 Jan 25 17:48 /var/run/openvswitch/ovs.sock >>>> >>>> The requested mode and umask are both effective. >>>> The result is (mode & ~umask). In your case: >>>> >>>> 0770 & ~0022 = 0750, i.e. rwxr-x--- >>>> >>>>> >>>>> If switch user to non-root (default umask 0002): >>>>> >>>>> $ ovsdb-server --remote punix://$(pwd)/ovs.sock --unixctl=$(pwd)/ctl.sock >>>>> ./ovs.db >>>>> $ ls -l ovs.sock >>>>> srwxrwx--- 1 vlodintsov vlodintsov 0 Jan 25 17:42 ovs.sock >>>> >>>> 0770 & ~0002 = 0770 >>>> >>>>> >>>>> If running as root, passing desired user as an argument to ovsdb-server, >>>>> it still has the same as just root behaviour: >>>>> >>>>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock >>>>> /etc/openvswitch/ovs.db --user openvswitch:openvswitch >>>>> # ls -l /var/run/openvswitch/ovs.sock >>>>> srwxr-x--- 1 openvswitch openvswitch 0 Jan 25 17:47 >>>>> /var/run/openvswitch/ovs.sock >>>>> >>>>> >>>>> This line of code [0] is quite old (about 8 years), so what am I doing >>>>> wrong? >>>>> Is it possible to make socket writable by group without extenal call >>>>> chmod 0770 <path_to_socket> ? >>>> Process has inherited umask from the current shell, i.e. the parent >>>> process. umask is not a property of a user, it is typically set for >>>> a shell session in bashrc or /etc/profile. >>>> >>>> OVS has no way to know what is the desired umask for the user we're >>>> switching to. So, it remains the same as it was. >>>> >>>> Changing the umask for a current shell before starting the process >>>> should help, e.g. >>>> >>>> (umask 0002 && \ >>>> ovsdb-server --remote punix:$(pwd)/ovs.sock /etc/openvswitch/ovs.db \ >>>> --user openvswitch:openvswitch) >>> >>> So, if we use systemd service unit provided by ovs repo, we should edit >>> .service file? >>> Or maybe there is any other option for that? >> >> I don't think there is a way to change umask of a running process >> from outside of that process. So something will need to be modified. >> It can be a service file (UMask=...), or an ovs-ctl script or the >> code of the daemons themselves. >> >>> >>>> >>>> Best regards, Ilya Maximets. >>>> >>>>> >>>>> 0: >>>>> https://github.com/openvswitch/ovs/blob/v2.17.5/lib/socket-util-unix.c#L264 >>>>> >>>>> <https://github.com/openvswitch/ovs/blob/v2.17.5/lib/socket-util-unix.c#L264> >>>>> >>>>> Regards, >>>>> Vladislav Odintsov >>>> >>> >> >> _______________________________________________ >> dev mailing list >> [email protected] <mailto:[email protected]> >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev >> <https://mail.openvswitch.org/mailman/listinfo/ovs-dev> > > > Regards, > Vladislav Odintsov > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
