I’ve sent a patch [0], please take a look at it when you have time.

0: https://patchwork.ozlabs.org/project/openvswitch/patch/[email protected]/

> On 27 Jan 2023, at 13:14, Ilya Maximets <[email protected]> wrote:
>
> On 1/27/23 10:25, Vladislav Odintsov wrote:
>> What do you think about setting umask in the ovs-ctl script?
>> It seems to be quite usable (it will work fine with systemd and also with
>> direct invocation of the ovs-ctl script):
>>
>> diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
>> index e6e07f476..3c59469c4 100644
>> --- a/utilities/ovs-ctl.in
>> +++ b/utilities/ovs-ctl.in
>> @@ -544,6 +544,7 @@ do
>> done
>> case $command in
>> start)
>> + umask 0002
>> start_ovsdb || exit 1
>> start_forwarding || exit 1
>> add_managers
>
> Setting umask in the script is fine, but it has to be opt-in, otherwise
> it might be a security concern.  I guess, we could add another argument
> to the script.  Something like --ovs-umask=XXXX.  Similar to existing
> --ovs-user.
>
> Best regards, Ilya Maximets.
>
>>
>>> On 26 Jan 2023, at 14:30, Ilya Maximets <[email protected]> wrote:
>>>
>>> On 1/25/23 17:35, Vladislav Odintsov wrote:
>>>>
>>>> Regards,
>>>> Vladislav Odintsov
>>>>
>>>>> On 25 Jan 2023, at 19:16, Ilya Maximets <[email protected]> wrote:
>>>>>
>>>>> On 1/25/23 16:15, Vladislav Odintsov wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I’m a bit confused about Linux unix socket file permissions, created by
>>>>>> ovs daemons.
>>>>>>
>>>>>> From the source code [0] I see it sets 0770 with fchmod on the file descriptor prior
>>>>>> to socket bind(), assuming that the sock file, when created, will inherit the FD’s
>>>>>> permissions. So, I expect that after unix socket files are created, they
>>>>>> have rwxrwx--- permissions.
>>>>>>
>>>>>> However, if running, for instance, ovsdb-server as root, it seems that
>>>>>> this fchmod() call has no effect. Instead the default root umask (0022)
>>>>>> seems to be used:
>>>>>>
>>>>>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock
>>>>>> /etc/openvswitch/ovs.db
>>>>>> # ls -l /var/run/openvswitch/ovs.sock
>>>>>> srwxr-x--- 1 root root 0 Jan 25 17:48 /var/run/openvswitch/ovs.sock
>>>>>
>>>>> The requested mode and umask are both effective.
>>>>> The result is (mode & ~umask).  In your case:
>>>>>
>>>>> 0770 & ~0022 = 0750, i.e.
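Review bot: in the quoted ovs-ctl.in hunk, `umask 0002` is applied unconditionally in the `start)` branch, so every daemon launched by `start_ovsdb` and `start_forwarding` inherits it and everything they create (sockets, pidfiles, logs, the database files) becomes group-writable for whatever group the daemons run as, which is exactly the opt-in concern raised in the reply. Suggest gating the call on a new script option in the style of the existing `--ovs-user`, for example `--ovs-umask=XXXX`, keeping the inherited umask untouched when the option is absent, and validating that the value is a three- or four-digit octal string before passing it to `umask` so a typo cannot silently produce a wider mask than intended.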
>>>>> rwxr-x---
>>>>>
>>>>>>
>>>>>> If I switch user to non-root (default umask 0002):
>>>>>>
>>>>>> $ ovsdb-server --remote punix://$(pwd)/ovs.sock
>>>>>> --unixctl=$(pwd)/ctl.sock ./ovs.db
>>>>>> $ ls -l ovs.sock
>>>>>> srwxrwx--- 1 vlodintsov vlodintsov 0 Jan 25 17:42 ovs.sock
>>>>>
>>>>> 0770 & ~0002 = 0770
>>>>>
>>>>>>
>>>>>> If running as root, passing the desired user as an argument to ovsdb-server,
>>>>>> it still has the same behaviour as just root:
>>>>>>
>>>>>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock
>>>>>> /etc/openvswitch/ovs.db --user openvswitch:openvswitch
>>>>>> # ls -l /var/run/openvswitch/ovs.sock
>>>>>> srwxr-x--- 1 openvswitch openvswitch 0 Jan 25 17:47
>>>>>> /var/run/openvswitch/ovs.sock
>>>>>>
>>>>>> This line of code [0] is quite old (about 8 years), so what am I doing
>>>>>> wrong?
>>>>>> Is it possible to make the socket writable by group without an external
>>>>>> chmod 0770 <path_to_socket> call?
>>>>>
>>>>> The process has inherited the umask from the current shell, i.e. the parent
>>>>> process.  umask is not a property of a user, it is typically set for
>>>>> a shell session in bashrc or /etc/profile.
>>>>>
>>>>> OVS has no way to know what the desired umask is for the user we're
>>>>> switching to.  So, it remains the same as it was.
>>>>>
>>>>> Changing the umask for the current shell before starting the process
>>>>> should help, e.g.
>>>>>
>>>>> (umask 0002 && \
>>>>>  ovsdb-server --remote punix:$(pwd)/ovs.sock /etc/openvswitch/ovs.db \
>>>>>  --user openvswitch:openvswitch)
>>>>
>>>> So, if we use the systemd service unit provided by the ovs repo, we should edit
>>>> the .service file?
>>>> Or maybe there is another option for that?
>>>
>>> I don't think there is a way to change the umask of a running process
>>> from outside of that process.  So something will need to be modified.
>>> It can be a service file (UMask=...), or an ovs-ctl script or the
>>> code of the daemons themselves.
>>>
>>>>
>>>>>
>>>>> Best regards, Ilya Maximets.
>>>>>
>>>>>>
>>>>>> 0:
>>>>>> https://github.com/openvswitch/ovs/blob/v2.17.5/lib/socket-util-unix.c#L264
>>>>>>
>>>>>> Regards,
>>>>>> Vladislav Odintsov
>>>>>
>>>>
>>>
>>
>> Regards,
>> Vladislav Odintsov
>>
>

Regards,
Vladislav Odintsov

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
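The (mode & ~umask) rule Ilya describes, checked end to end on Linux, as an added example that is not part of the thread or of the OVS code base: it mimics what the quoted socket-util-unix.c line does (fchmod() on the socket descriptor, then bind()) under the two umasks from the thread and reads back the permission bits of the socket node that bind() created. `effective_mode` and `bind_socket_with_umask` are names chosen here, the /tmp path is constructed, and the fchmod-on-a-socket-fd trick is assumed to be accepted by the kernel (it is on Linux; the function reports -2 where it is not).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* The rule from the thread: the node ends up with (requested & ~umask).
 * Only the permission bits are of interest here. */
mode_t effective_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 07777;
}

/* Create a unix socket at `path` the way the OVS code does (fchmod() on the
 * socket fd, then bind()) while `mask` is the process umask.  Returns the
 * permission bits of the resulting socket node, -1 on a socket/bind/stat
 * failure (e.g. an unwritable /tmp), or -2 if this kernel rejects fchmod()
 * on a socket descriptor (the trick is Linux-specific).  The previous umask
 * is always restored and the socket node is removed again. */
int bind_socket_with_umask(const char *path, mode_t requested, mode_t mask)
{
    struct sockaddr_un addr;
    struct stat st;
    int fd, result = -1;
    mode_t old_mask;

    if (strlen(path) >= sizeof addr.sun_path) {
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return -1;
    }
    unlink(path);                       /* stale node from an earlier run */
    old_mask = umask(mask);

    if (fchmod(fd, requested) < 0) {    /* sets the mode of the socket inode */
        result = -2;
        goto out;
    }
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);        /* length checked above */
    if (bind(fd, (struct sockaddr *) &addr, sizeof addr) < 0) {
        goto out;
    }
    /* bind() created the filesystem node with (inode mode & ~umask). */
    if (stat(path, &st) == 0) {
        result = (int) (st.st_mode & 07777);
    }
    unlink(path);
out:
    umask(old_mask);
    close(fd);
    return result;
}

/* Stand-alone demo: the same 0770 request under the two umasks seen in the
 * thread (root's 0022 and the non-root user's 0002). */
int main(void)
{
    char path[64];
    mode_t masks[] = { 0022, 0002 };

    snprintf(path, sizeof path, "/tmp/umask-demo-%ld.sock", (long) getpid());
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        int got = bind_socket_with_umask(path, 0770, masks[i]);
        if (got < 0) {
            printf("umask %04o: could not create the socket (%d)\n",
                   (unsigned) masks[i], got);
        } else {
            printf("umask %04o: expected %04o, socket node has %04o\n",
                   (unsigned) masks[i],
                   (unsigned) effective_mode(0770, masks[i]), (unsigned) got);
        }
    }
    return 0;
}
```

Running it as the same user with both umasks reproduces the two `ls -l` results from the thread (rwxr-x--- under 0022, rwxrwx--- under 0002) without any external chmod, which is why the fix has to be applied to the umask of the process (shell `umask`, systemd `UMask=`, or the daemon itself) rather than to the fchmod() call.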
