Package: vde2
Version: 2.2.1-1
Severity: wishlist
Improve the permissions on /var/run/vde2 and /var/run/vde2/*.ctl (or
whatever ctl file is chosen).
First I should indicate that I can see no reason why 2775 (i.e. o+rx) is
a bad idea on /var/run/ctl. Any user who can run ps or ifconfig can
guess what's inside. If there is a compelling reason why this is a bad
thing then so be it.
On the other hand, if it remains 2770 then anybody who wishes to connect
a vde port must be in the vde2-net group, which also grants access to
write to the /var/run/vde2 directory and, by extension, connect to the
management port.
The attached patch allows one group (passed to vde_switch) to be given
rights to connect to ports while another (vde2-net) gets authority to
manage the switch itself.
If vde_switch is passed -g vmuser, then the various directories look
like (with one port attached):
drwxrwsr-x 3 vde2-net vde2-net 4096 2008-06-21 20:27 /var/run/vde2
drwxrws--- 2 root     vmuser   4096 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl
srwx------ 1 mking    vmuser      0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl/002
srw-rw---- 1 root     vmuser      0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.ctl/ctl
srw-rw---- 1 root     vde2-net    0 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.mgmt
-rw-r--r-- 1 root     vde2-net    6 2008-06-21 20:27 /var/run/vde2/vde_lego_kvm.pid
Matthew
diff -ur vde2-2.2.1/debian/network/if-pre-up.d/vde2
vde2-2.2.1-owner/debian/network/if-pre-up.d/vde2
--- vde2-2.2.1/debian/network/if-pre-up.d/vde2 2008-06-21 20:52:48.0
+0100
+++ vde2-2.2.1-owner/debian/network/if-pre-up.d/vde22008-06-21
19:58:17.0 +0100
@@ -21,7 +21,7 @@
if [ ! -d /var/run/vde2 ]; then
mkdir -p /var/run/vde2
chown vde2-net:vde2-net /var/run/vde2
-chmod 2770 /var/run/vde2
+chmod 2775 /var/run/vde2
fi
# vde2-switch [-|args]
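Review bot: the chown and the new chmod 2775 only run inside `if [ ! -d /var/run/vde2 ]`, so a /var/run/vde2 that already exists (left over from the old package, or from an earlier boot when /var/run is not a tmpfs) keeps its 2770 mode until someone removes the directory; if the relaxed mode is meant for existing installs as well, move the `chmod 2775 /var/run/vde2` outside the existence check, as the postinst hunk effectively does. Also worth a sentence in the changelog: 2775 only opens traversal and listing of the directory, the entries inside keep their own modes, so the management socket stays confined to vde2-net exactly as long as it is created 0660 root:vde2-net, which is what the listing in the report shows.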
diff -ur vde2-2.2.1/debian/postinst vde2-2.2.1-owner/debian/postinst
--- vde2-2.2.1/debian/postinst 2008-06-21 20:52:48.0 +0100
+++ vde2-2.2.1-owner/debian/postinst2008-06-21 20:58:55.0 +0100
@@ -13,7 +13,7 @@
if ! dpkg-statoverride --list /var/run/vde2 /dev/null; then
chown vde2-net:vde2-net /var/run/vde2
-chmod 2770 /var/run/vde2
+chmod 2775 /var/run/vde2
fi
if [ ! -e /dev/.devfsd ] [ ! -e /dev/net/tun ]; then
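Review bot: this hunk and the if-pre-up.d one hard-code the same 2775 in two places, but only this one is guarded by `dpkg-statoverride --list /var/run/vde2`; an administrator who pins a stricter mode with dpkg-statoverride will have it honoured here and then silently overridden the next time if-pre-up.d recreates the directory on a tmpfs /var/run. Either have the if-pre-up.d script consult dpkg-statoverride too, or document that the override only survives until the directory is recreated. Separately, the lines `if ! dpkg-statoverride --list /var/run/vde2 /dev/null; then` and `if [ ! -e /dev/.devfsd ] [ ! -e /dev/net/tun ]; then` have lost their redirection and list operators in transit (the unchanged context has the same damage), so the patch as pasted in the mail will not apply; please resend it as an attachment.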
diff -ur vde2-2.2.1/src/vde_switch/datasock.c
vde2-2.2.1-owner/src/vde_switch/datasock.c
--- vde2-2.2.1/src/vde_switch/datasock.c2008-06-15 17:49:16.0
+0100
+++ vde2-2.2.1-owner/src/vde_switch/datasock.c 2008-06-21 20:22:19.0
+0100
@@ -418,6 +418,10 @@
printlog(LOG_ERR,Could not set the VDE ctl directory '%s'
permissions: %s, ctl_socket, strerror(errno));
exit(-1);
}
+ if(chown(ctl_socket,-1,grp_owner) 0) {
+ printlog(LOG_ERR, Could not chown the VDE ctl directory '%s':
%s, ctl_socket, strerror(errno));
+ exit(-1);
+ }
sun.sun_family = AF_UNIX;
snprintf(sun.sun_path,sizeof(sun.sun_path),%s/ctl,ctl_socket);
if(bind(connect_fd, (struct sockaddr *) sun, sizeof(sun)) 0){
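Review bot: `grp_owner` is used here but neither its declaration nor the `-g` option parsing that fills it appears in this hunk, so please include that part; in particular it must default to `(gid_t)-1` when `-g` is not given, so that `chown(ctl_socket,-1,grp_owner)` is a no-op rather than a chown to gid 0 or to an uninitialized value. The ordering also matters: the `ctl` socket bound just below picks up the vmuser group only through the directory's setgid bit, so the chown must keep that bit intact; chown(2) by root does on Linux, but doing the chown before the existing chmod (the call whose error branch is the first three context lines) removes any dependence on that. The socket's own mode is not set in this hunk either, so the 0660 shown in the listing in the report comes from the umask or from code not shown here; a comment pointing to where that is set would help the next reader. Finally, `if(chown(ctl_socket,-1,grp_owner) 0)` and the printlog format strings are missing their `<` and quote characters in the pasted text, as the surrounding context lines are, another reason to send the patch as an attachment.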
--
I must take issue with the term a mere child, for it has been my
invariable experience that the company of a mere child is infinitely
preferable to that of a mere adult.
-- Fran Lebowitz
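The separation the report argues for is easy to get subtly wrong on a live system (a 2770 run directory, or a management socket created 0666, collapses the two groups back into one), so the following is an added audit script that is not part of the bug report or of the vde2 package. It checks the modes and group names of the layout shown in the listing above (run directory 2775 owned by the management group, NAME.ctl 2770 owned by the port group, NAME.ctl/ctl 0660 in the port group, NAME.mgmt 0660 in the management group), with group names passed in rather than assumed. It assumes GNU stat(1); the helper names and the fixture builder are this example's own inventions, and the fixture uses plain files in place of the Unix sockets because an unprivileged shell cannot create sockets or change group ownership.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the vde2 package: audit the
# permission split the report proposes.  Layout assumed from the listing in
# the report (vmuser is whatever group was passed to vde_switch -g):
#   RUNDIR                 2775  group = management group (vde2-net)
#   RUNDIR/NAME.ctl        2770  group = port group       (vmuser)
#   RUNDIR/NAME.ctl/ctl    0660  group = port group
#   RUNDIR/NAME.mgmt       0660  group = management group
# Only modes and group names are inspected, via GNU stat(1), so the check can
# be run by an unprivileged user against a fixture as well as against a real
# /var/run/vde2.

mode_of()  { stat -c '%a' "$1"; }
group_of() { stat -c '%G' "$1"; }

# expect PATH "MODE1|MODE2" GROUP: print a finding and return 1 on mismatch.
# The setgid bit is optional because chmod silently drops it for a user who
# is not a member of the directory's group, and the patch chowns the ctl
# directory explicitly anyway.
expect() {
    e_path=$1 e_modes=$2 e_grp=$3 e_rc=0
    e_mode=$(mode_of "$e_path") || return 1
    case "|$e_modes|" in
        *"|$e_mode|"*) ;;
        *) echo "$e_path: mode $e_mode, expected one of $e_modes"; e_rc=1 ;;
    esac
    e_have=$(group_of "$e_path")
    if [ "$e_have" != "$e_grp" ]; then
        echo "$e_path: group $e_have, expected $e_grp"; e_rc=1
    fi
    return $e_rc
}

# audit_vde_run RUNDIR NAME PORT_GROUP MGMT_GROUP
# Returns 0 when port-group members can traverse to NAME.ctl/ctl but cannot
# write RUNDIR or reach NAME.mgmt, which stays confined to MGMT_GROUP.
audit_vde_run() {
    a_run=$1 a_name=$2 a_pgrp=$3 a_mgrp=$4 a_rc=0
    # o+x on the run directory is what lets port-group users traverse to the
    # ctl directory; 2770 (the current package default) forces them into the
    # management group instead, which is the problem the report describes.
    expect "$a_run"                  "2775|775" "$a_mgrp" || a_rc=1
    expect "$a_run/$a_name.ctl"      "2770|770" "$a_pgrp" || a_rc=1
    expect "$a_run/$a_name.ctl/ctl"  "660"      "$a_pgrp" || a_rc=1
    expect "$a_run/$a_name.mgmt"     "660"      "$a_mgrp" || a_rc=1
    return $a_rc
}

# groups_distinct PORT_GROUP MGMT_GROUP: the split is meaningless when both
# are the same group, so flag that separately from the per-file checks.
groups_distinct() { [ "$1" != "$2" ]; }

# make_fixture DIR NAME: build the intended layout for testing, with regular
# files standing in for the two sockets (constructed fixture, not real data).
make_fixture() {
    mkdir -p "$1/$2.ctl"
    : > "$1/$2.ctl/ctl"
    : > "$1/$2.mgmt"
    chmod 2775 "$1"
    chmod 2770 "$1/$2.ctl"
    chmod 660 "$1/$2.ctl/ctl" "$1/$2.mgmt"
}

# Usage against a real switch started with -g vmuser:
#   audit_vde_run /var/run/vde2 vde_lego_kvm vmuser vde2-net && echo "layout ok"
```

Run against a real switch the group-name arguments are vmuser (or whatever was given to -g) and vde2-net; the fixture in the test passes the caller's own primary group for both, because an unprivileged user cannot chgrp, and exercises the two failure modes the report cares about (a 2770 run directory and a world-writable management socket) separately from the distinct-groups check.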