From: Andy Zhou
Date: Sat, 10 Oct 2015 02:45:46 +0000 (-0700)
Subject: lib: allow group access to Unix domain sockets
X-Git-Tag: v2.5.0~327
X-Git-Url: http://git.cascardo.eti.br/?p=cascardo%2Fovs.git;a=commitdiff_plain;h=2258d8b5d2099d7a2b56c8414e6d3bddc9b43f0f

lib: allow group access to Unix domain sockets

By default, Unix domain sockets are created with file system permission mode of 0700. This means that only processes that run under the same user can access this socket. For OVS, it may be more convenient to control access at the group level rather than at the user level, since other processes need to access OVSDB and UNIXCTL sockets while running under different users.

This patch changes Unix domain sockets' file system permission to 0770, to grant group access.

It has not been an issue in the past since OVS, until very recently, had to run as root. If a process needed to access OVSDB or UNIXCTL sockets, it had to be a root process as well.

With the added --user option to OVS daemons and this change, system administrators can deploy OVS more securely: OVS daemons can run as a non-root user. Various processes that need to talk to OVS do not have to run as root processes anymore.

Signed-off-by: Andy Zhou
Acked-by: Ansis Atteka
---
diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c index afab1958d..32f966d81 100644 --- a/lib/socket-util-unix.c +++ b/lib/socket-util-unix.c @@ -259,10 +259,10 @@ free_sockaddr_un(int dirfd, const char *linkname) } /* Binds Unix domain socket 'fd' to a file with permissions 0700. */ -static int -bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len) +static int bind_unix_socket(int fd, struct sockaddr *sun, socklen_t sun_len) { - const mode_t mode = 0700; + const mode_t mode = 0770; /* Allow both user and group access. */ + if (LINUX) { /* On Linux, the fd's permissions become the file's permissions. * fchmod() does not affect other files, like umask() does. */
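Review bot: The function comment in the unchanged context line, "Binds Unix domain socket 'fd' to a file with permissions 0700.", is now stale, since the hunk changes `mode` to 0770; it should be updated to "permissions 0770" in the same patch so the documentation matches the behaviour. Two smaller points: folding "static int" and "bind_unix_socket(...)" onto one line departs from the two-line return-type/name layout the removed lines used, and is unrelated to the permission change, so it is better left out of this commit; and because nothing in this hunk chooses the group that owns the socket file, 0770 grants access to whichever group the daemon happens to create the file under, which is worth stating explicitly in the commit message or the --user documentation so administrators know what group membership now implies.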