On Sat, Oct 24, 2015 at 2:36 PM, Ben Pfaff <b...@nicira.com> wrote:
> On Fri, Oct 09, 2015 at 05:13:24PM -0700, Andy Zhou wrote:
>> Changes to Debian packaging scripts to create the ovs user and group.
>> Fix the permissions of ovs-created files and directories so that
>> they are accessible by users belonging to the ovs group.
>> Start daemons as the ovs user.
>>
>> Signed-off-by: Andy Zhou <az...@nicira.com>
>>
>> ----
>> This patch does not include changes to the ipsec package. Ansis has
>> other plans for updating it.
>
> This looks carefully done. Thank you! I have a few suggestions, see
> below.
>
>> +case "$1" in
>> + configure)
>> + LOGDIR=/var/log/openvswitch
>> + # Create the ovs user and group.
>> + adduser --system --group --no-create-home --quiet $OVS_USER || true
>
> Based on looking at other packages, I'd suggest adding --disabled-login
> to this command.
>
> I am not sure why || true is there. If adduser fails, then I suspect
> that configuration should fail. I only see || true (or similar) in a
> minority of other packages that add users.
>
> From looking at other packages, it looks like there's an unwritten
> convention that a daemon's home directory should be its rundir, e.g. add
> "--home /var/run/openvswitch".
>
> A number of other packages check whether the account already exists
> before it creates it. adduser is supposed to work OK in this case, as
> long as nothing needs to change, but it might be considered best
> practice to check. e.g. here is what exim4-base does:
>
> if ! getent passwd Debian-exim > /dev/null ; then
>     echo 'Adding system-user for exim (v4)' 1>&2
>     adduser --system --group --quiet --home /var/spool/exim4 \
>         --no-create-home --disabled-login --force-badname Debian-exim
> fi

Those are good suggestions. Will adopt all in the next rev.
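Review bot: the "|| true" on the adduser line in the configure) branch turns a failed account creation into a silent success, so the package configures cleanly and the daemons only fail later, at start time, when they try to drop to a user that does not exist; drop it and guard the call with a getent check as the exim4-base snippet does, so an existing account is left alone and a genuine adduser failure aborts configure. $OVS_USER should also be double-quoted, and --disabled-login plus --home /var/run/openvswitch belong on the command so the account has no usable password and follows the rundir-as-home convention.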
>
> openvswitch-vtep.init seems like a funny place to do the following:
>
>> + chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
>> + chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
>> + chmod -R 0770 /var/run/openvswitch

I agree it is odd. But it seems necessary given the directory and files created above as root. Do you have some alternatives in mind?

> Also, the 770 permissions for /var/run/openvswitch mean that
> unprivileged users can't see the OVS pidfiles that can reliably report
> what OVS daemons are running. Based on looking at my own system, this
> is somewhat unusual (try running "find /var/run/ -maxdepth 1 -type d
> -ls" and look at your results).

I see. How about 775?

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
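Review bot: the chown -R / chmod -R 0770 sequence in openvswitch-vtep.init re-applies ownership and mode to the whole /etc/openvswitch and /var/run/openvswitch trees as root on every start, over directories that the daemons, running as the ovs user, write into. Besides hiding the pidfiles from unprivileged users (the 0770 point raised above), chmod -R 0770 sets the execute bit on every regular file it reaches and overrides whatever mode the daemon's umask chose, and a root process recursively changing a tree that a less privileged account can populate is a pattern best avoided. Create the directories once in postinst with an explicit owner and mode, e.g. install -d -m 0775 -o "$OVS_USER" -g "$OVS_GROUP" /var/run/openvswitch, and leave the files inside to the daemons; if the init script has to recreate the rundir because /run is a tmpfs, create just that directory, non-recursively.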
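The postinst logic the two messages above converge on, written out as an added example (this is not Open vSwitch's packaging code): the getent guard, no "|| true", --disabled-login and rundir-as-home on the adduser call, the rundir created once with an explicit mode instead of chown -R / chmod -R on every init, and a check that shows why 0770 hides the pidfiles while 0775 does not. The account name openvswitch, the DESTDIR staging prefix and the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Open vSwitch's own packaging code. Account name,
# DESTDIR prefix and function names are assumptions made for illustration.
set -e

OVS_USER=${OVS_USER:-openvswitch}     # assumed account name
OVS_GROUP=${OVS_GROUP:-openvswitch}
DESTDIR=${DESTDIR:-}                  # staging prefix so this can run unprivileged
RUNDIR=/var/run/openvswitch

# adduser invocation per the review: system account, no usable password,
# home set to the rundir, no home directory created, and no "|| true".
ovs_adduser_cmd() {
    printf '%s' "adduser --system --group --quiet --home $RUNDIR --no-create-home --disabled-login $OVS_USER"
}

# Create the account only if it is missing. A real adduser failure
# propagates (set -e) so the configure stage fails visibly.
ovs_ensure_user() {
    if getent passwd "$OVS_USER" >/dev/null 2>&1; then
        return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        eval "$(ovs_adduser_cmd)"
    else
        # Unprivileged run (e.g. a test): show what would be executed.
        echo "would run: $(ovs_adduser_cmd)" >&2
    fi
}

# Create the rundir once with an explicit mode rather than re-applying
# chown -R / chmod -R on every init. Ownership can only be assigned by
# root and only to an existing account, so it is skipped otherwise.
ovs_setup_rundir() {
    mode=$1
    dir="$DESTDIR$RUNDIR"
    mkdir -p "$dir"
    chmod "$mode" "$dir"
    if [ "$(id -u)" -eq 0 ] && getent passwd "$OVS_USER" >/dev/null 2>&1; then
        chown "$OVS_USER:$OVS_GROUP" "$dir"
    fi
}

# Return 0 when "others" have read and search permission on the rundir,
# i.e. an unprivileged user can list the pidfiles in it. The mode string
# from ls -ld is d + user(3) + group(3) + others(3); others' r and x are
# the 8th and 10th characters. 0770 fails this check, 0775 passes it.
ovs_rundir_world_listable() {
    case $(ls -ld "$DESTDIR$RUNDIR") in
        d??????r?x*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Postinst-style entry point: sh this_script configure
if [ "${1:-}" = configure ]; then
    ovs_ensure_user
    ovs_setup_rundir 0775
fi
```

Run with DESTDIR set to a scratch directory to see the mode difference without touching the real /var/run; on a real system the init script would then only need to recreate the single rundir directory after a tmpfs /run is mounted, never recurse into it.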