On 07/05/2017 10:16 PM, Aaron Conole wrote:
> Hi Markos,
> [...]
>>
>> I am a bit puzzled about this to be honest... I am wondering if it would
>> be better to do it the other way around. For example, supply a sysconfig
>> file with OVS_USER_ID commented out, but if it's an upgrade, then do the
>> sed magic to switch to root:root so things keep working as before. Would
>> that be better?
> 
> I prefer to do modifications only on install; that's the only time we
> know for sure the exact state of the files being manipulated.  On
> upgrade, I worry that a user can change the contents in such a way that
> the script matches, but does the wrong thing.  Does it make sense, or
> did I misunderstand?
> 

Yeah I agree that it may need some work to ensure that it will always do
the right thing. I don't mind, just wanted to explore the alternative
option.

>>> +
>>> +    # In the case of upgrade, this is not needed.
>>> +    chown -R openvswitch:openvswitch /etc/openvswitch
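Review bot: the comment says the chown is not needed on upgrade, but nothing in these lines actually skips it on upgrade, so the recursive chown runs every time the scriptlet does. If this is an RPM %post scriptlet, guard it with the scriptlet argument (`if [ "$1" -eq 1 ]; then chown -R openvswitch:openvswitch /etc/openvswitch; fi` runs it only on a fresh install), or drop the comment so it does not promise a condition the code lacks. Note also that `chown -R` re-owns anything already present under /etc/openvswitch, including files the service account may have placed there; owning only the files the package itself installs avoids that.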
>>
>> Should this be part of the systemd file in a ExecStartPre statement
>> instead? Similar to what you do for the /var/run/openvswitch directory.
> 
> I thought about doing that in the systemd script, but it exposes a
> vulnerability.  Assume that I have access to the openvswitch user (for a
> moment).
> 
>   openvswitch /tmp$ gcc -o give_me_a_shell give_me_a_shell.c
>   openvswitch /tmp$ chmod 4755 give_me_a_shell
>   openvswitch /tmp$ cp give_me_a_shell /etc/openvswitch/
>   openvswitch /tmp$ echo 'OVS_USER_ID=root:root' >> \
>      /etc/sysconfig/openvswitch
>   openvswitch /tmp$ # do something that makes the admin restart ovs
>   openvswitch /tmp$ ls -lah /etc/openvswitch/give_me_a_shell
>   srwxr-xr-x.   1 root root 5.5K Jul  5 13:42 give_me_a_shell
>   openvswitch /tmp$ /etc/openvswitch/give_me_a_shell
>   # id
>   uid=0(root) gid=0(root) groups=0(root)
> 
> So, I left it out.  The alternative is to list every file we wish to
> have chmod'ed, but I think that's probably a bit much.

Good point.

Reviewed-by: Markos Chandras <mchand...@suse.de>

-- 
markos

SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
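The alternative Aaron mentions (owning an explicit list of files instead of `chown -R` over a directory the service account can write to) can be combined with a refusal check for planted setuid/setgid files, so the ownership change is never applied to a tree the unprivileged user has tampered with. The following is an added example for this thread, not code from the Open vSwitch patch or its spec file; the file names `conf.db` and `system-id.conf` are assumptions used for illustration, and the script is written to be exercised as an ordinary user against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the OVS patch under review): guard an ownership
# change of a service configuration directory against setuid/setgid files
# planted by the service account, and own only the expected entries.

# Return 0 when no regular file under $1 carries a setuid or setgid bit,
# 1 (listing the offenders on stderr) when at least one does.
# Uses -perm -4000 / -perm -2000 so it works with POSIX find, not only GNU.
check_no_setuid() {
    dir=$1
    found=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'refusing: setuid/setgid files under %s:\n%s\n' "$dir" "$found" >&2
        return 1
    fi
    return 0
}

# Change ownership of the directory $1 and a fixed list of expected entries
# inside it to $2 (user:group or uid:gid).  Nothing is done recursively,
# symlinks are refused rather than followed, and the whole operation is
# skipped if the setuid check above fails.  Returns 0 on success, 1 when a
# precondition is violated.  The entry names are illustrative assumptions.
safe_chown_config_dir() {
    dir=$1
    owner=$2
    check_no_setuid "$dir" || return 1
    for name in . conf.db system-id.conf; do
        path=$dir/$name
        if [ -L "$path" ]; then
            printf 'refusing: %s is a symlink\n' "$path" >&2
            return 1
        fi
        [ -e "$path" ] || continue          # absent entries are simply skipped
        chown -h "$owner" "$path" || return 1
    done
    return 0
}

# Demonstration against a constructed tree in a temporary directory:
# a planted 4755 file makes the ownership change refuse; once it is
# removed the change goes through.  Run as: sh this_script.sh demo
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/etc"
    : > "$tmp/etc/conf.db"
    : > "$tmp/etc/planted"
    chmod 4755 "$tmp/etc/planted"
    me=$(id -u):$(id -g)
    if safe_chown_config_dir "$tmp/etc" "$me"; then
        echo "unexpected: change applied with a setuid file present"
    else
        echo "refused as intended while planted is setuid"
    fi
    rm "$tmp/etc/planted"
    if safe_chown_config_dir "$tmp/etc" "$me"; then
        echo "applied after the planted file was removed"
    fi
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac

# Intended use at the privilege boundary (install scriptlet or ExecStartPre):
#   safe_chown_config_dir /etc/openvswitch "$OVS_USER_ID" || exit 1
```

The refusal check is deliberately independent of whether a particular kernel or `chown` implementation preserves the setuid bit across an ownership change: if the service account has managed to put a setuid or setgid file into the tree, the right response is to stop and let an administrator look, not to re-own it.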