Unix sockets were not being created with the permission 0770,
instead using the current umask value. The manpage for fchmod()
states that if filedes refers to a socket, the behavior is
undefined. Instead, use the same code as *BSD to ensure the 0770
permission is set on unix sockets.

Signed-off-by: Terry Wilson <twil...@redhat.com>
---
 lib/socket-util-unix.c | 56 +++++++++++++++++++-------------------------------
 1 file changed, 21 insertions(+), 35 deletions(-)

diff --git a/lib/socket-util-unix.c b/lib/socket-util-unix.c
index 59f63fc..54147d1 100644
--- a/lib/socket-util-unix.c
+++ b/lib/socket-util-unix.c
@@ -263,42 +263,28 @@ static int bind_unix_socket(int fd, struct sockaddr *sun, 
socklen_t sun_len)
 {
     const mode_t mode = 0770;    /* Allow both user and group access. */
 
-    if (LINUX) {
-        /* On Linux, the fd's permissions become the file's permissions.
-         * fchmod() does not affect other files, like umask() does. */
-        if (fchmod(fd, mode)) {
-            return errno;
-        }
-
-        /* Must be after fchmod(). */
-        if (bind(fd, sun, sun_len)) {
-            return errno;
-        }
-        return 0;
+    /* On unix sockets, only the umask affects permissions.  The
+     * umask is process-wide rather than thread-specific, so we have to use
+     * a subprocess for safety. */
+    pid_t pid = fork();
+
+    if (!pid) {
+        umask(mode ^ 0777);
+        _exit(bind(fd, sun, sun_len) ? errno : 0);
+    } else if (pid > 0) {
+        int status;
+        int error;
+
+        do {
+            error = waitpid(pid, &status, 0) < 0 ? errno : 0;
+        } while (error == EINTR);
+
+        return (error ? error
+                : WIFEXITED(status) ? WEXITSTATUS(status)
+                : WIFSIGNALED(status) ? EINTR
+                : ECHILD /* WTF? */);
     } else {
-        /* On FreeBSD and NetBSD, only the umask affects permissions.  The
-         * umask is process-wide rather than thread-specific, so we have to use
-         * a subprocess for safety. */
-        pid_t pid = fork();
-
-        if (!pid) {
-            umask(mode ^ 0777);
-            _exit(bind(fd, sun, sun_len) ? errno : 0);
-        } else if (pid > 0) {
-            int status;
-            int error;
-
-            do {
-                error = waitpid(pid, &status, 0) < 0 ? errno : 0;
-            } while (error == EINTR);
-
-            return (error ? error
-                    : WIFEXITED(status) ? WEXITSTATUS(status)
-                    : WIFSIGNALED(status) ? EINTR
-                    : ECHILD /* WTF? */);
-        } else {
-            return errno;
-        }
+        return errno;
     }
 }
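Review bot: The new comment above `fork()` says only that the umask affects permissions and drops the reason the `fchmod()` branch was removed, so a later cleanup could reintroduce it. I would extend it along the lines of `/* fchmod() on a socket is undefined per its manpage, and chmod() after bind() would leave the socket briefly reachable with umask-derived permissions, so bind() runs in a child with the umask set. */`. Because this path now runs on every platform rather than only FreeBSD and NetBSD, two properties of the status handling deserve a short comment as well. The child passes errno through `_exit()`, which the parent can read back only as the low 8 bits via `WEXITSTATUS`. A child killed by a signal is reported as `EINTR`, which the caller cannot distinguish from an interrupted call and might treat as retryable.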
 
-- 
1.8.3.1
