Regards,
Vladislav Odintsov

> On 25 Jan 2023, at 19:16, Ilya Maximets <i.maxim...@ovn.org> wrote:
> 
> On 1/25/23 16:15, Vladislav Odintsov wrote:
>> Hi,
>> 
>> I’m a bit confused about Linux unix socket file permissions created by OVS 
>> daemons.
>> 
>> From the source code [0] I see it calls fchmod(0770) on the file descriptor prior to 
>> socket bind(), assuming that the socket file, when created, will inherit the FD’s 
>> permissions. So I expect that after the unix socket files are created, they have 
>> rwxrwx--- permissions.
>> 
>> However, if running, for instance, ovsdb-server as root, it seems that this 
>> fchmod() call has no effect. Instead the default root umask (0022) seems to be 
>> used:
>> 
>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock 
>> /etc/openvswitch/ovs.db
>> # ls -l /var/run/openvswitch/ovs.sock
>> srwxr-x--- 1 root root 0 Jan 25 17:48 /var/run/openvswitch/ovs.sock
> 
> The requested mode and umask are both effective.
> The result is (mode & ~umask).  In your case:
> 
> 0770 & ~0022 = 0750, i.e. rwxr-x---
> 
>> 
>> If switching to a non-root user (default umask 0002):
>> 
>> $ ovsdb-server --remote punix://$(pwd)/ovs.sock --unixctl=$(pwd)/ctl.sock 
>> ./ovs.db
>> $ ls -l ovs.sock
>> srwxrwx--- 1 vlodintsov vlodintsov 0 Jan 25 17:42 ovs.sock
> 
> 0770 & ~0002 = 0770
> 
>> 
>> If running as root and passing the desired user as an argument to ovsdb-server, it 
>> still behaves the same as just root:
>> 
>> # ovsdb-server --remote punix:///var/run/openvswitch/ovs.sock 
>> /etc/openvswitch/ovs.db --user openvswitch:openvswitch
>> # ls -l /var/run/openvswitch/ovs.sock
>> srwxr-x--- 1 openvswitch openvswitch 0 Jan 25 17:47 
>> /var/run/openvswitch/ovs.sock
>> 
>> 
>> This line of code [0] is quite old (about 8 years), so what am I doing wrong?
>> Is it possible to make the socket writable by group without an external call to chmod 
>> 0770 <path_to_socket>?
> The process has inherited the umask from the current shell, i.e. the parent
> process.  umask is not a property of a user; it is typically set for
> a shell session in bashrc or /etc/profile.
> 
> OVS has no way to know what the desired umask for the user we're
> switching to is.  So, it remains the same as it was.
> 
> Changing the umask for a current shell before starting the process
> should help, e.g.
> 
> (umask 0002 && \
> ovsdb-server --remote punix:$(pwd)/ovs.sock /etc/openvswitch/ovs.db \
>              --user openvswitch:openvswitch)

So, if we use the systemd service unit provided by the OVS repo, should we edit 
the .service file?
Or maybe there is another option for that?

> 
> Best regards, Ilya Maximets.
> 
>> 
>> 0: 
>> https://github.com/openvswitch/ovs/blob/v2.17.5/lib/socket-util-unix.c#L264
>> 
>> Regards,
>> Vladislav Odintsov
> 
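The rule Ilya states above (resulting socket mode = requested mode & ~umask) can be checked directly by reproducing the fchmod()-before-bind() pattern the thread discusses. The following is an added example written for this page; it is not code from the OVS repository. It assumes a Linux host where AF_UNIX sockets can be created under /tmp, and the socket path it uses is a constructed demo path.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* The rule from the thread: the mode the kernel keeps for the socket file
 * is the requested mode with the process umask bits cleared. */
mode_t expected_socket_mode(mode_t requested, mode_t umask_value)
{
    return requested & ~umask_value & 07777;
}

/* Reproduce the pattern under discussion: fchmod() the socket descriptor
 * before bind(), under a chosen umask, and report the mode the kernel
 * actually gave the socket file.
 * Returns 1 if the observed mode equals expected_socket_mode(),
 *         0 if it differs, and -1 if the socket could not be set up
 *         (no AF_UNIX support, fchmod/bind failure, unwritable path). */
int check_socket_mode(const char *path, mode_t requested, mode_t umask_value,
                      mode_t *observed)
{
    struct sockaddr_un addr;
    struct stat st;
    mode_t old_umask = umask(umask_value);   /* like the "(umask 0002 && ...)" subshell */
    int result = -1;
    int fd;

    unlink(path);                            /* drop a stale file from an earlier run */
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        umask(old_umask);
        return -1;
    }

    /* Mode set on the descriptor before bind(); on Linux the socket inode
     * created by bind() inherits it, minus the umask bits. */
    if (fchmod(fd, requested) == 0) {
        memset(&addr, 0, sizeof addr);
        addr.sun_family = AF_UNIX;
        snprintf(addr.sun_path, sizeof addr.sun_path, "%s", path);
        if (bind(fd, (struct sockaddr *)&addr, sizeof addr) == 0
            && stat(path, &st) == 0) {
            *observed = st.st_mode & 07777;
            result = (*observed == expected_socket_mode(requested, umask_value)) ? 1 : 0;
        }
    }

    unlink(path);
    close(fd);
    umask(old_umask);                        /* restore the caller's umask */
    return result;
}

int main(void)
{
    /* Constructed demo path; any writable directory works. */
    char path[64];
    mode_t observed = 0;
    snprintf(path, sizeof path, "/tmp/ovs-umask-demo-%ld.sock", (long)getpid());

    /* The two umasks seen in the thread: root's 0022 and a user's 0002. */
    mode_t umasks[] = { 0022, 0002 };
    for (size_t i = 0; i < 2; i++) {
        int rc = check_socket_mode(path, 0770, umasks[i], &observed);
        printf("umask %04o: expected %04o, observed %04o (%s)\n",
               (unsigned)umasks[i],
               (unsigned)expected_socket_mode(0770, umasks[i]),
               rc < 0 ? 0u : (unsigned)observed,
               rc == 1 ? "match" : rc == 0 ? "MISMATCH" : "socket error");
    }
    return 0;
}
```

With umask 0022 the observed mode is 0750 (srwxr-x---, the root case above) and with 0002 it is 0770 (srwxrwx---, the non-root case), confirming that the fchmod() call is effective and only the umask differs between the two runs. Since the umask is inherited from the parent process rather than derived from the user, a service manager has to set it for the daemon; systemd units, for example, accept a `UMask=` setting in the `[Service]` section, which is the same effect as the subshell `umask 0002` above.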
