Message ID | 1600894095-96196-1-git-send-email-yihung.wei@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [ovs-dev] ovsdb: Remove read permission of *.db from others | expand |
On 23/09/2020 21:48, Yi-Hung Wei wrote: > Currently, when ovsdb *.db is created by ovsdb-tool it grants read > permission to others. This may incur security concerns, for example, > IPsec Pre-shared keys are stored in ovs-vsitchd.conf.db. > This patch addresses the concerns by removing permission for others. > > Reported-by: Antonin Bas <abas@vmware.com> > Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> > --- > ovsdb/log.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ovsdb/log.c b/ovsdb/log.c > index 41af77679178..4a28fa3db6da 100644 > --- a/ovsdb/log.c > +++ b/ovsdb/log.c > @@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic, > if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) { > fd = dup(STDIN_FILENO); > } else { > - fd = open(name, flags, 0666); > + fd = open(name, flags, 0660); > } > if (fd < 0) { > const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create" > I tested this and it works as expected. It also passes all the OVS tests. It's definitely an issue as PSKs could indeed be in the the DB. There may be unintended side-effects of this but I can't think of any that would be legitimately need user RW permissions. Acked-by: Mark Gray <mark.d.gray@redhat.com>
On 10/14/20 2:44 PM, Mark Gray wrote: > On 23/09/2020 21:48, Yi-Hung Wei wrote: >> Currently, when ovsdb *.db is created by ovsdb-tool it grants read >> permission to others. This may incur security concerns, for example, >> IPsec Pre-shared keys are stored in ovs-vsitchd.conf.db. >> This patch addresses the concerns by removing permission for others. >> >> Reported-by: Antonin Bas <abas@vmware.com> >> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> >> --- >> ovsdb/log.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/ovsdb/log.c b/ovsdb/log.c >> index 41af77679178..4a28fa3db6da 100644 >> --- a/ovsdb/log.c >> +++ b/ovsdb/log.c >> @@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic, >> if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) { >> fd = dup(STDIN_FILENO); >> } else { >> - fd = open(name, flags, 0666); >> + fd = open(name, flags, 0660); >> } >> if (fd < 0) { >> const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create" >> > > I tested this and it works as expected. It also passes all the OVS > tests. It's definitely an issue as PSKs could indeed be in the the DB. > There may be unintended side-effects of this but I can't think of any > that would be legitimately need user RW permissions. > > Acked-by: Mark Gray <mark.d.gray@redhat.com> Thanks! Applied to master and backported down to 2.13 as it's our new LTS. If you think that this should be backported further, please, let me know. Best regards, Ilya Maximets.
diff --git a/ovsdb/log.c b/ovsdb/log.c index 41af77679178..4a28fa3db6da 100644 --- a/ovsdb/log.c +++ b/ovsdb/log.c @@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic, if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) { fd = dup(STDIN_FILENO); } else { - fd = open(name, flags, 0666); + fd = open(name, flags, 0660); } if (fd < 0) { const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create"
Currently, when ovsdb *.db is created by ovsdb-tool it grants read permission to others. This may incur security concerns, for example, IPsec Pre-shared keys are stored in ovs-vsitchd.conf.db. This patch addresses the concerns by removing permission for others. Reported-by: Antonin Bas <abas@vmware.com> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> --- ovsdb/log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)