authorTimothy Redaelli <tredaelli@redhat.com>2017-06-19 16:50:21 +0200
committerBen Pfaff <blp@ovn.org>2017-07-10 11:25:45 -0700
commit03736a6726cb1faf2584ad2536625471ab6d17c5 (patch)
treec5c51cfbd48e54806ef1a976e53df180de6a405f
parentb34cd6119aa1ce50d910252202e5eaa13b5fce5e (diff)
downloadopenvswitch-03736a6726cb1faf2584ad2536625471ab6d17c5.tar.gz
make logs not readable by other
The Open vSwitch log directory and files are currently set world readable. Only Open vSwitch users and processes need access to this directory and these files, so there is no reason to let everyone read them: doing so can expose sensitive information. Signed-off-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
-rw-r--r--lib/vlog.c2
-rw-r--r--rhel/openvswitch-fedora.spec.in2
-rw-r--r--utilities/ovs-lib.in5
-rwxr-xr-xutilities/ovs-pki.in2
4 files changed, 6 insertions, 5 deletions
diff --git a/lib/vlog.c b/lib/vlog.c
index 333337b10..2a60ca34a 100644
--- a/lib/vlog.c
+++ b/lib/vlog.c
@@ -360,7 +360,7 @@ vlog_set_log_file(const char *file_name)
new_log_file_name = (file_name
? xstrdup(file_name)
: xasprintf("%s/%s.log", ovs_logdir(), program_name));
- new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0666);
+ new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0660);
if (new_log_fd < 0) {
VLOG_WARN("failed to open %s for logging: %s",
new_log_file_name, ovs_strerror(errno));
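Review bot: The tightened mode on the open() call at line 28 only takes effect when the file is created; a log file that already exists from an earlier 0666 run keeps its old permissions, so an upgrade does not retroactively protect existing logs, and the resulting mode is still subject to the process umask. A short comment would keep the next reader from assuming 0660 is enforced: `/* 0660: logs may hold sensitive data; owner and group only. Applied only on creation -- an existing file keeps its mode. */`. An fchmod() after a successful open would tighten existing files too, but it could surprise deployments that deliberately share logs, so it belongs in a separate change if wanted. vlog_set_log_file starts and ends outside this hunk.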
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index f822ad3ca..3a045d304 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -231,7 +231,7 @@ rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
install -d -m 0755 $RPM_BUILD_ROOT%{_rundir}/openvswitch
-install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
+install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch
install -p -D -m 0644 \
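Review bot: The `install -d -m 0750` at line 40 sets the mode in the build root, but the mode on an installed system comes from the package's %files section (a %dir/%attr/%defattr entry for %{_localstatedir}/log/openvswitch), which is outside this hunk; if that entry carries its own attr it must also say 0750 for this change to have any effect. It is also worth confirming that the %files entry gives the directory the openvswitch user/group rather than root:root, since with 0750 a daemon running as a non-root user can no longer write into a root-owned directory. A one-line comment beside the install, `# 0750: log dir must not be world-readable; keep in sync with %files`, would tie the two places together.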
diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
index 93085ca58..8665698bb 100644
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -150,13 +150,14 @@ version_geq() {
install_dir () {
DIR="$1"
+ INSTALL_MODE="${2:-755}"
INSTALL_USER="root"
INSTALL_GROUP="root"
[ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
[ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
if test ! -d "$DIR"; then
- install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
+ install -d -m "$INSTALL_MODE" -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
restorecon "$DIR" >/dev/null 2>&1
fi
}
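Review bot: install_dir applies INSTALL_MODE only inside the `test ! -d "$DIR"` guard at line 55, so a log directory that already exists from an earlier release with 0755 is never tightened on upgrade; the new parameter is effective only for first-time creation. That is probably intended, since re-chmodding existing directories on every start could surprise administrators, but it should be stated, e.g. `# Mode and ownership are applied only when the directory is created; an existing directory is left untouched.` above the `if`. install(1) accepts "750" with or without the leading zero, but writing `0750` as the spec file does would keep the two call sites visibly in step.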
@@ -174,7 +175,7 @@ start_daemon () {
cd "$DAEMON_CWD"
# log file
- install_dir "$logdir"
+ install_dir "$logdir" "750"
set "$@" --log-file="$logdir/$daemon.log"
# pidfile and monitoring
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index d5ce1dccf..4f6941865 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -206,7 +206,7 @@ esac
logdir=$(dirname "$log")
if test ! -d "$logdir"; then
- mkdir -p -m755 "$logdir" 2>/dev/null || true
+ mkdir -p -m750 "$logdir" 2>/dev/null || true
if test ! -d "$logdir"; then
echo "$0: log directory $logdir does not exist and cannot be created" >&2
exit 1
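Review bot: As at the other call sites, `mkdir -p -m750` at line 76 sets the mode only on a directory it creates, so an existing 0755 log directory from an earlier release keeps world access, and with `-p` the mode applies only to the final component, not to any parents mkdir creates. Because errors are silenced with `2>/dev/null || true` and failure is detected only by the second `test ! -d`, a directory that exists with the wrong mode is accepted without comment. If the log file itself is written by shell redirection (not visible here) its mode comes from the umask, so the directory mode is the only thing keeping the log private; a comment such as `# 750: only owner and group may enter the log dir; an existing dir is not changed` would make that dependency explicit.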