author Yi-Hung Wei <yihung.wei@gmail.com> 2020-09-23 13:48:15 -0700
committer Ilya Maximets <i.maximets@ovn.org> 2020-11-10 01:26:41 +0100
commit 1090a949ac920b4e7ee901cee36008408a1c2386 (patch)
tree 4321c2e2da082166c7ecda6aeea73de66491af2e /ovsdb/log.c
parent 80e3becdc1eea9b92253a391c0071e6218dda7d8 (diff)
ovsdb: Remove read permission of *.db from others.
Currently, when ovsdb *.db is created by ovsdb-tool it grants read permission to others. This may incur security concerns, for example, IPsec Pre-shared keys are stored in ovs-vswitchd.conf.db. This patch addresses the concerns by removing permission for others.

Reported-by: Antonin Bas <abas@vmware.com>
Acked-by: Mark Gray <mark.d.gray@redhat.com>
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Diffstat (limited to 'ovsdb/log.c')
-rw-r--r-- ovsdb/log.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/ovsdb/log.c b/ovsdb/log.c
index 41af77679..4a28fa3db 100644
--- a/ovsdb/log.c
+++ b/ovsdb/log.c
@@ -212,7 +212,7 @@ ovsdb_log_open(const char *name, const char *magic,
if (!strcmp(name, "/dev/stdin") && open_mode == OVSDB_LOG_READ_ONLY) {
fd = dup(STDIN_FILENO);
} else {
- fd = open(name, flags, 0666);
+ fd = open(name, flags, 0660);
}
if (fd < 0) {
const char *op = (open_mode == OVSDB_LOG_CREATE_EXCL ? "create"
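Review bot: the new mode in `fd = open(name, flags, 0660);` only takes effect when this call creates the file, so a *.db that already exists with the old others-readable bits keeps them after upgrading. Consider tightening an existing file here as well (for example with fchmod() on the returned fd when the log is opened for writing), or state in the commit message and release notes that operators must chmod existing databases by hand. A short comment beside 0660 saying that the file can hold secrets such as IPsec pre-shared keys would also keep a later cleanup from restoring 0666. The group bits stay read/write, so the protection also depends on the group that owns the file and on the process umask.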