Commit 03736a67 authored by Timothy Redaelli's avatar Timothy Redaelli Committed by Ben Pfaff

make logs not readable by other

The Open vSwitch log directory and files are currently set world readable.

However, since only Open vSwitch users and processes need to access this
directory and these files there is no need to allow the world to access them,
since it can result in the exposure of sensitive information.
Signed-off-by: default avatarTimothy Redaelli <tredaelli@redhat.com>
Signed-off-by: default avatarBen Pfaff <blp@ovn.org>
parent b34cd611
......@@ -360,7 +360,7 @@ vlog_set_log_file(const char *file_name)
new_log_file_name = (file_name
? xstrdup(file_name)
: xasprintf("%s/%s.log", ovs_logdir(), program_name));
new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0666);
new_log_fd = open(new_log_file_name, O_WRONLY | O_CREAT | O_APPEND, 0660);
if (new_log_fd < 0) {
VLOG_WARN("failed to open %s for logging: %s",
new_log_file_name, ovs_strerror(errno));
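Review bot: The 0660 passed to open() here only takes effect when O_CREAT actually creates the file, so a log file left behind by an earlier version keeps its world-readable bits after an upgrade. The same limitation applies to the directory changes in the later hunks, where install_dir and the `mkdir -p -m750` call both run only under `test ! -d`. If the intent is that no existing log stays readable by others, one option after a successful open is `struct stat s; if (!fstat(new_log_fd, &s) && (s.st_mode & S_IRWXO)) fchmod(new_log_fd, s.st_mode & ~S_IRWXO & 07777);`, with a matching `chmod o-rwx` on an existing directory in the scripts. At minimum, a comment such as `/* Mode applies only on creation and is further reduced by the umask; existing files keep their permissions. */` would record the limitation. The body of vlog_set_log_file starts and ends outside this hunk.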
......
......@@ -231,7 +231,7 @@ rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
install -d -m 0755 $RPM_BUILD_ROOT%{_rundir}/openvswitch
install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch
install -p -D -m 0644 \
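Review bot: The 0750 set on the build-root directory reaches the installed system only if the %files entry for `%{_localstatedir}/log/openvswitch` does not override it, and that entry is outside this hunk. If it carries an explicit `%attr`, or falls under a `%defattr` that sets a directory mode, it needs the same 0750, otherwise the package would keep shipping the old mode. The owner and group recorded there also decide who the 0750 actually admits, so they should match the user and group the daemons log as.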
......
......@@ -150,13 +150,14 @@ version_geq() {
install_dir () {
DIR="$1"
INSTALL_MODE="${2:-755}"
INSTALL_USER="root"
INSTALL_GROUP="root"
[ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
[ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
if test ! -d "$DIR"; then
install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
install -d -m "$INSTALL_MODE" -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
restorecon "$DIR" >/dev/null 2>&1
fi
}
......@@ -174,7 +175,7 @@ start_daemon () {
cd "$DAEMON_CWD"
# log file
install_dir "$logdir"
install_dir "$logdir" "750"
set "$@" --log-file="$logdir/$daemon.log"
# pidfile and monitoring
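Review bot: install_dir, in the hunk above this one, now takes an optional second argument, but nothing at its definition says so. The only caller shown passing it is the log-directory call in start_daemon. A header comment would make the contract visible to other callers: `# install_dir DIR [MODE]: create DIR with MODE (default 755), owned by the user:group from OVS_USER (default root:root), unless it already exists.` The body of start_daemon continues outside the hunk.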
......
......@@ -206,7 +206,7 @@ esac
logdir=$(dirname "$log")
if test ! -d "$logdir"; then
mkdir -p -m755 "$logdir" 2>/dev/null || true
mkdir -p -m750 "$logdir" 2>/dev/null || true
if test ! -d "$logdir"; then
echo "$0: log directory $logdir does not exist and cannot be created" >&2
exit 1
......