author: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com> 2020-07-23 19:13:11 +0300
committer: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com> 2020-07-23 20:00:54 +0300
commit: 2428b6eed51e30a324148529eb6429a9d474f857
tree: ea3885d53df4ba1e2090f621d8729ba2c8f57662 /virtual-media.json
parent: 52fe77517629012769b9d59ecdab37cad08b8711
Assure right permissions for files

According to security guidelines, files created by service must be limited to the narrowest set of permissions required. This must be also true for 3rd party files used by Virtual Media.

- For all regular files and directories created by service umask is used.
- For sockets, permissions are limited by permissions of parent directory.

For full reference see man unix(7). Below the most important fragment:

"In the Linux implementation, sockets which are visible in the filesystem honor the permissions of the directory they are in. Their owner, group and their permissions can be changed. Creation of a new socket will fail if the process does not have write and search (execute) permission on the directory the socket is created in. Connecting to the socket object requires read/write permission. This behavior differs from many BSD-derived systems which ignore permissions for UNIX domain sockets. Portable programs should not rely on this feature for security."

Change-Id: I22ff531c96c8a6903fecb5d8cc71caf33150a713
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
Diffstat (limited to 'virtual-media.json')
-rw-r--r-- virtual-media.json 8
1 files changed, 4 insertions, 4 deletions
diff --git a/virtual-media.json b/virtual-media.json
index 602ba1e..c5c53ed 100644
--- a/virtual-media.json
+++ b/virtual-media.json
@@ -5,7 +5,7 @@
"EndpointId": "/nbd/0",
"Mode": 0,
"NBDDevice": "nbd0",
- "UnixSocket": "/tmp/nbd0.sock",
+ "UnixSocket": "/tmp/sock/nbd0.sock",
"Timeout": 30,
"BlockSize": 512
},
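Review bot: The new `/tmp/sock/` parent in `"UnixSocket": "/tmp/sock/nbd0.sock"` only protects the socket if the service itself creates that directory with a restrictive mode, and this diff (limited to virtual-media.json) does not show where that happens. Because /tmp is shared with other users, please confirm that the code creating `/tmp/sock` refuses a pre-existing directory it does not own, or move the sockets to a service-specific location so that the generic name `sock` cannot be taken first by another process.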
@@ -13,7 +13,7 @@
"EndpointId": "/nbd/1",
"Mode": 0,
"NBDDevice": "nbd1",
- "UnixSocket": "/tmp/nbd1.sock",
+ "UnixSocket": "/tmp/sock/nbd1.sock",
"Timeout": 30,
"BlockSize": 512
},
@@ -21,7 +21,7 @@
"EndpointId": "",
"Mode": 1,
"NBDDevice": "nbd2",
- "UnixSocket": "/tmp/nbd2.sock",
+ "UnixSocket": "/tmp/sock/nbd2.sock",
"Timeout": 90,
"BlockSize": 512
},
@@ -29,7 +29,7 @@
"EndpointId": "",
"Mode": 1,
"NBDDevice": "nbd3",
- "UnixSocket": "/tmp/nbd3.sock",
+ "UnixSocket": "/tmp/sock/nbd3.sock",
"Timeout": 90,
"BlockSize": 512
}
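Review bot: The `/tmp/sock/` prefix is now repeated in all four `UnixSocket` values (nbd0 through nbd3), so a later edit to a single entry can silently put a socket back outside the restricted directory. Suggest one directory setting combined with per-device socket names, or a load-time check that the parent of every `UnixSocket` path is the restricted directory. The dependency on the parent directory's mode is also worth documenting next to this file, since at present it is stated only in the commit message.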