lib: allow group access to Unix domain sockets
By default, Unix domain sockets are created with file system permission
mode of 0700. This means that only processes that runs under the same
user can access this socket.
For OVS, it may be more convenient to control access at the group
level rather than at the user level, since other processes need to
access OVSDB and UNIXCTL sockets while running under different users.
This patch changes Unix domain sockets' file system permission to 0770,
to grant group access.
It has not been an issue in the past since OVS, until very recently,
had to run as root. If a process needed to access OVSDB or UNIXCTL
sockets, it had to be a root process as well.
With the added --user option to OVS daemons and this change, system
administrators can deploy OVS more securely: OVS daemons can run as
a non root user. Various processes that need to talk to OVS does not
have to run as root process anymore.
Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ansis Atteka <aatteka@nicira.com>