On Sun, Jul 08, 2012 at 02:50:02PM +0200, Sebastian Harl wrote:
> On Sat, Jul 07, 2012 at 10:23:00PM +0200, Bastian Blank wrote:
> > All the information recorded by default is available for normal users
> > or at most need CAP_DAC_READSEARCH.

I thought about it and no plugin should need this permission ever. All
this stuff should be done by group permissions.

> I suggest doing the following: run collectd as nobody (or a newly
> created user 'collectd') by default; make that user configurable through
> /etc/default/collectd

This works with start-stop-daemon. I have one test system run this way.

>                           make it possible to provide a list of
> capabilities (through /etc/default/collectd) that would be applied to
> the collectd binary in the init script.

This does not work without code modifications. Capabilities in the
effective and permitted set do not survive execve(2) if not set in the
filesystem.

What collectd should do IMHO:
- General capability support:
  - Capabilities not known safe are dropped immediately even if run by
    root. It never needs to modify network setup or mount stuff.
    Yes, this may break setups if stuff is not root-owned.
  - Plugins can specify what capabilities they need; these will be
    retained and all others dropped.
- Support to set user:
  - The process needs to set SECBIT_KEEP_CAPS to retain capabilities
    while changing user from root.
- Maybe set security bit SECBIT_NOROOT. It removes capabilities from all
  suid-root processes it may try to call.

Bastian

-- 
Killing is wrong.
                -- Losira, "That Which Survives", stardate unknown


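The sequence Bastian sketches above (drop capabilities a monitoring daemon can never legitimately need, keep the union of what the loaded plugins declare, set SECBIT_KEEP_CAPS so that set survives the switch from root to an unprivileged user, and set SECBIT_NOROOT so suid-root helpers gain nothing), written out as an added example. This is not collectd code and not code from this thread; the plugin descriptor, the denylist, the plugin names and the uid/gid 65534 are all assumptions made for the example. It uses the raw capset(2) syscall and prctl(2) so it needs only the Linux kernel headers, not libcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <linux/securebits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical plugin descriptor: a name plus the capabilities it declares.
 * Assumed layout for this example only; collectd has no such structure. */
struct plugin_caps {
    const char *name;
    const int  *caps;
    size_t      ncaps;
};

/* Bit i of a mask stands for capability number i (0..CAP_LAST_CAP < 64). */
static uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Union of the capabilities declared by all loaded plugins. */
uint64_t needed_caps_mask(const struct plugin_caps *plugins, size_t n)
{
    uint64_t mask = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < plugins[i].ncaps; j++)
            if (plugins[i].caps[j] >= 0 && plugins[i].caps[j] <= CAP_LAST_CAP)
                mask |= cap_bit(plugins[i].caps[j]);
    return mask;
}

/* Capabilities a monitoring daemon never has a reason to hold. They are
 * dropped even when root started the daemon and even if a plugin asks
 * (constructed denylist: network setup, mounts, modules, ptrace, identity). */
static const int denied_caps[] = {
    CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO,
    CAP_SYS_PTRACE, CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_MKNOD,
};

int cap_is_denied(int cap)
{
    for (size_t i = 0; i < sizeof denied_caps / sizeof denied_caps[0]; i++)
        if (denied_caps[i] == cap) return 1;
    return 0;
}

/* Strip denied capabilities from a requested mask; *removed counts them. */
uint64_t filter_denied(uint64_t mask, int *removed)
{
    int count = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if ((mask & cap_bit(cap)) && cap_is_denied(cap)) { mask &= ~cap_bit(cap); count++; }
    if (removed) *removed = count;
    return mask;
}

/* Switch from root to uid/gid keeping exactly `mask`. Returns 0 or -errno.
 * Must be called while still root with CAP_SETPCAP in the effective set. */
int drop_to_user(uid_t uid, gid_t gid, uint64_t mask)
{
    /* SECBIT_KEEP_CAPS: the permitted set survives the setuid() below.
     * SECBIT_NOROOT: a suid-root helper exec'd later gains no capabilities.
     * The _LOCKED bit makes the NOROOT choice irreversible for this process. */
    if (prctl(PR_SET_SECUREBITS,
              SECBIT_KEEP_CAPS | SECBIT_NOROOT | SECBIT_NOROOT_LOCKED, 0, 0, 0) < 0)
        return -errno;
    /* Shrink the bounding set so nothing outside `mask` can come back,
     * not even through a binary carrying file capabilities. */
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (!(mask & cap_bit(cap)) && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0 && errno != EINVAL)
            return -errno;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -errno;
    /* setuid() cleared the effective set; re-raise only `mask` and cut the
     * permitted set down to the same bits. The inheritable set stays empty. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = (uint32_t)mask;
    data[1].permitted = data[1].effective = (uint32_t)(mask >> 32);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* Constructed plugin table: "ping" wants raw sockets, a hypothetical
 * "df_root" asks for CAP_DAC_READ_SEARCH, and "greedy" asks for
 * CAP_SYS_ADMIN, which the filter refuses. */
static const int ping_needs[]   = { CAP_NET_RAW };
static const int df_needs[]     = { CAP_DAC_READ_SEARCH };
static const int greedy_needs[] = { CAP_SYS_ADMIN };
static const struct plugin_caps demo_plugins[] = {
    { "ping", ping_needs, 1 }, { "df_root", df_needs, 1 }, { "greedy", greedy_needs, 1 },
};

uint64_t demo_requested_mask(void) { return needed_caps_mask(demo_plugins, 3); }
uint64_t demo_granted_mask(void)   { return filter_denied(demo_requested_mask(), NULL); }
int demo_denied_count(void) { int n = 0; filter_denied(demo_requested_mask(), &n); return n; }

int main(void)
{
    uint64_t mask = demo_granted_mask();
    printf("requested %#llx, granted %#llx (%d denied)\n",
           (unsigned long long)demo_requested_mask(), (unsigned long long)mask, demo_denied_count());
    if (geteuid() != 0) { puts("not root: skipping the privilege drop"); return 0; }
    int rc = drop_to_user(65534, 65534, mask);   /* assumed nobody/nogroup ids */
    if (rc) { fprintf(stderr, "drop failed: %s\n", strerror(-rc)); return 1; }
    puts("running unprivileged with only the plugin capabilities");
    return 0;
}
```

Two details matter for the ordering: the bounding-set drops and the securebits change need CAP_SETPCAP, so they happen before setuid(), and the final capset() is what actually discards the capabilities that SECBIT_KEEP_CAPS carried across the uid change. Without that last step the process would still hold every capability root had, only with a different uid.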