dedicated user for sysutils/monit

2019-06-26 Thread Joel Carnat
Hello,

I've just installed sysutils/monit on some new server and noticed there
was no dedicated user created to run the daemon.

I already run it as non-root on several servers. So I know it works.
Note that there are cases (service restart for example) that require
configuring doas rules. But once done, everything runs ok.

If you think that's ok, here's a patch to create a dedicated user.
Inspired by the net/openvpn port.

Regards,
Jo
--- infrastructure/db/user.list.origWed Jun 26 17:04:43 2019
+++ infrastructure/db/user.list Wed Jun 26 17:06:41 2019
@@ -348,2 +348,3 @@
 837 _thingsd   _thingsdnet/thingsd
 838 _i2pd  _i2pd   net/i2pd
+839 _monit _monit  sysutils/monit
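Review bot: this user.list entry reserves uid/gid 839 but nothing else in the patch consumes it: pkg/monit.rc is not touched (no `daemon_user="_monit"`), and ${SYSCONFDIR}/monitrc and ${LOCALSTATEDIR}/monit/ keep their current ownership, so the installed daemon still starts as root and the reserved id sits unused. Either ship the rc script and ownership changes together with this entry, or hold the id until the port really runs as _monit.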

--- sysutils/monit/pkg/PLIST.orig   Wed May  1 21:21:57 2019
+++ sysutils/monit/pkg/PLISTWed Jun 26 17:14:10 2019
@@ -1,3 +1,5 @@
 @comment $OpenBSD: PLIST,v 1.11 2019/05/01 19:21:57 landry Exp $
+@newgroup _monit:839
+@newuser _monit:839:_monit:daemon:Monit Daemon:/var/monit:/sbin/nologin
 @rcscript ${RCDIR}/monit
 @bin bin/monit
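Review bot: the @newuser line gives _monit a home of /var/monit although this hunk creates nothing at that path, and with /sbin/nologin as the shell the account never needs a home to land in; /nonexistent, as most other daemon users use, avoids pointing the account at a directory that may be absent or, if it doubles as the daemon's state directory, writable by the daemon itself. The uid and gid (839) must also stay in step with the user.list entry whenever either is renumbered.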


Re: dedicated user for sysutils/monit

2019-06-26 Thread Stuart Henderson
On 2019/06/26 17:29, Joel Carnat wrote:
> Hello,
> 
> I've just installed sysutils/monit on some new server and noticed there
> was no dedicated user created to run the daemon.
> 
> I already run it as non-root on several servers. So I know it works.
> Note that there are cases (service restart for example) that require
> configuring doas rules. But once done, everything runs ok.
> 
> If you think that's ok, here's a patch to create a dedicated user.
> Inspired by the net/openvpn port.
> 
> Regards,
> Jo

> --- infrastructure/db/user.list.orig  Wed Jun 26 17:04:43 2019
> +++ infrastructure/db/user.list   Wed Jun 26 17:06:41 2019
> @@ -348,2 +348,3 @@
>  837 _thingsd _thingsdnet/thingsd
>  838 _i2pd_i2pd   net/i2pd
> +839 _monit   _monit  sysutils/monit
> 
> --- sysutils/monit/pkg/PLIST.orig Wed May  1 21:21:57 2019
> +++ sysutils/monit/pkg/PLIST  Wed Jun 26 17:14:10 2019
> @@ -1,3 +1,5 @@
>  @comment $OpenBSD: PLIST,v 1.11 2019/05/01 19:21:57 landry Exp $
> +@newgroup _monit:839
> +@newuser _monit:839:_monit:daemon:Monit Daemon:/var/monit:/sbin/nologin
>  @rcscript ${RCDIR}/monit
>  @bin bin/monit


I think it really needs more support than just "drop a new uid/gid in
/etc and hope the user configures something to use it" to be worth tying
up the somewhat limited resource of ports uids..



Re: dedicated user for sysutils/monit

2019-06-26 Thread Joel Carnat
On Wed, Jun 26, 2019 at 05:18:33PM +0100, Stuart Henderson wrote:
> On 2019/06/26 17:29, Joel Carnat wrote:
> > Hello,
> > 
> > I've just installed sysutils/monit on some new server and noticed there
> > was no dedicated user created to run the daemon.
> > 
> > I already run it as non-root on several servers. So I know it works.
> > Note that there are cases (service restart for example) that require
> > configuring doas rules. But once done, everything runs ok.
> > 
> > If you think that's ok, here's a patch to create a dedicated user.
> > Inspired by the net/openvpn port.
> > 
> > Regards,
> > Jo
> 
> > --- infrastructure/db/user.list.origWed Jun 26 17:04:43 2019
> > +++ infrastructure/db/user.list Wed Jun 26 17:06:41 2019
> > @@ -348,2 +348,3 @@
> >  837 _thingsd   _thingsdnet/thingsd
> >  838 _i2pd  _i2pd   net/i2pd
> > +839 _monit _monit  sysutils/monit
> > 
> > --- sysutils/monit/pkg/PLIST.orig   Wed May  1 21:21:57 2019
> > +++ sysutils/monit/pkg/PLISTWed Jun 26 17:14:10 2019
> > @@ -1,3 +1,5 @@
> >  @comment $OpenBSD: PLIST,v 1.11 2019/05/01 19:21:57 landry Exp $
> > +@newgroup _monit:839
> > +@newuser _monit:839:_monit:daemon:Monit Daemon:/var/monit:/sbin/nologin
> >  @rcscript ${RCDIR}/monit
> >  @bin bin/monit
> 
> I think it really needs more support than just "drop a new uid/gid in
> /etc and hope the user configures something to use it" to be worth tying
> up the somewhat limited resource of ports uids..
> 
You're right. I forgot to include some manual things I did... Sorry.
Here's another diff. Hopefully complete.

--- infrastructure/db/user.list.origWed Jun 26 17:04:43 2019
+++ infrastructure/db/user.list Wed Jun 26 17:06:41 2019
@@ -348,2 +348,3 @@
 837 _thingsd   _thingsdnet/thingsd
 838 _i2pd  _i2pd   net/i2pd
+839 _monit _monit  sysutils/monit
--- sysutils/monit/pkg/monit.rc.origThu Jan 11 20:27:10 2018
+++ sysutils/monit/pkg/monit.rc Wed Jun 26 18:33:27 2019
@@ -4,4 +4,5 @@
 
 daemon="${TRUEPREFIX}/bin/monit"
+daemon_user="_monit"
 
 . /etc/rc.d/rc.subr
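Review bot: `daemon_user="_monit"` is unconditional, so every existing install switches to the unprivileged user on its next upgrade, and the features this thread already identifies as needing root stop working without warning at upgrade time: the ping test (raw sockets) and service restarts unless doas rules are configured. Either leave the line commented out as an opt-in, or document the new default, the doas requirement and the ping limitation in the port's README so an admin learns about them before the daemon is restarted.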
--- sysutils/monit/pkg/PLIST.orig   Wed May  1 21:21:57 2019
+++ sysutils/monit/pkg/PLISTWed Jun 26 18:49:32 2019
@@ -1,3 +1,5 @@
 @comment $OpenBSD: PLIST,v 1.11 2019/05/01 19:21:57 landry Exp $
+@newgroup _monit:839
+@newuser _monit:839:_monit:daemon:Monit Daemon:/var/monit:/sbin/nologin
 @rcscript ${RCDIR}/monit
 @bin bin/monit
@@ -8,5 +10,9 @@
 share/examples/monit/monitrc
 @mode 0600
+@owner _monit
+@group _monit
 @sample ${SYSCONFDIR}/monitrc
 @mode
 @sample ${LOCALSTATEDIR}/monit/
+@owner
+@group
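Review bot: the @owner _monit/@group _monit block is still in effect when `@sample ${LOCALSTATEDIR}/monit/` runs (the blank @owner/@group reset comes after it), so both monitrc and the state directory end up writable by the daemon user; for monitrc that means a compromised monit process can rewrite the configuration that decides what monit executes, so if monit requires its control file to be owned by the user it runs as, say so in the commit message, since a root-owned config would otherwise be the safer default. @sample also only installs the file when the target does not exist yet, so on an upgrade an existing root-owned 0600 ${SYSCONFDIR}/monitrc keeps its ownership and the daemon, now running as _monit, cannot read it; the upgrade path needs a chown step or a README note.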


Re: dedicated user for sysutils/monit

2019-06-27 Thread Antoine Jacoutot
On Wed, Jun 26, 2019 at 05:29:14PM +0200, Joel Carnat wrote:
> Hello,
> 
> I've just installed sysutils/monit on some new server and noticed there
> was no dedicated user created to run the daemon.
> 
> I already run it as non-root on several servers. So I know it works.
> Note that there are cases (service restart for example) that require
> configuring doas rules. But once done, everything runs ok.
> 
> If you think that's ok, here's a patch to create a dedicated user.
> Inspired by the net/openvpn port.
> 
> Regards,
> Jo

> --- infrastructure/db/user.list.orig  Wed Jun 26 17:04:43 2019
> +++ infrastructure/db/user.list   Wed Jun 26 17:06:41 2019
> @@ -348,2 +348,3 @@
>  837 _thingsd _thingsdnet/thingsd
>  838 _i2pd_i2pd   net/i2pd
> +839 _monit   _monit  sysutils/monit
> 
> --- sysutils/monit/pkg/PLIST.orig Wed May  1 21:21:57 2019
> +++ sysutils/monit/pkg/PLIST  Wed Jun 26 17:14:10 2019
> @@ -1,3 +1,5 @@
>  @comment $OpenBSD: PLIST,v 1.11 2019/05/01 19:21:57 landry Exp $
> +@newgroup _monit:839
> +@newuser _monit:839:_monit:daemon:Monit Daemon:/var/monit:/sbin/nologin

Can't we use /nonexistent for HOME like most other daemons do?

>  @rcscript ${RCDIR}/monit
>  @bin bin/monit


-- 
Antoine



Re: dedicated user for sysutils/monit

2019-06-30 Thread Caspar Schutijser
On Fri, Jun 28, 2019 at 02:49:26PM +0200, Joel Carnat wrote:
> BTW, following stu@'s "(...) I think it really needs more support (...)"
> remark, I searched for things that would break if Monit would not run as
> root. I found that the "network ping test" requires root access to run.
> I don't use it myself so I didn't notice it when running as _monit.
> Documentation says: "Monit must also run as the root user in order to be
> able to perform the ping test (because the ping test must use raw
> sockets which usually only the super user is allowed to)."

For the reason that you mentioned above, I don't think it is a good
idea to make monit run as a non-root user by default. As you noticed,
monit doesn't appear to be designed to be run as a non-root user.

Best regards,
Caspar Schutijser