[collectd] [PATCH] Network plugin access control improvements

Grzegorz Nosek root at localdomain.pl
Mon Jun 6 11:20:25 CEST 2011


Hi,

I need to collect some data from semi-untrusted clients. I can only 
allow them to publish a specified subset of data, e.g. a single plugin, 
but cannot be 100% sure what they _do_ publish.

Signing and encryption only protect from untrusted network, not 
untrusted publishers. So I decided to extend collectd a bit. First, the 
collectd network plugin may now listen on unix sockets too (via a rather 
gross hack around getaddrinfo). The UnixSock plugin offers way too much 
access for my use case. Second, I extended the metadata attached to the 
collected values to contain the socket name on which a specific value 
arrived. Third, I extended the regex match to allow metadata comparisons.

The end result is that I can now say something like this:

---------------------------------------------------
<Plugin network>
         <Listen "/local" "/tmp/collectd.sock">
                 SocketPerms "666"
                 SocketGroup "1000"
                 DeleteSocket true
         </Listen>
</Plugin>

<Chain "PreCache">
         <Rule "example_filter">
                 <Match "regex">
                         Metadata "network:node" "^/local$"
                         Metadata "network:service" "^/tmp/collectd\.sock$"
                 </Match>
                 <Match "regex">
                         PluginInstance "^example_instance$"
                         Invert true
                 </Match>
                 Target "stop"
         </Rule>
</Chain>
---------------------------------------------------

to restrict samples sent over /tmp/collectd.sock to a single plugin 
instance (realistic filters and socket permissions would be slightly 
different). The /local convention comes from Stevens' Unix Network 
Programming, so I can take neither blame nor credit for that ;)

If anybody is interested in these patches, feel free to grab them from 
my github tree based on git://git.verplant.org/collectd.git#master:

https://github.com/gnosek/collectd/tree/network_unix_sockets

(it also contains an unrelated build fix related to libiptc). Comments 
gladly accepted.

I'd send a github pull request but it seems the upstream github tree is 
a bit outdated.

Best regards,
  Grzegorz Nosek
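To make the filter semantics of the configuration above concrete, here is an added Python model (not part of the patch or of collectd) of how the PreCache rule is evaluated: every field listed in a regex Match must match (AND), Invert flips that result, a Rule fires only when all its Match blocks match, and Target "stop" drops the value. The "network:node"/"network:service" metadata keys are assumed to be set by the server at receive time, as the mail describes, so a publisher cannot forge them; sample values and peer addresses are constructed.

```python
import re

# Constructed model of the <Rule "example_filter"> from the mail.
# Each Match is (field -> regex, Invert); "meta:" fields are the
# server-attached metadata, which the publisher cannot influence.
RULE = {
    "matches": [
        ({"meta:network:node": r"^/local$",
          "meta:network:service": r"^/tmp/collectd\.sock$"}, False),
        ({"plugin_instance": r"^example_instance$"}, True),
    ],
    "target": "stop",
}


def _field(value, name):
    if name.startswith("meta:"):
        return value.get("meta", {}).get(name[len("meta:"):], "")
    return value.get(name, "")


def regex_match(value, patterns, invert):
    """collectd 'regex' match: all listed fields must match (AND);
    Invert true flips the combined result."""
    matched = all(re.search(p, _field(value, f)) for f, p in patterns.items())
    return matched != invert


def evaluate(value, rule=RULE):
    """A rule fires only when every Match block matches; the target
    'stop' drops the value, anything else continues to the cache."""
    if all(regex_match(value, pats, inv) for pats, inv in rule["matches"]):
        return rule["target"]
    return "continue"


def sample(node, service, plugin_instance):
    """Build a constructed value as it would look after dispatch."""
    return {"plugin": "example", "plugin_instance": plugin_instance,
            "meta": {"network:node": node, "network:service": service}}


if __name__ == "__main__":
    # Allowed instance over the restricted socket passes.
    print(evaluate(sample("/local", "/tmp/collectd.sock", "example_instance")))
    # Anything else arriving over that socket is dropped.
    print(evaluate(sample("/local", "/tmp/collectd.sock", "other")))
    # Same value from a trusted TCP peer (constructed address) passes.
    print(evaluate(sample("192.0.2.10", "25826", "other")))
```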


