<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thanks Wilfried!<div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Apr 30, 2015, at 1:56 AM, Wilfried Goesgens <<a href="mailto:dothebart@citadel.org" class="">dothebart@citadel.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><p class="">Hi Stuart,</p><p class="">the proper solution is to grant read access to a group on these files (like 'admin' in debian) and add the collectd user to that group.</p><div class=""> <br class="webkit-block-placeholder"></div>
<blockquote class="">
<div class="message_header"><span class="">Wed Apr 29 2015 15:08:25 EDT</span> <span class="">from "Stuart Cracraft" <<a href="mailto:smcracraft@me.com" class="">smcracraft@me.com</a>> </span> <span class="message_subject">Subject: [collectd] collectd restriction</span></div>
<div class="message_content">
<div class="">So, even though collectd runs by default as root,</div>
<div class="">none of its children can be so-configured, due to a decision</div>
<div class="">shown in:</div>
<div class=""> </div>
<div class=""> <a href="https://collectd.org/wiki/index.php/Plugin:Exec" target="webcit01" class="">https://collectd.org/wiki/index.php/Plugin:Exec</a></div>
<div class=""> </div>
<div class="">which restricts Exec-based plugins to using uid!=0 as the</div>
<div class="">uid for the running collectors as children of collectd:</div>
<div class=""> </div>
<div class=""><span style="font-family: sans-serif; font-size: 12.8000001907349px; line-height: 19.2000007629395px;" class="">"The security concerns are addressed by forcing the plugin to check that custom programs are never executed with superuser privileges. If the daemon runs as root, you </span> <em style="font-family: sans-serif; font-size: 12.8000001907349px; line-height: 19.2000007629395px;" class="">have to</em> <span style="font-family: sans-serif; font-size: 12.8000001907349px; line-height: 19.2000007629395px;" class=""> configure another user ID with which the new process is created."</span></div>
<div class=""> </div>
<div class="">This is a half-hearted, strange attempt to draconianly</div>
<div class="">say "all uid=0" is bad and feels suspiciously nannyish, big-government.</div>
<div class=""> </div>
<div class="">In fact, there are many commands which require root to</div>
<div class="">access protected files or devices and which do not have</div>
<div class="">non-Exec collectd-generic-support but constitute invaluable</div>
<div class="">information to have collected, graphed and alarmed on.</div>
<div class=""> </div>
<div class="">I am surprised at the above decision and am asking</div>
<div class="">the community how you collect root-accessible-only data</div>
<div class="">in collectd when there is no plugin exec, nor otherwise, to collectd.</div>
<div class=""> </div>
<div class=""> </div>
<div class=""> </div>
</div>
</blockquote>
</div>
</div></blockquote></div><br class=""></div></body></html>