[collectd] How to store MySQL statistics?
Florian Forster
octo at verplant.org
Tue Dec 20 17:19:01 CET 2005
Hey :)
On Tue, Dec 20, 2005 at 02:29:56PM +0100, Niki Waibel wrote:
> this directory thing is pretty hairy from a security point of view!!!
> ../../.. and symbolic links should be checked.
I don't think it's that big of a problem actually. Most of the filename
comes from the plugins themselves. They may fill in the `instance', so
that should be checked for slashes..
I'll still check and refuse to create directories that begin with a dot.
As far as symbolic links are concerned I'd say that's the responsibility
of the administrator or whoever is running the program. I myself want to
be able to use symbolic links within the data directory..
> a nice possibility for a buffer overflow.
collectd handles strings from the outside almost everywhere, I
don't think that's any worse here.. (Nor will it be any better.. ;)
> we have to keep in mind that collectd runs as root all the time.
It doesn't need root unless you want to use the `ping' or `serial'
plugins.
> maybe it would make sense to switch user and group for writing files
> ... i think there was a way to switch and then continue work as root.
Hmhm..
> maybe the default should be that all privileges are dropped,
> and only for special modules that need it those are kept.
> most things the modules do can be done as user!
Yeah, that's much better.. Still, _real_ privilege separation would be
better, i.e. have one process collecting ping (and serial) statistics,
another to collect the rest (possibly without any privileges) and a
third one to write the RRD files. With the upcoming configfile that
should be easily possible..
Regards,
-octo
--
Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
http://verplant.org/
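The checks discussed in this message (refuse an `instance' containing a slash, refuse a directory name beginning with a dot) as an added C example; this is illustrative code written for this archive page, not collectd's own implementation. It goes slightly beyond the mail by also rejecting empty components and refusing a truncated path instead of silently writing to the wrong file; the base directory and the ".rrd" layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a plugin or instance name is safe to use as one path
 * component under the data directory, 0 otherwise. A leading dot covers
 * ".", ".." and hidden entries; a slash would add a directory level. */
int component_is_safe(const char *s)
{
    if (s == NULL || s[0] == '\0')
        return 0;                 /* empty component */
    if (s[0] == '.')
        return 0;                 /* ".", "..", ".hidden" */
    if (strchr(s, '/') != NULL)
        return 0;                 /* "a/b", "../../etc" */
    return 1;
}

/* Build "<base>/<plugin>/<instance>.rrd" from validated components only.
 * Returns 0 on success, -1 if a component is unsafe or the buffer is
 * too small (a truncated path must never be used). */
int build_rrd_path(char *buf, size_t bufsize, const char *base,
                   const char *plugin, const char *instance)
{
    int n;

    if (!component_is_safe(plugin) || !component_is_safe(instance))
        return -1;
    n = snprintf(buf, bufsize, "%s/%s/%s.rrd", base, plugin, instance);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;                /* truncated or encoding error */
    return 0;
}
```

Symbolic links inside the data directory are deliberately not checked here, matching the position taken in the mail that they are the administrator's responsibility.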