[collectd] exec-plugin permission bug (?)

Sebastian Harl sh at tokkee.org
Sun Sep 2 15:45:54 CEST 2007


Hi Philipp,

On Sun, Sep 02, 2007 at 02:54:42PM +0200, Philipp Giebel wrote:
> But: The group of the executing user still isn't getting changed.. Is it
> me being dumb or is it really not working..?
> I took a look at the source and found some lines about finding the
> defined group (format: <user>:<group>), something about changing the
> group but when I use the following config-line to enable the exec-script:
> 
>   Exec rrduser:adm "/usr/local/bin/rrdscripts/rrd-postfix.sh"

Is the user "rrduser" a member of the "adm" group? setuid(2) is called before
setgid(2) and thus only groups that the specified user is a member of might be
used. Florian suggested to switch that around to make it possible to specify
any group, however, I think it makes more sense to keep the current behavior -
it might be slightly more secure as well. If people complain about that, I
will change it though ;-)

> collectd complains:
> 
>   Sep  2 00:23:22 localhost collectd[6940]: exec plugin: exec failed:

exec() usually fails if the user/group is not allowed to execute the
specified script or if it has not been found. Do you depend on changing the
group to be able to execute the script? If not, you should double check that
you supplied the correct script name/path.

Anyway, there is still a bug in the usage of the strerror_r() function (which
should provide an error message after "exec failed:"). GNU did some strange
things when implementing this function - I will provide a patch for that later
on.

> In his "patch-post" Sebastian is writing somewhere that, when the
> group-parameter is omitted at the config-file, the group will
> automatically be changed to the users default-group.

This is only valid if you keep the colon (:). The config line should look
like:

  Exec <user>: <script>

(see collectd.conf(5): "If only the colon follows the user name ...")

> So I tried to remove the ":adm" and changed rrdusers default-group to
> "4" / "adm" (is this possible anyway..?).

You can set the default group to anything you want, using the numerical group
ID in /etc/passwd.

HTH,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin
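
The check asked for in the reply above ("Is the user a member of the group?"), as an added example that is not part of the original message and not collectd's code: it splits the user part of an Exec line into the three forms discussed in the thread and tests group membership against the passwd and group databases. All function and type names are hypothetical, and treating a spec without a colon as "group left unchanged" is an assumption drawn from the reply.

```c
/* Added example, not collectd source; all names are hypothetical. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum group_mode { GROUP_UNCHANGED, GROUP_USER_DEFAULT, GROUP_NAMED };

/* Split "<user>", "<user>:" or "<user>:<group>" into user and group.
 * Returns a group_mode, or -1 if a part is empty or does not fit in len. */
static int parse_exec_user(const char *spec, char *user, char *group, size_t len)
{
    const char *colon = strchr(spec, ':');
    size_t ulen = colon ? (size_t)(colon - spec) : strlen(spec);
    if (ulen == 0 || ulen >= len) return -1;
    memcpy(user, spec, ulen);
    user[ulen] = '\0';
    group[0] = '\0';
    if (colon == NULL) return GROUP_UNCHANGED;         /* assumption, see lead-in */
    if (colon[1] == '\0') return GROUP_USER_DEFAULT;   /* "rrduser:" */
    if (strlen(colon + 1) >= len) return -1;
    strcpy(group, colon + 1);
    return GROUP_NAMED;                                /* "rrduser:adm" */
}

/* 1 if group is the user's primary group or lists the user as a member,
 * 0 if it does not, -1 if the user or the group cannot be resolved. */
static int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    gid_t primary = pw->pw_gid;   /* copy out before the next lookup */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    if (gr->gr_gid == primary) return 1;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0) return 1;
    return 0;
}

int main(void)
{
    char user[64], group[64];
    int mode = parse_exec_user("rrduser:adm", user, group, sizeof(user));
    if (mode == GROUP_NAMED)
        printf("%s in %s: %d\n", user, group, user_in_group(user, group));
    return 0;
}
```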
