[collectd] exec-plugin permission bug (?)

Sebastian Harl sh at tokkee.org
Mon Sep 3 14:07:58 CEST 2007 

Hi,

Sorry, I've somehow missed this message...

On Mon, Sep 03, 2007 at 10:50:52AM +0200, Philipp Giebel wrote:
> Sebastian Harl schrieb:
> > Please try again with the patched version of collectd and provide the error
> > messages. They are so much more helpful than just guessing what might have
> > gone wrong ;-)
> 
> Okay.. Now it's getting really strange (yes! even stranger than before..
> ;) )
> 
> He complains about not finding the script:
> 
>   Sep  3 10:42:41 localhost collectd[4385]: exec plugin: exec failed: \
>     No such file or directory

You've probably specified <user>:<group> without any quotes. As the colon is
not an alphanumerical character, it needs to be quoted in the configfile:

  Exec "<user>:<group>" "<file>"

If you miss the quoting, the config parser screws up and the script ends up to
be "<group> <file>" which obviously cannot be executed ;-)

Flo, imho a colon (:) and a dot (.) should also be allowed unquoted in the
config file. This should prevent a lot of similar errors. What do you think?

> When removing the "adm" from the config-file, so it only sais: 'Exec
> rrduser: "/foo/bar"' the script is found, but doesn't work (as explained
> before..)

There is another error in my original patch. Despite what I originally
assumed, an unprivileged user is not allowed to change the group ID of a
process to anything besides the effective GID or the saved set GID of the
process (the default group might be allowed as well).

If you quote the <user> <group> pair in your configfile you should get a
permission denied error when trying to change the GID.

A patch will be available shortly.

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.         -- Benjamin Franklin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.verplant.org/pipermail/collectd/attachments/20070903/7be3cf34/attachment.pgp

More information about the collectd mailing list