[collectd] Bug#680660: collectd - runs as root without apparent reason
xani666 at gmail.com
Mon Jul 16 17:14:07 CEST 2012
>> - Maybe set security bit SECBIT_NOROOT. It removes capabilities from all
>> suid-root processes it may try to call.
> This would be in the spirit of the exec plugin which refuses to run any
> external programs / scripts as root. However, I'm not entirely sure if
> that's a good idea, though, as that just limits the possibilities of the
> user while I don't see much security benefits.
Many times I had to write silly wrappers/crons just because some stat
data had to be obtained as root user. What would be nice is a ability
to specify enabled capabilities per exec while allowing to run them on
user root (possibly with IKnowThatIsUnsafe switch ;) )
More information about the collectd