[collectd] Bug#680660: collectd - runs as root without apparent reason

Mariusz Gronczewski xani666 at gmail.com
Mon Jul 16 17:14:07 CEST 2012


Hi,

>> - Maybe set security bit SECBIT_NOROOT. It removes capabilities from all
>>   suid-root processes it may try to call.
>
> This would be in the spirit of the exec plugin which refuses to run any
> external programs / scripts as root. However, I'm not entirely sure if
> that's a good idea, though, as that just limits the possibilities of the
> user while I don't see much security benefits.
>
> Cheers,
Many times I had to write silly wrappers/crons just because some stat
data had to be obtained as root user. What would be nice is a ability
to specify enabled capabilities per exec while allowing to run them on
user root (possibly with IKnowThatIsUnsafe switch ;) )

-- 
Mariusz Gronczewski



More information about the collectd mailing list