[collectd] collectd restriction

Wilfried Goesgens dothebart at citadel.org
Thu Apr 30 10:56:17 CEST 2015


Hi Stuart,

The proper solution is to grant read access to a group on these files (like
'admin' in Debian) and add the collectd user to that group.

   
> Wed Apr 29 2015 15:08:25 EDT from "Stuart Cracraft" <smcracraft at me.com>
> Subject: [collectd] collectd restriction
>
> So, even though collectd runs by default as root, none of its children
> can be so-configured, due to a decision shown in:
>
>   https://collectd.org/wiki/index.php/Plugin:Exec
>
> which restricts Exec-based plugins to using uid!=0 as the uid for the
> running collectors as children of collectd:
>
> "The security concerns are addressed by forcing the plugin to check that
> custom programs are never executed with superuser privileges. If the daemon
> runs as root, you /have to/ configure another user ID with which the new
> process is created."
>
> This is a half-hearted, strange attempt to draconianly say "all uid=0" is
> bad and feels suspiciously nannyish, big-government.
>
> In fact, there are many commands which require root to access protected
> files or devices and which do not have non-Exec collectd-generic-support
> but constitute invaluable information to have collected, graphed and
> alarmed on.
>
> I am surprised at the above decision and am asking the community how you
> collect root-accessible-only data in collectd when there is no plugin exec,
> nor otherwise, to collectd.
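
Added example, not part of either message above: a read-only shell helper for the group-based approach suggested in the reply. It prints the `chgrp`, `chmod` and `usermod` commands still needed so that a non-root collector user can read the given files through a group; the user, group and file names passed to it, and the script path in the comment, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Audits group-based read access for a
# non-root Exec collector and prints the commands still required. It changes
# nothing itself; review the output and run it as root if it is what you want.
#
# Matching collectd.conf line (script path is hypothetical):
#   Exec "collectd:admin" "/usr/local/bin/collect-protected.sh"
# Naming the group after the colon sets the child's effective group ID.
#
# Usage: plan_group_read USER GROUP FILE...
plan_group_read() {
    pgr_user=$1
    pgr_group=$2
    shift 2

    # Is USER already a member of GROUP? Names and numeric IDs are both
    # checked; an unknown user yields an empty list and counts as "no".
    pgr_member=no
    for pgr_g in $(id -Gn "$pgr_user" 2>/dev/null) $(id -G "$pgr_user" 2>/dev/null); do
        if [ "$pgr_g" = "$pgr_group" ]; then
            pgr_member=yes
        fi
    done

    for pgr_f in "$@"; do
        if [ ! -e "$pgr_f" ]; then
            printf "# missing, skipped: %s\n" "$pgr_f"
            continue
        fi
        # File must be owned by GROUP ...
        if [ -z "$(find "$pgr_f" -prune -group "$pgr_group" 2>/dev/null)" ]; then
            printf "chgrp %s '%s'\n" "$pgr_group" "$pgr_f"
        fi
        # ... and carry the group-read bit (mode 040).
        if [ -z "$(find "$pgr_f" -prune -perm -040 2>/dev/null)" ]; then
            printf "chmod g+r '%s'\n" "$pgr_f"
        fi
    done

    if [ "$pgr_member" = no ]; then
        printf "usermod -aG %s %s\n" "$pgr_group" "$pgr_user"
    fi
    return 0
}
```

Empty output means the user can already read every listed file through the group. Directories above each file still need to be traversable by that user.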
