[collectd] collectd restriction

Stuart Cracraft smcracraft at me.com
Fri May 1 06:18:22 CEST 2015


Thanks Wilfried!

> On Apr 30, 2015, at 1:56 AM, Wilfried Goesgens <dothebart at citadel.org> wrote:
> 
> Hi Stuart,
> 
> The proper solution is to grant read access to a group on these files (like 'admin' in Debian) and add the collectd user to that group.
> 
>  
> Wed Apr 29 2015 15:08:25 EDT from "Stuart Cracraft" <smcracraft at me.com> Subject: [collectd] collectd restriction
> So, even though collectd runs by default as root,
> none of its children can be so-configured, due to a decision
> shown in:
>  
>   https://collectd.org/wiki/index.php/Plugin:Exec
>  
> which restricts Exec-based plugins to using uid!=0 as the
> uid for the running collectors as children of collectd:
>  
> "The security concerns are addressed by forcing the plugin to check that custom programs are never executed with superuser privileges. If the daemon runs as root, you have to configure another user ID with which the new process is created."
>  
> This is a half-hearted, strange attempt to draconianly
> say "all uid=0" is bad and feels suspiciously nannyish, big-government.
>  
> In fact, there are many commands which require root to
> access protected files or devices and which do not have
> non-Exec collectd-generic-support but constitute invaluable
> information to have collected, graphed and alarmed on.
>  
> I am surprised at the above decision and am asking
> the community how you collect root-accessible-only data
> in collectd when there is no plugin exec, nor otherwise, to collectd.
>  
>  
>  
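
The group-based approach from the quoted reply, as an added example that is not part of the original thread: a collector script for the Exec plugin that runs as the unprivileged collectd user and reads a file made readable through a group. The group name `metrics`, the file and script paths, and the `linecount` metric name are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread. File, group and script names are
# placeholders. Assumed one-time setup, done by root:
#   chgrp metrics /var/log/protected.log && chmod 640 /var/log/protected.log
#   usermod -a -G metrics collectd
# collectd.conf then starts this script as that user and group:
#   <Plugin exec>
#     Exec "collectd:metrics" "/usr/local/bin/linecount.sh" "/var/log/protected.log"
#   </Plugin>

# Print one PUTVAL line (collectd plain-text protocol) carrying the line
# count of $3. Returns 1 if the file is not readable by the current user,
# which is what happens when the group grant is missing.
putval_linecount() {
    host=$1 interval=$2 file=$3
    [ -r "$file" ] || return 1
    count=$(wc -l < "$file" | tr -d ' ')
    # Keep the type instance to characters that are safe in an identifier.
    name=$(basename "$file" | tr -c 'A-Za-z0-9_\n' '_')
    printf 'PUTVAL "%s/exec-linecount/gauge-%s" interval=%s N:%s\n' \
        "$host" "$name" "$interval" "$count"
}

# Collector loop; runs only when a file argument is given.
if [ "$#" -gt 0 ]; then
    # The Exec plugin exports these two variables to the child process.
    host=${COLLECTD_HOSTNAME:-localhost}
    interval=${COLLECTD_INTERVAL:-10}
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root" >&2
        exit 1
    fi
    # COLLECTD_INTERVAL may carry a fraction; sleep on the integer part.
    while sleep "${interval%.*}"; do
        putval_linecount "$host" "$interval" "$1" ||
            echo "cannot read $1: check group membership" >&2
    done
fi
```

Group membership is read when the process starts, so collectd has to be restarted after the `usermod` step before the script can read the file.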


