List: collectd
Subject: Re: [collectd] Bug#680660: collectd - runs as root without apparent reason
From: Mariusz Gronczewski <xani666 () gmail ! com>
Date: 2012-07-16 15:14:07
Message-ID: CAJ9Ak2rDpfMgum92gKDPM6-p87XnLMK4dpWZYZif=AnkEmDi1g () mail ! gmail ! com
Hi,
>> - Maybe set security bit SECBIT_NOROOT. It removes capabilities from all
>> suid-root processes it may try to call.
>
> This would be in the spirit of the exec plugin which refuses to run any
> external programs / scripts as root. However, I'm not entirely sure if
> that's a good idea, though, as that just limits the possibilities of the
> user while I don't see much security benefit.
>
> Cheers,
Many times I had to write silly wrappers/crons just because some stat
data had to be obtained as the root user. What would be nice is an ability
to specify enabled capabilities per exec while allowing them to be run as
user root (possibly with an IKnowThatIsUnsafe switch ;) )
--
Mariusz Gronczewski
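
Added example, not part of the original message or of collectd: a small C model of the execve() capability rules from capabilities(7), showing what SECBIT_NOROOT changes for a helper started by a root process and how a file capability restores one privilege per executable. The function and struct names and the scenario values are assumptions made for illustration, and the ambient set is left out of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Numeric values as in <linux/capability.h> and <linux/securebits.h>. */
#define CAP_NET_RAW   13
#define SECBIT_NOROOT 0x1
#define CAP_BIT(c)    (UINT64_C(1) << (c))
#define CAP_ALL       (~UINT64_C(0))   /* model only: every capability bit */

struct proc_caps { uint64_t permitted, effective, inheritable, bounding; };
struct file_caps { uint64_t permitted, inheritable; bool effective; };

/* execve() rules from capabilities(7), ambient set left out.
 * ruid/euid are the IDs after exec, i.e. after a set-user-ID bit applied. */
struct proc_caps exec_transform(struct proc_caps p, struct file_caps f,
                                unsigned ruid, unsigned euid, unsigned securebits)
{
    struct proc_caps n = p;   /* inheritable and bounding carry over */
    if (!(securebits & SECBIT_NOROOT)) {
        /* Root special case: file sets are treated as all ones. */
        if (ruid == 0 || euid == 0)
            f.permitted = f.inheritable = CAP_ALL;
        if (euid == 0)
            f.effective = true;
    }
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective = f.effective ? n.permitted : 0;
    return n;
}

int main(void)
{
    /* Constructed scenario: a root daemon with nothing inheritable. */
    struct proc_caps daemon = { CAP_ALL, CAP_ALL, 0, CAP_ALL };
    struct file_caps plain  = { 0, 0, false };
    struct file_caps netraw = { CAP_BIT(CAP_NET_RAW), 0, true }; /* cap_net_raw+ep */

    printf("plain helper, default securebits: %#llx\n", (unsigned long long)
           exec_transform(daemon, plain, 0, 0, 0).effective);
    printf("plain helper, SECBIT_NOROOT:      %#llx\n", (unsigned long long)
           exec_transform(daemon, plain, 0, 0, SECBIT_NOROOT).effective);
    printf("cap_net_raw+ep, SECBIT_NOROOT:    %#llx\n", (unsigned long long)
           exec_transform(daemon, netraw, 0, 0, SECBIT_NOROOT).effective);
    return 0;
}
```

With SECBIT_NOROOT set, UID 0 alone grants the helper nothing; only capabilities attached to the executable itself, intersected with the bounding set, survive the exec.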