author | Marc Fournier <marc.fournier@camptocamp.com> | |
Tue, 26 Jan 2016 20:46:59 +0000 (21:46 +0100) | ||
committer | Marc Fournier <marc.fournier@camptocamp.com> | |
Wed, 10 Aug 2016 06:07:33 +0000 (08:07 +0200) |
Add WARNING() statements to a bunch of plugins which require special
privileges to work properly. They would be emitted once at startup time,
if running as root with privileges dropped, or if running as a normal
user without the needed capabilities explicitly set.
Related to #1444
src/ceph.c | patch | blob | history | |
src/dns.c | patch | blob | history | |
src/exec.c | patch | blob | history | |
src/iptables.c | patch | blob | history | |
src/ping.c | patch | blob | history |
diff --git a/src/ceph.c b/src/ceph.c
index cbfdd22c39e4da5f3314b497bea1cc67834bb88d..e9bb960d9492958992dfabe336b3cfcd1e5d6bea 100644 (file)
--- a/src/ceph.c
+++ b/src/ceph.c
#if HAVE_YAJL_YAJL_VERSION_H
#include <yajl/yajl_version.h>
#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
#include <limits.h>
#include <poll.h>
static int ceph_init(void)
{
int ret;
+
+#ifdef HAVE_SYS_CAPABILITY_H
+ if (check_capability (CAP_DAC_OVERRIDE) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("ceph plugin: Running collectd as root, but the "
+ "CAP_DAC_OVERRIDE capability is missing. The plugin's read "
+ "function will probably fail. Is your init system dropping "
+ "capabilities ?");
+ else
+ WARNING ("ceph plugin: collectd doesn't have the CAP_DAC_OVERRIDE "
+ "capability. If you don't want to run collectd as root, try running "
+ "\"setcap cap_dac_override=ep\" on the collectd binary.");
+ }
+#endif
+
ceph_daemons_print();
ret = cconn_main_loop(ASOK_REQ_VERSION);
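Review bot: The `#ifdef HAVE_SYS_CAPABILITY_H` guard around the new check in ceph_init tests only for the header, not for the constant the block uses. Some platforms ship a `<sys/capability.h>` that does not define the Linux `CAP_*` values (FreeBSD's Capsicum header is the likely case), and there this block would fail to compile. Guarding on both, `#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_DAC_OVERRIDE)`, keeps the warning to systems where it is meaningful. The same applies to the matching blocks in src/dns.c, src/exec.c, src/iptables.c and src/ping.c with their respective capabilities. ceph_init's body continues outside the hunk.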
diff --git a/src/dns.c b/src/dns.c
index 15fa15a79099b1faf28af0a20ef9a629eacc2ad2..be6d0dcb4223684e31c62e51a903ae0f853e83ef 100644 (file)
--- a/src/dns.c
+++ b/src/dns.c
#include <pcap.h>
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
/*
* Private data types
*/
listen_thread_init = 1;
+#ifdef HAVE_SYS_CAPABILITY_H
+ if (check_capability (CAP_NET_RAW) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("dns plugin: Running collectd as root, but the CAP_NET_RAW "
+ "capability is missing. The plugin's read function will probably "
+ "fail. Is your init system dropping capabilities ?");
+ else
+ WARNING ("dns plugin: collectd doesn't have the CAP_NET_RAW capability. "
+ "If you don't want to run collectd as root, try running \"setcap "
+ "cap_net_raw=ep\" on the collectd binary.");
+ }
+#endif
+
return (0);
} /* int dns_init */
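Review bot: The branch that chooses between the two messages tests `getuid () == 0`, the real UID, whereas what the process is allowed to do follows its effective UID. If collectd is ever started with differing real and effective IDs, the "Running collectd as root" text would be picked on the wrong basis; `if (geteuid () == 0)` matches the intent more closely. The same test appears in the ceph, exec, iptables and ping hunks. dns_init starts outside this hunk, so the code before `listen_thread_init = 1;` is not visible here.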
diff --git a/src/exec.c b/src/exec.c
index e90f83c94ad4aa46169f6c827ee741ca9c5d9575..c51465b810064162517a4e3f53bae9107a7a5b19 100644 (file)
--- a/src/exec.c
+++ b/src/exec.c
#include <grp.h>
#include <signal.h>
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
#define PL_NORMAL 0x01
#define PL_NOTIF_ACTION 0x02
sigaction (SIGCHLD, &sa, NULL);
+#ifdef HAVE_SYS_CAPABILITY_H
+ if ((check_capability (CAP_SETUID) != 0) ||
+ (check_capability (CAP_SETGID) != 0))
+ {
+ if (getuid () == 0)
+ WARNING ("exec plugin: Running collectd as root, but the CAP_SETUID "
+ "or CAP_SETGID capabilities are missing. The plugin's read function "
+ "will probably fail. Is your init system dropping capabilities ?");
+ else
+ WARNING ("exec plugin: collectd doesn't have the CAP_SETUID or "
+ "CAP_SETGID capabilities. If you don't want to run collectd as root, "
+ "try running \"setcap 'cap_setuid=ep cap_setgid=ep'\" on the "
+ "collectd binary.");
+ }
+#endif
+
return (0);
} /* int exec_init }}} */
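Review bot: The non-root message in exec_init recommends `setcap 'cap_setuid=ep cap_setgid=ep'` on the collectd binary without saying how much that grants. CAP_SETUID lets the process switch to any UID, including 0, and a file capability set with `=ep` is handed to every user allowed to execute the binary, so following the hint is close to making the daemon root-equivalent. I would add a sentence to the warning, or at least a comment above it such as `/* cap_setuid/cap_setgid are effectively root-equivalent; restrict who may execute the binary before setting them. */`. The condition also reports both capabilities together, so the log does not show which one is missing. exec_init starts outside the hunk.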
diff --git a/src/iptables.c b/src/iptables.c
index e035a88818f7069c9575beb6beae42d4e64e561a..a2ed4c731e11bda9dfa9d7af92d18a09f90ccd27 100644 (file)
--- a/src/iptables.c
+++ b/src/iptables.c
#include "plugin.h"
#include "configfile.h"
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
#include <libiptc/libiptc.h>
#include <libiptc/libip6tc.h>
return (0);
} /* int iptables_shutdown */
+static int iptables_init (void)
+{
+#ifdef HAVE_SYS_CAPABILITY_H
+ if (check_capability (CAP_NET_ADMIN) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("iptables plugin: Running collectd as root, but the "
+ "CAP_NET_ADMIN capability is missing. The plugin's read "
+ "function will probably fail. Is your init system dropping "
+ "capabilities ?");
+ else
+ WARNING ("iptables plugin: collectd doesn't have the CAP_NET_ADMIN "
+ "capability. If you don't want to run collectd as root, try "
+ "running \"setcap cap_net_admin=ep\" on the collectd binary.");
+ }
+#endif
+ return (0);
+} /* int iptables_init */
+
void module_register (void)
{
plugin_register_config ("iptables", iptables_config,
config_keys, config_keys_num);
+ plugin_register_init ("iptables", iptables_init);
plugin_register_read ("iptables", iptables_read);
plugin_register_shutdown ("iptables", iptables_shutdown);
} /* void module_register */
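Review bot: iptables_init is added only to carry a fifth copy of the same check-and-warn block, which differs from the copies in ceph.c, dns.c, exec.c and ping.c only in the plugin name and the capability. A single helper in the shared code that takes the plugin name, the capability value and its lowercase name would keep the wording and the root/non-root logic in one place, and each plugin would shrink to one call. The new function also has no comment; something like `/* Warn at startup if CAP_NET_ADMIN is missing; always returns 0 so the plugin still loads. */` would tell readers the check is advisory only.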
diff --git a/src/ping.c b/src/ping.c
index 4932bae57e14b8c234a664c5efb03e6e39c1d39e..9b5d5ca581a04b6e43820992545efedf2cad759f 100644 (file)
--- a/src/ping.c
+++ b/src/ping.c
# include <netdb.h> /* NI_MAXHOST */
#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
#include <oping.h>
#ifndef NI_MAXHOST
"Will use a timeout of %gs.", ping_timeout);
}
+#ifdef HAVE_SYS_CAPABILITY_H
+ if (check_capability (CAP_NET_RAW) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("ping plugin: Running collectd as root, but the CAP_NET_RAW "
+ "capability is missing. The plugin's read function will probably "
+ "fail. Is your init system dropping capabilities ?");
+ else
+ WARNING ("ping plugin: collectd doesn't have the CAP_NET_RAW capability. "
+ "If you don't want to run collectd as root, try running \"setcap "
+ "cap_net_raw=ep\" on the collectd binary.");
+ }
+#endif
+
return (start_thread ());
} /* }}} int ping_init */