Hi all,
I've been looking into making all of the PCP daemons run
as regular, unprivileged users. This covers pmcd, those
PMDAs we own that are daemons, pmlogger, pmie & pmproxy.
There are difficulties which make the more simple "change
the init scripts to sudo to another user" approach not an
option (to my mind anyway).
Some of the bigger issues are:
- people's existing production setups should not break, or
at worst only break in small, well-known, well-documented,
easily fixable ways, after their next upgrade.
- some agents need to run as specific users, or have chosen
to run as unprivileged users already. As the agents are all
children of pmcd (well, 99.999% of the time), pmcd needs to
be root when it starts them.
- the PMDA Install scripts (via pmdaproc.sh which backs them)
will issue a SIGHUP to pmcd to get it to re-read pmcd.conf,
and start the new PMDA without disrupting existing client
connections. If pmcd has dropped privileges, this won't work
for starting PMDAs that need to run as root or change user.
On the other hand, it is highly desirable to:
- keep it simple, the simpler the better (more auditable)
- have everything default to unprivileged, so going forward
all new work is done with this assumption/requirement. As a
fallback, allow old root-user behaviour (easily, in case of
issues).
Attached patch is an initial stab at solving the problem. It
takes the following tack:
- add a new "pcp" user and group (packaging mechanisms will
automate this, not tackled yet). I *think* it has to be a
fixed ID, as we'll be persisting pmlogger logs, etc with this
UID/GID. Not 100% sure on that though, perhaps it'd be ok if
dynamically assigned (by useradd). The latter would certainly
make life easier.
- when running in daemon modes, all of pmcd, pmlogger, pmie &
pmproxy run their main loop as user "pcp" (maybe pmproxy is
ok to stay as user "nobody"? could go either way I guess)
- also via packaging trickery, recursively change ownership of
/var/log/pcp/pmlogger/<hosts> dirs (else, pmlogger is no longer
functional in daemon mode, with this patch) [not yet tackled]
- adds __pmSetProcessIdentity() used by everyone (changes the
existing perl PMDAs to use it, uses it in pmcd & co too). Add
thread safety to the existing (perl wrapper) code while at it.
In the end, all callers use the same code to switch user.
- adds a "forced_restart" variable to pmdaproc.sh which allows
an agent to request pmcd be restarted rather than SIGHUP'd when
it is ./Install'd. This is used by agents that have to change
user (database PMDAs, third party PMDAs). Thought about making
the default the other way around (see pmdaproc.sh in patch) but
decided on default to the current behaviour, which means pmcd
will only be able to start PMDAs that run as "pcp" or "nobody".
- adds -U <username> to all daemons so that root could be gone
back to temporarily, easily, if there's some problem or maybe if
someone wants some other unusual setup.
Comments?
Thanks!
--
Nathan
initial-non-root-daemons.patch
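For readers following the "one helper to switch user" idea above, here is an added example (not the attached patch and not PCP's own __pmSetProcessIdentity()) of what such a helper has to get right when a daemon started as root drops to "pcp" or to the account named with -U: change supplementary groups and the gid while still root, change the uid last, then check that root cannot be regained. The function name, signature and the current_username() helper are assumptions.

```c
/* Added example of a privilege-drop helper for a daemon started as root
 * (names and signature are assumptions, not PCP's API). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch the calling process to the named account. Returns 0 on
 * success, -1 with errno set on failure. Order matters: supplementary
 * groups and the primary gid can only be changed while still root, and
 * the uid goes last because after that step gids can no longer change. */
int set_process_identity(const char *username)
{
    struct passwd *pw;
    uid_t start_uid = geteuid();

    if (username == NULL || (pw = getpwnam(username)) == NULL) {
        errno = ENOENT;          /* unknown account: refuse, do not stay root */
        return -1;
    }
    /* Only root may replace the supplementary group list; an already
     * unprivileged caller (e.g. started with -U) skips this step. */
    if (start_uid == 0 && initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* The drop must be irreversible: a setuid(0) that succeeds means the
     * saved uid was left at 0. (No drop happened if the target is root.) */
    if (start_uid == 0 && pw->pw_uid != 0 && setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Account name the process currently runs as, or NULL if unknown. */
const char *current_username(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}
```

A daemon would call set_process_identity("pcp") (or the -U argument) right after binding any privileged ports and opening root-only files, and refuse to enter its main loop if it returns -1.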