
Re: pcp updates - assorted non-trivial changes

To: Ken McDonell <kenj@xxxxxxxxxxxxxxxx>
Subject: Re: pcp updates - assorted non-trivial changes
From: fche@xxxxxxxxxx (Frank Ch. Eigler)
Date: Wed, 08 May 2013 18:47:51 -0400
Cc: pcp@xxxxxxxxxxx
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <518ABC53.2090207@xxxxxxxxxxxxxxxx> (Ken McDonell's message of "Thu, 09 May 2013 06:57:55 +1000")
References: <518ABC53.2090207@xxxxxxxxxxxxxxxx>
User-agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.4 (gnu/linux)
Hi, Ken -

kenj wrote:

> [...]
> And I suspect Frank may want to have a discussion about the mode 1777 
> directories change.

Yup!
> commit ba9904e69067ded451e632938a4f27cdf76fbcfc
> Author: Ken McDonell <kenj@xxxxxxxxxxxxxxxx>
> Date:   Wed May 8 16:29:21 2013 +1000
>
>     Non-root PMDA access control changes
>     
>     PMDAs may run as root, or the user pcp, or some other user and/or
>     group (e.g. the dbms PMDAs).
>     
>     There are two places an arbitrary PMDA needs to be able to write
>     1) $PCP_LOG_DIR/pmcd to create its log file, and
>     2) (optionally) $PCP_VAR_DIR/config/pmda to manage any persistent
>        instance domain cache files
>     
>     Both directories need to be mode 1777, but because packaging
>     restrictions may get in the way, we unconditionally set the mode
>     on these two directories in the pmcd start up script.
>     
>     Some PMDAs may need to take additional care with ownership of
>     their indom cache files, as the simple PMDA's Install script
>     demonstrates.

There are a couple of problems with this.  The worst one is that these
1777 directories open up the system to interference from malicious
local users, leading to DoS or worse.  If these PMDAs really must run
under userids that can't share a supplemental group (to allow 0770
privileges), then perchance have the pmda/Install files create a
config/pmda/$PMDA or log/pmcd/$PMDA subdirectory for each, with proper
permissions.  More work, but it's Righter.

Also, rc.d/init.d files should not chmod files or directories at run
time.  Permissions should be set by the installation scripts, and
maintained thence; else routine package-verification will fail and set
off alarms.

- FChE
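
An added example, not PCP's own scripts, illustrating the two layouts contrasted in the reply above: a shared mode 1777 directory, in which any local user can plant a file under the name a PMDA will use for its log, beside a per-PMDA 0770 subdirectory created at install time, together with the mode comparison that package verification performs and that a run-time chmod from an init script breaks. The directory names, the PMDA name "simple", the owner and group passed to pmda_mkdir, and the function names are assumptions; the mode query relies on GNU stat(1).

```shell
#!/bin/sh
# Added example, not PCP code. Assumptions: GNU stat(1) is available;
# directory names, the PMDA name "simple" and the owner/group used in
# demo() are illustrative.

# Create $base/$pmda with mode 0770, owned by $owner:$group when run as
# root. install -d applies the mode at creation, so the directory never
# exists with wider default permissions.
pmda_mkdir() {
    base=$1; pmda=$2; owner=$3; group=$4
    if [ "$(id -u)" -eq 0 ]; then
        install -d -m 0770 -o "$owner" -g "$group" "$base/$pmda"
    else
        install -d -m 0770 "$base/$pmda"
    fi
}

# Octal mode of a path, e.g. 1777 or 770 (GNU stat, assumed).
path_mode() {
    stat -c '%a' "$1"
}

# 0 if the path is a real directory (not a symlink) that is not writable
# by "other". A 1777 directory fails: every local user may create entries
# in it; the sticky bit only stops them deleting other users' entries.
pmda_dir_is_safe() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    mode=$(path_mode "$dir")
    other=${mode#"${mode%?}"}          # last octal digit: the "other" bits
    case $other in
        2|3|6|7) return 1 ;;           # write bit set for other
    esac
    return 0
}

# What package verification (rpm -V and similar) effectively does:
# compare the mode recorded at install time with the one on disk.
# A chmod from an init script at run time makes this fail.
pmda_dir_verify() {
    dir=$1; expected=$2
    [ "$(path_mode "$dir")" = "$expected" ]
}

# Create the PMDA's log file exclusively: set -C (noclobber) makes the
# redirection fail if the path already exists, the shell counterpart of
# open(O_CREAT|O_EXCL). In a shared 1777 directory a file planted by
# another local user under the expected name therefore stops the PMDA
# from logging (or, without the exclusive create, captures its output).
pmda_create_log() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Walk through both layouts in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 1777 "$tmp/pmcd"
    : > "$tmp/pmcd/simple.log"          # stands in for a file planted by another user
    if pmda_dir_is_safe "$tmp/pmcd"; then
        echo "shared dir: safe (unexpected)"
    else
        echo "shared dir: world-writable, unsafe"
    fi
    if pmda_create_log "$tmp/pmcd/simple.log"; then
        echo "shared dir: log created (unexpected)"
    else
        echo "shared dir: log name already taken, PMDA cannot log"
    fi

    pmda_mkdir "$tmp/pmcd" simple "$(id -un)" "$(id -gn)"
    pmda_dir_is_safe "$tmp/pmcd/simple" && echo "per-PMDA dir: safe"
    pmda_create_log "$tmp/pmcd/simple/simple.log" && echo "per-PMDA dir: log created"
    pmda_dir_verify "$tmp/pmcd/simple" 770 && echo "per-PMDA dir: mode 770 verified"
    chmod 1777 "$tmp/pmcd/simple"       # what a run-time chmod in rc.d would do
    pmda_dir_verify "$tmp/pmcd/simple" 770 || echo "per-PMDA dir: mode drifted, verification fails"
    rm -rf "$tmp"
}

# Run the demonstration when executed directly: sh pmda_dirs.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

The exclusive create is the half of the defence that still matters even once each PMDA has its own directory: if the PMDA opens its log with a plain O_CREAT, a file placed there by anyone else with write access to the directory (the group, in the 0770 layout) is silently reused; with O_EXCL the PMDA fails loudly instead.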
