On 09/05/13 13:50, Nathan Scott wrote:
> Hi Ken,
>
> ----- Original Message -----
>> ...
>>
>> I guess we could try the group permissions thing ... first change would
>> need to be adding setgid in the same place we call setuid in libpcp.
>
> It does a setgid now - src/libpcp/src/util.c::__pmSetProcessIdentity
Correct, don't know how I missed that.
> ...
> Hmmm - that cure (setuid pmdas) sounds alot worse than the disease!
setuid pmda would only be required in the case where the pcp:pcp default was
not appropriate, and these would likely be setuid to some non-root uid ... so I
don't think it is a big deal in the overall scheme of things.
> ...
>> 3. some of our directories are created on the fly and not included in
>> the packages ... this is almost certainly wrong.
>
> I'm not sure we have any in case #3 anymore ... which ones do you have
> in mind there?
Well I found these mkdir references in the code base ... 8^(>
- $PCP_LOG_DIR/pmcd - pmcd/rc_pmcd
- $PCP_LOG_DIR/pmie/<localhostname> - pmie/rc_pmie
- $PCP_LOG_DIR/pmie - pmie/rc_pmie
- $PCP_LOG_DIR - pmpost/pmpost.c
- $PCP_LOG_DIR/pmproxy - pmproxy/rc_pmproxy
- $PCP_LOG_DIR/pmwebd - pmwebapi/rc_pmwebd
- $PCP_LOG_DIR/rsyslog - rsyslog/Install
- $PCP_RUN_DIR - pmcd/rc_pmcd
- $PCP_TMP_DIR/mmv - mmv/Install
- $PCP_TMP_DIR/mmv - pmcd/rc_pmcd
- $PCP_TMP_DIR/pmdabash - bash/Install
- $PCP_TMP_DIR/pmie - pmie/pmie.c
- $PCP_TMP_DIR/pmie - pmie/rc_pmie
- $PCP_TMP_DIR/pmlogger - pmcd/rc_pmcd
- $PCP_TMP_DIR/pmlogger - pmlogger/ports.c
- $PCP_VAR_DIR/config/<iam> - pmdaproc.sh (for pmdas with "configfile"s)
- $PCP_VAR_DIR/config/pmda - libpcp_pmda/cache.c
- $PCP_VAR_DIR/config/web - weblog/Install
- $PCP_VAR_DIR/pmdas/trace/lib - trace pmda GNUmakefile
Most of 'em should be replaced by $(INSTALL) lines in the GNUmakefiles (if not
already there) and then ripping the mkdir out (and possibly replacing it by a
"check if dir exists else abort" if the following open/create does not have
appropriate error reporting and handling).
> It seems we need to undo some of these changes that were pulled in
> earlier today, and re-group (heh) for a post 3.8.0 tilt at the issue?
Yep ... we don't have consensus yet, so retaining the status quo is the best
bet.
> In the short-term, we could address the indom cache problem via some
> judicious Install script tweakery. In fact, I wonder if pmdaOpenLog
> could acquire a helper routine to ensure the log files it creates as
> root initially can be written to by whichever user the PMDA chooses
> to change-user to later? (and keep the status quo)
>
> Given the only PMDA that is seeing the cache issue is pmdasimple, and
> the default for out-of-tree PMDAs is to run-as-root still (hence no
> logfile permissions issues) ... it would seem there's no urgency to
> address this in 3.8.0 - a subsequent point release would be fine, no?
nod x 2
|