On 01/19/2015 12:40 PM, Frank Ch. Eigler wrote:
Mark Goodwin <mgoodwin@xxxxxxxxxx> writes:
[...]
e.g. on a fresh install, after running :
# sudo -u root pminfo -f -L hinv.map.scsi
$ sudo -u pcp pminfo -f -L -DLIBPMDA hinv.map.scsi
[...]
If this conflict can occur even for the ordinary-user -vs- pcp case,
then we'd have a security problem.
Only if 'ordinary-user' has effective gid 'pcp' (or $PCP_GROUP) since
the cache directory is mode 775 pcp/pcp. (or $PCP_USER/$PCP_GROUP).
But that group privilege would have to be assigned, or they'd need to
know the group password, right?
If it's only root -vs- pcp, it's
not so bad. (I'd be tempted to make local-mode pmdas to avoid mucking
with system $PCP_*_DIR directories entirely, and just use $HOME/.pcp
or somesuch.)
I guess that would be more inherently secure. Not sure how libpcp_pmda
would know it was invoked via a local context (?).
-- Mark
|