Hi -
minnus wrote:
> We've just noticed that with recent versions of pcp that run as
> non-root, we've lost access to the /proc/pid/maps information. [...]

As background, several months ago, proc_linux PMDA was removed from
the default pmcd/pmda suite because it exposed sensitive information
about processes to the network. The separated PMDA could be
hand-enabled, but as you notice, when running as a DSO within PMCD in
uid=pcp mode, only a relatively unprivileged subset of information is
available.

The impending default solution to this is the pmcd
authenticated-connection mode, wherein a pcp client can forward user
identity to pmcd, after which the pmda-linux code can setuid to that
user temporarily to service proc requests. The new AF_UNIX pmcd
transport will pass credentials automatically. That should handle
users being able to monitor their own processes, or root monitoring
everyone, without having to run pmcd itself as root.
- FChE
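
The mechanism described in the message above, as an added Linux example that is not PCP code and not part of the original post: a server reads the peer's identity from a connected AF_UNIX socket with SO_PEERCRED, then switches its effective uid/gid to that peer only for the duration of one /proc read. The names `peer_cred`, `peer_identity` and `maps_lines_as` are hypothetical, and supplementary groups are left untouched for brevity.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Same layout as the kernel's struct ucred; declared locally (constructed
 * for this example) so it builds without feature-test macros. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Ask the kernel, not the client, who connected on this AF_UNIX socket. */
int peer_identity(int fd, struct peer_cred *out)
{
    socklen_t len = sizeof(*out);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) < 0)
        return -1;
    return len == sizeof(*out) ? 0 : -1;
}

/* Hypothetical helper: lines of /proc/<pid>/maps readable as the peer;
 * -1 when the identity switch or the kernel's access check refuses. */
long maps_lines_as(const struct peer_cred *who, pid_t pid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    char path[64];
    long lines = -1;
    FILE *f;
    int c;
    /* Group first: once the uid has dropped, the gid can no longer change. */
    if (setegid(who->gid) < 0 || seteuid(who->uid) < 0) {
        if (setegid(saved_gid) < 0) _exit(1);
        return -1;
    }
    snprintf(path, sizeof(path), "/proc/%ld/maps", (long)pid);
    if ((f = fopen(path, "r")) != NULL) {
        for (lines = 0; (c = fgetc(f)) != EOF; )
            if (c == '\n') lines++;
        fclose(f);
    }
    /* Restore in reverse order; never keep running as the client. */
    if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0) _exit(1);
    return lines;
}

int main(void)
{
    int sv[2];
    struct peer_cred pc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || peer_identity(sv[0], &pc) < 0)
        return 1;
    printf("peer uid=%ld: %ld maps lines\n", (long)pc.uid, maps_lines_as(&pc, pc.pid));
    return 0;
}
```

An unprivileged server can only "switch" to its own uid, so a request for any other user fails at `seteuid` and returns -1; a root server succeeds in switching and the kernel's own /proc access check then decides. With glibc, `seteuid` changes the identity of every thread in the process, so a threaded server needs to serialize such requests.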