701460 – net-analyzer/netdata-1.19.0: missing capabilities on plugins

Bug 701460 - net-analyzer/netdata-1.19.0: missing capabilities on plugins

Summary: net-analyzer/netdata-1.19.0: missing capabilities on plugins

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Craig Andrews

URL:
Whiteboard:
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2019-11-29 08:57 UTC by Ortwin Glueck
Modified:	2019-12-02 20:52 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/13838
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ortwin Glueck 2019-11-29 08:57:08 UTC

see /var/log/netdata/error.log:
2019-11-29 09:45:27: apps.plugin ERROR : MAIN : apps.plugin should run with CAP_DAC_READ_SEARCH.
2019-11-29 09:45:27: apps.plugin ERROR : MAIN : apps.plugin should run with CAP_SYS_PTRACE.
2019-11-29 09:45:27: apps.plugin ERROR : MAIN : apps.plugin should either run as root (now running with uid 290, euid 290) or have special capabilities. Without these, apps.plugin cannot report disk I/O utilization of other processes. To enable capabilities run: sudo setcap cap_dac_read_search,cap_sys_ptrace+ep /usr/libexec/netdata/plugins.d/apps.plugin; To enable setuid to root run: sudo chown root:netdata /usr/libexec/netdata/plugins.d/apps.plugin; sudo chmod 4750 /usr/libexec/netdata/plugins.d/apps.plugin;  (errno 13, Permission denied)

also nfacct plugin doesn't work:
upstream website [1] says 'Keep in mind that NFACCT requires root access, so the plugin is setuid to root.' I guess also that can be fixed with the right caps.

[1] https://docs.netdata.cloud/collectors/nfacct.plugin/

Comment 1 Larry the Git Cow gentoo-dev

2019-12-02 20:52:43 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=629d6fb6477f4b9d90f92e37dd3af6fbaba68240

commit 629d6fb6477f4b9d90f92e37dd3af6fbaba68240
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2019-12-02 18:02:09 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2019-12-02 20:52:35 +0000

    net-analyzer/netdata: apply all capabilities correctly
    
    Closes: https://bugs.gentoo.org/701460
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 net-analyzer/netdata/netdata-1.19.0-r1.ebuild | 131 ++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7438755e7f1feb0a8455e845da29f985d75ee115

commit 7438755e7f1feb0a8455e845da29f985d75ee115
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2019-12-02 17:59:45 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2019-12-02 20:52:35 +0000

    net-analyzer/netdata: fix live by applying all capabilities
    
    Bug: https://bugs.gentoo.org/701460
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/13838
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 net-analyzer/netdata/netdata-9999.ebuild | 2 ++
 1 file changed, 2 insertions(+)