Bug 450674

Summary: net-analyzer/rrdtool needs a group for rrdcached
Product: Gentoo Linux
Reporter: Thomas Deutschmann <whissi>
Component: Current packages
Assignee: Netmon Herd <netmon>
Status: UNCONFIRMED
Severity: normal
CC: bug, jdavid.ibp, jlec
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Runtime testing required: ---
Attachments:
  rrdtool ebuild file with new user rrdcached:rrdcached
  files/rrdcached.init
  files/rrdcached.confd

Description Thomas Deutschmann gentoo-dev Security 2013-01-07 02:20:54 UTC
Hi,

the current net-analyzer/rrdtool-1.4.7-r1 ebuild added an init script for rrdcached (thanks to https://bugs.gentoo.org/show_bug.cgi?id=327447).

Note that running rrdcached as a user other than root is not supported (at least not by the provided scripts). So the configuration in "/etc/conf.d/rrdcached" is misleading!

Please remove the USER/GROUP line. Also check if MODE really works - I don't think that rrdcached checks environment variables at all.

But rrdcached supports a group for the socket.

From "man rrdcached":
  -s group_name|gid
    Set the group permissions of a UNIX domain socket. The option accepts either a numeric
    group id or group name. That group will then have both read and write permissions (the
    socket will have file permissions 0750) for the socket and, therefore, is able to send
    commands to the daemon. This may be useful in cases where you cannot easily run all RRD
    processes with the same user privileges (e.g. graph generating CGI scripts that
    typically run in the permission context of the web server).

This is really useful and should be default:

Please add a group "rrdcached" and change

  RRCACHE_ARGS="-l unix:/var/run/rrdcached.sock -j /var/lib/rrdcached/journal/ -F  -b /var/lib/rrdcached/db/ -B"

into

  RRCACHE_ARGS="-s rrdcached -l unix:/var/run/rrdcached.sock -j /var/lib/rrdcached/journal/ -F  -b /var/lib/rrdcached/db/ -B"

Please note the argument order - that's important :)


Reproducible: Always
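The report stresses that -s has to come before -l because rrdcached applies the socket group (and socket mode) to the UNIX domain listeners declared after it on the command line. The following lint is an added example, not code from the bug report or from Gentoo's rrdtool ebuild: it walks an argument string the way the daemon's option parser does and fails when a "unix:" listener is declared before any -s group is in effect, or when no UNIX listener is declared at all. The variable name RRDCACHED_ARGS in the usage line and the sample strings are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Gentoo's rrdtool ebuild.
# rrdcached applies -s GROUP (and -m MODE) to the UNIX domain sockets declared
# with "-l unix:PATH" (or "-l /PATH") *after* them on the command line, which
# is why the report insists on putting -s in front of -l.  This lints an
# argument string before it goes into /etc/conf.d/rrdcached.

# Options of rrdcached 1.4 that consume the following token as their value.
RRDCACHED_OPTS_WITH_ARG='-l -s -m -P -w -z -f -p -t -j -b'

takes_value() {
    for o in $RRDCACHED_OPTS_WITH_ARG; do
        [ "$o" = "$1" ] && return 0
    done
    return 1
}

# check_rrdcached_args "ARGS"
# Exit status 0 when at least one UNIX domain listener is declared and every
# such listener has a -s GROUP in effect at the point it is declared;
# otherwise the offending listener is printed to stderr and status 1 returned.
check_rrdcached_args() {
    group=''          # group that will apply to the next UNIX listener
    pending=''        # option waiting for its value
    unix_listeners=0
    for tok in $1; do
        if [ -n "$pending" ]; then
            case "$pending" in
                -s) group=$tok ;;
                -l)
                    case "$tok" in
                        unix:*|/*)
                            if [ -z "$group" ]; then
                                echo "listener $tok is declared before any -s group" >&2
                                return 1
                            fi
                            unix_listeners=$((unix_listeners + 1))
                            ;;
                    esac
                    ;;
            esac
            pending=''
        elif takes_value "$tok"; then
            pending=$tok
        fi
    done
    if [ "$unix_listeners" -eq 0 ]; then
        echo "no UNIX domain listener (-l unix:PATH) found" >&2
        return 1
    fi
    return 0
}

# Usage (assumed conf.d variable name):
#   . /etc/conf.d/rrdcached && check_rrdcached_args "$RRDCACHED_ARGS"
```

Values of options such as -j and -b are skipped explicitly so that a journal or base directory path is never mistaken for a listener. A second -s later in the string changes the group for the listeners that follow it, matching the daemon's ordering semantics.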
Comment 1 Juan David Ibáñez Palomar 2013-05-23 14:38:43 UTC
It is perfectly possible to run rrdcached as another user; just add the --user option to start_stop_daemon_args in the init script:

   start_stop_daemon_args="--quiet --user rrdcached"

And that's the way it should be done, since apparently running it as root is a security hazard, see
http://oss.oetiker.ch/rrdtool/doc/rrdcached.en.html#ISanity_checking

So:

- the ebuild should create the rrdcached user & group
- the /var/lib/rrdcached/ folder ownership should be changed to rrdcached:rrdcached
- the init script should be changed to run with the rrdcached user & group

Since we are at it, the service should use /run/rrdcached.sock and not /var/run/rrdcached.sock
Comment 2 YiKai 2014-05-27 10:20:37 UTC
Hi, Developers,

This is my first time trying to write an init script. I am not a shell script guy, so the implementation may not be very good.

What I have done is:
1. add a new user:group rrdcached:rrdcached
2. change the owner of folder /var/lib/rrdcached{,/db,/journal} to rrdcached:rrdcached
3. write a new rrdcached init script that will run as user rrdcached:rrdcached
4. write a rrdcached confd file, based on rrdcached man page

Please help review the files. Thanks.


--

--- /usr/portage/net-analyzer/rrdtool/rrdtool-1.4.8-r1.ebuild   2014-05-20 14:01:00.000000000 +0800
+++ rrdtool-1.4.8-r1.ebuild     2014-05-27 15:31:05.288464877 +0800
@@ -7,7 +7,7 @@
 DISTUTILS_OPTIONAL="true"
 GENTOO_DEPEND_ON_PERL="no"
 PYTHON_COMPAT=( python2_7 )
-inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools
+inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools user
 
 DESCRIPTION="A system to store and display time-series data"
 HOMEPAGE="http://oss.oetiker.ch/rrdtool/"
@@ -55,6 +55,11 @@
        distutils-r1_python_install
 }
 
+pkg_setup() {
+       enewgroup rrdcached
+       enewuser rrdcached -1 -1 /var/lib/${PN} rrdcached
+}
+
 src_prepare() {
        epatch "${FILESDIR}"/${PN}-1.4.7-configure.ac.patch
 
@@ -137,8 +142,10 @@
 
        find "${ED}"usr -name '*.la' -exec rm -f {} +
 
-       keepdir /var/lib/rrdcached/journal/
-       keepdir /var/lib/rrdcached/db/
+       for x in /var/lib/rrdcached{,/db,/journal}; do
+               keepdir "${x}"
+               fowners rrdcached:rrdcached "${x}"
+       done
 
        newconfd "${FILESDIR}"/rrdcached.confd rrdcached
        newinitd "${FILESDIR}"/rrdcached.init rrdcached
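Review bot: fowners changes only the directory entries themselves, so the .keep files keepdir drops into each directory stay root-owned; that is harmless, since rrdcached only needs to create files inside them. The directories keep the default 0755 mode, though, so nothing stops other local users from reading the RRD files under db/ unless rrdcached creates them with a restrictive umask. If the collected data is not meant to be world-readable, add `fperms 0750 "${x}"` after the fowners line in the same loop. The brace expansion in the for list is bash-only, which is fine in an ebuild.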
Comment 3 YiKai 2014-05-27 10:22:15 UTC
Created attachment 377698 [details]
rrdtool ebuild file with new user rrdcached:rrdcached
Comment 4 YiKai 2014-05-27 10:23:08 UTC
Created attachment 377700 [details]
files/rrdcached.init
Comment 5 YiKai 2014-05-27 10:24:12 UTC
Created attachment 377702 [details]
files/rrdcached.confd
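Comments 1 and 2 describe the target layout: a dedicated rrdcached account, /var/lib/rrdcached with its db/ and journal/ subdirectories owned by rrdcached:rrdcached, the daemon started via start-stop-daemon --user rrdcached, and the socket group set with -s. The checks below are an added example, not part of the bug report, the attachments or Gentoo's ebuild: they verify that layout on a live host after the init script has started the daemon. The ls/awk parsing keeps the script portable across coreutils and busybox; reading /proc/PID/status is Linux-specific. The socket path and pidfile location in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Gentoo's rrdtool ebuild.
# Post-install sanity check for the layout proposed in comments 1 and 2:
#   * /var/lib/rrdcached, /var/lib/rrdcached/db and /var/lib/rrdcached/journal
#     owned by rrdcached:rrdcached,
#   * the UNIX socket group-owned by "rrdcached" with mode 0750 (what -s sets),
#   * the daemon process not running as root.

# owner_group PATH -> "owner group"
owner_group() { ls -ld "$1" | awk '{ print $3, $4 }'; }

# perm_string PATH -> the nine permission characters, e.g. rwxr-x---
perm_string() { ls -ld "$1" | awk '{ print substr($1, 2, 9) }'; }

# check_owned PATH USER GROUP -> 0 if PATH exists and is owned by USER:GROUP
check_owned() {
    [ -e "$1" ] || { echo "$1: does not exist" >&2; return 1; }
    og=$(owner_group "$1")
    [ "$og" = "$2 $3" ] || { echo "$1: owned by ${og% *}:${og#* }, want $2:$3" >&2; return 1; }
}

# check_data_tree ROOT USER GROUP -> ROOT, ROOT/db and ROOT/journal owned by USER:GROUP
check_data_tree() {
    for d in "$1" "$1/db" "$1/journal"; do
        check_owned "$d" "$2" "$3" || return 1
    done
}

# check_socket PATH GROUP -> PATH is a UNIX socket, group GROUP, mode rwxr-x--- (0750)
check_socket() {
    [ -S "$1" ] || { echo "$1: not a UNIX socket" >&2; return 1; }
    og=$(owner_group "$1")
    [ "${og#* }" = "$2" ] || { echo "$1: group ${og#* }, want $2" >&2; return 1; }
    perms=$(perm_string "$1")
    [ "$perms" = "rwxr-x---" ] || { echo "$1: mode $perms, want rwxr-x--- (0750)" >&2; return 1; }
}

# check_not_root PID -> 0 if the process exists and its real UID is not 0 (Linux /proc)
check_not_root() {
    [ -r "/proc/$1/status" ] || { echo "pid $1: not found" >&2; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$1/status")
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# Usage on a live host (assumed socket and pidfile paths):
#   check_data_tree /var/lib/rrdcached rrdcached rrdcached &&
#   check_socket /run/rrdcached.sock rrdcached &&
#   check_not_root "$(cat /run/rrdcached.pid)" && echo OK
```

The socket mode check is deliberately exact: anything looser than 0750 means a local user outside the rrdcached group could send commands (including FLUSHALL and UPDATE) to the daemon, which is precisely what the -s option is meant to prevent.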
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-27 12:50:03 UTC
Comment on attachment 377698 [details]
rrdtool ebuild file with new user rrdcached:rrdcached

--- rrdtool-1.4.8-r1.ebuild     2014-05-20 08:01:00.000000000 +0200
+++ -   2014-05-27 14:49:37.409579781 +0200
@@ -7,7 +7,7 @@
 DISTUTILS_OPTIONAL="true"
 GENTOO_DEPEND_ON_PERL="no"
 PYTHON_COMPAT=( python2_7 )
-inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools
+inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools user
 DESCRIPTION="A system to store and display time-series data"
 HOMEPAGE="http://oss.oetiker.ch/rrdtool/"
@@ -55,6 +55,11 @@
        distutils-r1_python_install
 }
+pkg_setup() {
+       enewgroup rrdcached
+       enewuser rrdcached -1 -1 /var/lib/${PN} rrdcached
+}
+
 src_prepare() {
        epatch "${FILESDIR}"/${PN}-1.4.7-configure.ac.patch
@@ -137,8 +142,10 @@
        find "${ED}"usr -name '*.la' -exec rm -f {} +
-       keepdir /var/lib/rrdcached/journal/
-       keepdir /var/lib/rrdcached/db/
+       for x in /var/lib/rrdcached{,/db,/journal}; do
+               keepdir "${x}"
+               fowners rrdcached:rrdcached "${x}"
+       done
        newconfd "${FILESDIR}"/rrdcached.confd rrdcached
        newinitd "${FILESDIR}"/rrdcached.init rrdcached
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-27 12:56:53 UTC
(In reply to Jeroen Roovers from comment #6)
> Comment on attachment 377698 [details]
> rrdtool ebuild file with new user rrdcached:rrdcached
> 
> --- rrdtool-1.4.8-r1.ebuild     2014-05-20 08:01:00.000000000 +0200
> +++ -   2014-05-27 14:49:37.409579781 +0200

> +pkg_setup() {
> +       enewgroup rrdcached
> +       enewuser rrdcached -1 -1 /var/lib/${PN} rrdcached
> +}

You would need the group/user at install time, not compile time, so this should move to pkg_postinst().

> @@ -137,8 +142,10 @@
>         find "${ED}"usr -name '*.la' -exec rm -f {} +
> -       keepdir /var/lib/rrdcached/journal/
> -       keepdir /var/lib/rrdcached/db/
> +       for x in /var/lib/rrdcached{,/db,/journal}; do
> +               keepdir "${x}"
> +               fowners rrdcached:rrdcached "${x}"
> +       done
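Review bot: fowners is an install helper that runs chown on the staged image under ${ED}, so it only works from src_install and only if the name "rrdcached" resolves on the build host at that moment, which is what the enewuser call in pkg_setup quoted above guarantees; it cannot do anything useful from pkg_postinst. To set ownership after installation instead, drop the fowners line from this loop and chown "${EROOT}"/var/lib/rrdcached together with its db/ and journal/ subdirectories in pkg_postinst, after the user and group have been created.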

Likewise, fowners can be run in pkg_postinst() with better results.