Consistently start the agent as root and rely on it to drop privileges properly. (#14890)
* Consolidate preparation of required directories. The only differences between cases where the prep is done is how we derive the UID and GID that get passed to some of the functions. By just encapsulating the preparation in a function like this, we make this differentiation obvious while also making it easier to modify what directories need to be created or prepared. * Create the log directory if it does not already exist. We treat the log directory not existing as a fatal error, but we can (in most cases) just create it on startup, so just do so. * Trust netdata to handle dropping privileges itself. This allows more correct behavior with respect to handling of required directories, and also ensures that our system service scripts properly support running the agent as arbitrary users instead of requiring it to run as the user configured at build time. * Fix build issues. * Move directory creation to be done alongside directory existence checks. * Fix syntax errors and address review feedback.
This commit is contained in:
Austin S. Hemmelgarn
GitHub
parent
4ce6422c9f
commit
39e629e24c
|
|
@ -632,6 +632,17 @@ static const char *verify_required_directory(const char *dir)
|
|||
return dir;
|
||||
}
|
||||
|
||||
static const char *verify_or_create_required_directory(const char *dir) {
|
||||
int result;
|
||||
|
||||
result = mkdir(dir, 0755);
|
||||
|
||||
if (result != 0 && errno != EEXIST)
|
||||
fatal("Cannot create required directory '%s'", dir);
|
||||
|
||||
return verify_required_directory(dir);
|
||||
}
|
||||
|
||||
/*
|
||||
* This is called after the rrdinit
|
||||
* These values will be sent on the START event
|
||||
|
|
@ -827,11 +838,11 @@ void set_global_environment()
|
|||
setenv("NETDATA_STOCK_CONFIG_DIR", verify_required_directory(netdata_configured_stock_config_dir), 1);
|
||||
setenv("NETDATA_PLUGINS_DIR", verify_required_directory(netdata_configured_primary_plugins_dir), 1);
|
||||
setenv("NETDATA_WEB_DIR", verify_required_directory(netdata_configured_web_dir), 1);
|
||||
setenv("NETDATA_CACHE_DIR", verify_required_directory(netdata_configured_cache_dir), 1);
|
||||
setenv("NETDATA_LIB_DIR", verify_required_directory(netdata_configured_varlib_dir), 1);
|
||||
setenv("NETDATA_LOCK_DIR", netdata_configured_lock_dir, 1);
|
||||
setenv("NETDATA_LOG_DIR", verify_required_directory(netdata_configured_log_dir), 1);
|
||||
setenv("HOME", verify_required_directory(netdata_configured_home_dir), 1);
|
||||
setenv("NETDATA_CACHE_DIR", verify_or_create_required_directory(netdata_configured_cache_dir), 1);
|
||||
setenv("NETDATA_LIB_DIR", verify_or_create_required_directory(netdata_configured_varlib_dir), 1);
|
||||
setenv("NETDATA_LOCK_DIR", verify_or_create_required_directory(netdata_configured_lock_dir), 1);
|
||||
setenv("NETDATA_LOG_DIR", verify_or_create_required_directory(netdata_configured_log_dir), 1);
|
||||
setenv("HOME", verify_or_create_required_directory(netdata_configured_home_dir), 1);
|
||||
setenv("NETDATA_HOST_PREFIX", netdata_configured_host_prefix, 1);
|
||||
|
||||
{
|
||||
|
|
|
|||
|
|
@ -43,19 +43,10 @@ static void chown_open_file(int fd, uid_t uid, gid_t gid) {
|
|||
}
|
||||
}
|
||||
|
||||
void create_needed_dir(const char *dir, uid_t uid, gid_t gid)
|
||||
void change_dir_ownership(const char *dir, uid_t uid, gid_t gid)
|
||||
{
|
||||
// attempt to create the directory
|
||||
if(mkdir(dir, 0755) == 0) {
|
||||
// we created it
|
||||
|
||||
// chown it to match the required user
|
||||
if(chown(dir, uid, gid) == -1)
|
||||
error("Cannot chown directory '%s' to %u:%u", dir, (unsigned int)uid, (unsigned int)gid);
|
||||
}
|
||||
else if(errno != EEXIST)
|
||||
// log an error only if the directory does not exist
|
||||
error("Cannot create directory '%s'", dir);
|
||||
if (chown(dir, uid, gid) == -1)
|
||||
error("Cannot chown directory '%s' to %u:%u", dir, (unsigned int)uid, (unsigned int)gid);
|
||||
}
|
||||
|
||||
void clean_directory(char *dirname)
|
||||
|
|
@ -74,6 +65,16 @@ void clean_directory(char *dirname)
|
|||
closedir(dir);
|
||||
}
|
||||
|
||||
void prepare_required_directories(uid_t uid, gid_t gid) {
|
||||
change_dir_ownership(netdata_configured_cache_dir, uid, gid);
|
||||
change_dir_ownership(netdata_configured_varlib_dir, uid, gid);
|
||||
change_dir_ownership(netdata_configured_lock_dir, uid, gid);
|
||||
change_dir_ownership(netdata_configured_log_dir, uid, gid);
|
||||
change_dir_ownership(claimingdirectory, uid, gid);
|
||||
|
||||
clean_directory(netdata_configured_lock_dir);
|
||||
}
|
||||
|
||||
int become_user(const char *username, int pid_fd) {
|
||||
int am_i_root = (getuid() == 0)?1:0;
|
||||
|
||||
|
|
@ -86,12 +87,7 @@ int become_user(const char *username, int pid_fd) {
|
|||
uid_t uid = pw->pw_uid;
|
||||
gid_t gid = pw->pw_gid;
|
||||
|
||||
create_needed_dir(netdata_configured_cache_dir, uid, gid);
|
||||
create_needed_dir(netdata_configured_varlib_dir, uid, gid);
|
||||
create_needed_dir(netdata_configured_lock_dir, uid, gid);
|
||||
create_needed_dir(claimingdirectory, uid, gid);
|
||||
|
||||
clean_directory(netdata_configured_lock_dir);
|
||||
prepare_required_directories(uid, gid);
|
||||
|
||||
if(pidfile[0]) {
|
||||
if(chown(pidfile, uid, gid) == -1)
|
||||
|
|
@ -487,12 +483,7 @@ int become_daemon(int dont_fork, const char *user)
|
|||
else debug(D_SYSTEM, "Successfully became user '%s'.", user);
|
||||
}
|
||||
else {
|
||||
create_needed_dir(netdata_configured_cache_dir, getuid(), getgid());
|
||||
create_needed_dir(netdata_configured_varlib_dir, getuid(), getgid());
|
||||
create_needed_dir(netdata_configured_lock_dir, getuid(), getgid());
|
||||
create_needed_dir(claimingdirectory, getuid(), getgid());
|
||||
|
||||
clean_directory(netdata_configured_lock_dir);
|
||||
prepare_required_directories(getuid(), getgid());
|
||||
}
|
||||
|
||||
if(pidfd != -1)
|
||||
|
|
|
|||
|
|
@ -15,7 +15,6 @@ command_prefix="@sbindir_POST@"
|
|||
command="${command_prefix}/netdata"
|
||||
command_args="-P ${NETDATA_PIDFILE} ${NETDATA_EXTRA_ARGS}"
|
||||
command_args_foreground="-D"
|
||||
start_stop_daemon_args="-u ${NETDATA_OWNER}"
|
||||
|
||||
depend() {
|
||||
use logger
|
||||
|
|
@ -24,7 +23,7 @@ depend() {
|
|||
}
|
||||
|
||||
start_pre() {
|
||||
checkpath -o ${NETDATA_OWNER} -d @localstatedir_POST@/cache/netdata @localstatedir_POST@/run/netdata
|
||||
checkpath -o ${NETDATA_OWNER} -d @localstatedir_POST@/run/netdata
|
||||
|
||||
if [ -z "${supervisor}" ]; then
|
||||
pidfile="${NETDATA_PIDFILE}"
|
||||
|
|
|
|||
|
|
@ -3,14 +3,10 @@
|
|||
piddir="@localstatedir_POST@/run/netdata/netdata.pid"
|
||||
pidfile="${piddir}/netdata.pid"
|
||||
|
||||
cachedir="@localstatedir_POST@/cache/netdata"
|
||||
|
||||
command="@sbindir_POST@/netdata"
|
||||
command_args="-P ${pidfile} -D"
|
||||
|
||||
[ ! -d "${piddir}" ] && mkdir -p "${piddir}"
|
||||
[ ! -d "${cachedir}" ] && mkdir -p "${cachedir}"
|
||||
chown -R @netdata_user_POST@ "${piddir}"
|
||||
chown -R @netdata_user_POST@ "${cachedir}"
|
||||
|
||||
exec ${command} ${command_args}
|
||||
|
|
|
|||
|
|
@ -7,8 +7,7 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi
|
|||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=@netdata_user_POST@
|
||||
Group=netdata
|
||||
User=root
|
||||
RuntimeDirectory=netdata
|
||||
RuntimeDirectoryMode=0775
|
||||
PIDFile=/run/netdata/netdata.pid
|
||||
|
|
|
|||
|
|
@ -7,8 +7,7 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi
|
|||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=@netdata_user_POST@
|
||||
Group=netdata
|
||||
User=root
|
||||
RuntimeDirectory=netdata
|
||||
CacheDirectory=netdata
|
||||
StateDirectory=netdata
|
||||
|
|
|
|||
Loading…
Reference in New Issue