author | Austin S. Hemmelgarn <austin@netdata.cloud> | 2023-05-05 12:48:42 -0400 |
committer | GitHub <noreply@github.com> | 2023-05-05 12:48:42 -0400 |
commit | 3f9449bb2641a52788376cb5520a7f5eef9e64cc (patch) | |
tree | ee5824ecfee9222f44e3e5d594d08e31473e1116 | |
parent | 2b391d131b6527ed27417e33f3c919dbb4f9f09a (diff) |
Set file capabilities correctly on static installs. (#15018)
Instead of just making all the files SUID 0, set capabilities when we
know which ones are needed and `setcap` is installed.
If setcap is not available, we still fall back properly to SUID on
plugins that truly need it.
-rwxr-xr-x | packaging/makeself/install-or-update.sh | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/packaging/makeself/install-or-update.sh b/packaging/makeself/install-or-update.sh
index 62089f4e98..8992770927 100755
--- a/packaging/makeself/install-or-update.sh
+++ b/packaging/makeself/install-or-update.sh
@@ -208,9 +208,28 @@ run chown -R ${NETDATA_USER}:${NETDATA_GROUP} /opt/netdata
 # -----------------------------------------------------------------------------
-progress "changing plugins ownership and setting setuid"
+progress "changing plugins ownership and permissions"
-for x in apps.plugin freeipmi.plugin ioping cgroup-network ebpf.plugin perf.plugin slabinfo.plugin nfacct.plugin xenstat.plugin; do
+if command -v setcap >/dev/null 2>&1; then
+ run setcap "cap_dac_read_search,cap_sys_ptrace=ep" "usr/libexec/netdata/plugins.d/apps.plugin"
+ run setcap "cap_dac_read_search=ep" "usr/libexec/netdata/plugins.d/slabinfo.plugin"
+
+ if command -v capsh >/dev/null 2>&1 && capsh --supports=cap_perfmon 2>/dev/null ; then
+ run setcap "cap_perfmon=ep" "usr/libexec/netdata/perf.plugin"
+ else
+ run setcap "cap_sys_admin=ep" "usr/libexec/netdata/perf.plugin"
+ fi
+
+ run setcap "cap_net_admin,cap_net_raw=eip" "usr/libexec/netdata/plugins.d/go.d.plugin"
+else
+ for x in apps.plugin perf.plugin slabinfo.plugin; do
+ f="usr/libexec/netdata/plugins.d/${x}"
+ run chown root:${NETDATA_GROUP} "${f}"
+ run chmod 4750 "${f}"
+ done
+fi
+
+for x in freeipmi.plugin ioping cgroup-network ebpf.plugin nfacct.plugin xenstat.plugin; do
 f="usr/libexec/netdata/plugins.d/${x}"
 if [ -f "${f}" ]; then
@@ -219,10 +238,6 @@ for x in apps.plugin freeipmi.plugin ioping cgroup-network ebpf.plugin perf.plug
 fi
 done
-if [ -f "usr/libexec/netdata/plugins.d/go.d.plugin" ] && command -v setcap 1>/dev/null 2>&1; then
- run setcap "cap_net_admin+epi cap_net_raw=eip" "usr/libexec/netdata/plugins.d/go.d.plugin"
-fi
-
 # -----------------------------------------------------------------------------
 echo "Configure TLS certificate paths" |
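Review bot: Both perf.plugin setcap calls in the setcap branch use `usr/libexec/netdata/perf.plugin`, while every other path in this hunk, including the SUID fallback for the same plugin, sits under `usr/libexec/netdata/plugins.d/`, so on a host with setcap the call very likely targets a missing file and perf.plugin ends up with neither a capability nor SUID; the two lines should read `run setcap "cap_perfmon=ep" "usr/libexec/netdata/plugins.d/perf.plugin"` and the matching `cap_sys_admin=ep` line. The branch also has no `-f` guard, unlike the removed go.d.plugin block and the loop that follows it, so a bundle that omits one of these binaries will hit a setcap error (how `run` reacts to a failure is not visible here). Because the `chown -R ${NETDATA_USER}:${NETDATA_GROUP}` in the hunk header runs first and the setcap branch never changes owner or mode, the capability-bearing binaries stay owned by the service user with whatever mode the archive carries; the fallback branch's `chown root:${NETDATA_GROUP}` plus a `0750` mode should apply before each setcap as well, so only root and the netdata group can execute a binary that gains `cap_dac_read_search`/`cap_sys_ptrace` on exec. A small helper keeps the branch readable; the fallback `else` branch is unchanged.
```sh
if command -v setcap >/dev/null 2>&1; then
  # Restrict owner/mode first, then grant only the capabilities the plugin needs.
  # Skips plugins the bundle does not ship, as the SUID loop below already does.
  set_plugin_caps() {
    f="usr/libexec/netdata/plugins.d/${1}"
    [ -f "${f}" ] || return 0
    run chown "root:${NETDATA_GROUP}" "${f}"
    run chmod 0750 "${f}"
    run setcap "${2}" "${f}"
  }

  set_plugin_caps apps.plugin "cap_dac_read_search,cap_sys_ptrace=ep"
  set_plugin_caps slabinfo.plugin "cap_dac_read_search=ep"

  if command -v capsh >/dev/null 2>&1 && capsh --supports=cap_perfmon 2>/dev/null ; then
    set_plugin_caps perf.plugin "cap_perfmon=ep"
  else
    set_plugin_caps perf.plugin "cap_sys_admin=ep"
  fi

  set_plugin_caps go.d.plugin "cap_net_admin,cap_net_raw=eip"
else
  # … unchanged: SUID fallback loop over apps.plugin perf.plugin slabinfo.plugin …
fi
```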