Add proper SUID fallback for DEB plugin packages. (#15803)

* Add proper SUID fallback for DEB plugin packages. * Update contrib/debian/netdata-plugin-perf.postinst --------- Co-authored-by: Ilya Mashchenko <ilya@netdata.cloud>
author: Austin S. Hemmelgarn <austin@netdata.cloud> 2023-08-14 10:15:47 -0400
committer: GitHub <noreply@github.com> 2023-08-14 10:15:47 -0400
commit: 0aedcbef6be5deb561b5e6d5292e40b33dd01f87 (patch)
tree: 5fc96e6314152caf2c2c12867f709ac8ce882cb4 /contrib
parent: e12fbc05241243dfe8d8d99ecbc015c546cdb8c8 (diff)
6 files changed, 28 insertions, 5 deletions
diff --git a/contrib/debian/netdata-plugin-apps.postinst b/contrib/debian/netdata-plugin-apps.postinst
index 04f9145385..f2e52a4b37 100644
--- a/contrib/debian/netdata-plugin-apps.postinst
+++ b/contrib/debian/netdata-plugin-apps.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/apps.plugin
-    setcap "cap_dac_read_search=eip cap_sys_ptrace=eip" /usr/libexec/netdata/plugins.d/apps.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/apps.plugin
+    if ! setcap "cap_dac_read_search=eip cap_sys_ptrace=eip" /usr/libexec/netdata/plugins.d/apps.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/apps.plugin
+    fi
     ;;
 esac
 
diff --git a/contrib/debian/netdata-plugin-debugfs.postinst b/contrib/debian/netdata-plugin-debugfs.postinst
index 75d08fd17f..4519dabd38 100644
--- a/contrib/debian/netdata-plugin-debugfs.postinst
+++ b/contrib/debian/netdata-plugin-debugfs.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/debugfs.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/debugfs.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/debugfs.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/debugfs.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/debugfs.plugin
+    fi
     ;;
 esac
 
diff --git a/contrib/debian/netdata-plugin-go.postinst b/contrib/debian/netdata-plugin-go.postinst
index 9cfce16f62..70d67aaa13 100644
--- a/contrib/debian/netdata-plugin-go.postinst
+++ b/contrib/debian/netdata-plugin-go.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/go.d.plugin
-    setcap "cap_net_admin=eip cap_net_raw=eip" /usr/libexec/netdata/plugins.d/go.d.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/go.d.plugin
+    if ! setcap "cap_net_admin=eip cap_net_raw=eip" /usr/libexec/netdata/plugins.d/go.d.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/go.d.plugin
+    fi
     ;;
 esac
 
diff --git a/contrib/debian/netdata-plugin-perf.postinst b/contrib/debian/netdata-plugin-perf.postinst
index 5250275cc2..76905878ef 100644
--- a/contrib/debian/netdata-plugin-perf.postinst
+++ b/contrib/debian/netdata-plugin-perf.postinst
@@ -5,10 +5,18 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/perf.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/perf.plugin
+
     if capsh --supports=cap_perfmon 2>/dev/null; then
         setcap cap_perfmon+ep /usr/libexec/netdata/plugins.d/perf.plugin
+        ret="$?"
     else
         setcap cap_sys_admin+ep /usr/libexec/netdata/plugins.d/perf.plugin
+        ret="$?"
+    fi
+
+    if [ "${ret}" -ne 0 ]; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/perf.plugin
     fi
     ;;
 esac
diff --git a/contrib/debian/netdata-plugin-slabinfo.postinst b/contrib/debian/netdata-plugin-slabinfo.postinst
index b697e724e1..b4aa87baeb 100644
--- a/contrib/debian/netdata-plugin-slabinfo.postinst
+++ b/contrib/debian/netdata-plugin-slabinfo.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/slabinfo.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/slabinfo.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    fi
     ;;
 esac
 
diff --git a/contrib/debian/netdata-plugin-systemd-journal.postinst b/contrib/debian/netdata-plugin-systemd-journal.postinst
index d2f71970f0..b5e56f7584 100644
--- a/contrib/debian/netdata-plugin-systemd-journal.postinst
+++ b/contrib/debian/netdata-plugin-systemd-journal.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/systemd-journal.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/systemd-journal.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    fi
     ;;
 esac
author	Austin S. Hemmelgarn <austin@netdata.cloud>	2023-08-14 10:15:47 -0400
committer	GitHub <noreply@github.com>	2023-08-14 10:15:47 -0400
commit	0aedcbef6be5deb561b5e6d5292e40b33dd01f87 (patch)
tree	5fc96e6314152caf2c2c12867f709ac8ce882cb4 /contrib
parent	e12fbc05241243dfe8d8d99ecbc015c546cdb8c8 (diff)