authorCosta Tsaousis (ktsaou) <costa@tsaousis.gr>2018-01-11 23:20:53 +0200
committerCosta Tsaousis (ktsaou) <costa@tsaousis.gr>2018-01-11 23:20:53 +0200
commit776c1e719645713b1cd828dc74d65fda657380c7 (patch)
tree01fda0ab4db66a4662288b8088ae028694e51200 /netdata-installer.sh
parent21e19450f1e6ddf597b395c42e6d892a0d356219 (diff)
strict netdata files permissions
Diffstat (limited to 'netdata-installer.sh')
-rwxr-xr-xnetdata-installer.sh36
1 files changed, 23 insertions, 13 deletions
diff --git a/netdata-installer.sh b/netdata-installer.sh
index ef7a9c3a0a..3903f05706 100755
--- a/netdata-installer.sh
+++ b/netdata-installer.sh
@@ -683,6 +683,7 @@ if [ "${UID}" = "0" ]
else
NETDATA_USER="${USER}"
fi
+NETDATA_GROUP="${NETDATA_USER}"
# the owners of the web files
NETDATA_WEB_USER="$( config_option "web" "web files owner" "${NETDATA_USER}" )"
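Review bot: `NETDATA_GROUP="${NETDATA_USER}"` assumes a group with exactly the user's name exists, which is not guaranteed in the non-root branch just above, where NETDATA_USER is `${USER}` and the primary group may be something like `users` or `staff`. The old code made the same assumption with `${NETDATA_USER}:${NETDATA_USER}`, but there is now a single place to resolve it properly, e.g. `NETDATA_GROUP="$(id -gn "${NETDATA_USER}" 2>/dev/null || echo "${NETDATA_USER}")"`. Whether the account already exists at this point in a root install is not visible in the hunk, hence the fallback. A one-line comment stating that the variable is the group granted read/execute access to root-owned netdata files would also help, since every later hunk depends on it.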
@@ -720,9 +721,9 @@ do
run mkdir -p "${NETDATA_CONF_DIR}/${x}" || exit 1
fi
done
-run chown -R "${NETDATA_USER}:${NETDATA_USER}" "${NETDATA_CONF_DIR}"
-run find "${NETDATA_CONF_DIR}" -type f -exec chmod 0660 {} \;
-run find "${NETDATA_CONF_DIR}" -type d -exec chmod 0775 {} \;
+run chown -R "root:${NETDATA_GROUP}" "${NETDATA_CONF_DIR}"
+run find "${NETDATA_CONF_DIR}" -type f -exec chmod 0640 {} \;
+run find "${NETDATA_CONF_DIR}" -type d -exec chmod 0755 {} \;
# --- web dir ----
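Review bot: The added `run chown -R "root:${NETDATA_GROUP}" "${NETDATA_CONF_DIR}"` looks unconditional, since the `[ ${UID} -eq 0 ]` test visible in this diff only starts further down, so an unprivileged install would now fail this step where the old chown to `${NETDATA_USER}` succeeded. The status of `run` is not checked here, so the failure would pass silently and the chmods would still run. Consider choosing the owner by UID, e.g. `conf_owner="root"; [ "${UID}" != "0" ] && conf_owner="${NETDATA_USER}"` followed by `run chown -R "${conf_owner}:${NETDATA_GROUP}" "${NETDATA_CONF_DIR}"`. Separately, directories stay world-listable at 0755 while files drop to 0640; 0750 would be the consistent choice if file names under the config directory are also meant to be private.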
@@ -760,7 +761,7 @@ if [ ${UID} -eq 0 ]
admin_group=
test -z "${admin_group}" && getent group root >/dev/null 2>&1 && admin_group="root"
test -z "${admin_group}" && getent group daemon >/dev/null 2>&1 && admin_group="daemon"
- test -z "${admin_group}" && admin_group="${NETDATA_USER}"
+ test -z "${admin_group}" && admin_group="${NETDATA_GROUP}"
run chown "${NETDATA_USER}:${admin_group}" "${NETDATA_LOG_DIR}"
run chown -R root "${NETDATA_PREFIX}/usr/libexec/netdata"
@@ -774,6 +775,8 @@ if [ ${UID} -eq 0 ]
then
if [ ! -z "${setcap}" ]
then
+ run chown root:${NETDATA_GROUP} "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin"
+ run chmod 0750 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin"
run setcap cap_dac_read_search,cap_sys_ptrace+ep "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin"
setcap_ret=$?
fi
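Review bot: The added chown and chmod on apps.plugin are not checked before `setcap` runs, so if `chmod 0750` fails the binary can end up holding `cap_dac_read_search,cap_sys_ptrace` while still executable by every local user, which is what this commit is trying to prevent. Chaining the three commands with `&&` lets `setcap_ret=$?` reflect any failure, so capabilities are only granted once ownership and mode are in place. The group argument is also unquoted here, unlike the config-directory chown earlier in the commit; prefer `"root:${NETDATA_GROUP}"`. The same applies to the apps.plugin, freeipmi.plugin and cgroup-network chowns in the next hunk. The enclosing `if [ ${UID} -eq 0 ]` block starts outside this hunk.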
@@ -791,25 +794,32 @@ if [ ${UID} -eq 0 ]
if [ ${setcap_ret} -ne 0 ]
then
# fix apps.plugin to be setuid to root
- run chown root "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin"
- run chmod 4755 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin"
+ run chown root:${NETDATA_GROUP} "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin"
+ run chmod 4750 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin"
fi
if [ -f "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/freeipmi.plugin" ]
then
- run chown root "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/freeipmi.plugin"
- run chmod 4755 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/freeipmi.plugin"
+ run chown root:${NETDATA_GROUP} "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/freeipmi.plugin"
+ run chmod 4750 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/freeipmi.plugin"
fi
if [ -f "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network" ]
then
- run chown root "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network"
- run chmod 4755 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network"
+ run chown root:${NETDATA_GROUP} "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network"
+ run chmod 4750 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network"
+ fi
+
+ if [ -f "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network-helper.sh" ]
+ then
+ run chown root "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network-helper.sh"
+ run chmod 0500 "${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/cgroup-network-helper.sh"
fi
else
- run chown "${NETDATA_USER}:${NETDATA_USER}" "${NETDATA_LOG_DIR}"
- run chown -R "${NETDATA_USER}:${NETDATA_USER}" "${NETDATA_PREFIX}/usr/libexec/netdata"
+ # non-privileged user installation
+ run chown "${NETDATA_USER}:${NETDATA_GROUP}" "${NETDATA_LOG_DIR}"
+ run chown -R "${NETDATA_USER}:${NETDATA_GROUP}" "${NETDATA_PREFIX}/usr/libexec/netdata"
run find "${NETDATA_PREFIX}/usr/libexec/netdata" -type f -exec chmod 0755 {} \;
run find "${NETDATA_PREFIX}/usr/libexec/netdata" -type d -exec chmod 0755 {} \;
fi
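Review bot: The new cgroup-network-helper.sh block uses `chown root` with no group and `chmod 0500`, and nothing says why this file alone is root-only when the three plugins above it get `root:${NETDATA_GROUP}` and 4750. A comment such as `# executed only by the setuid-root cgroup-network, so no other user needs to read or run it` would record the intent, assuming that is the reason; the caller is not visible here. Because these files end up running with root privileges, also confirm that the plugins.d directory is not writable by the netdata user or group, since a writable directory would allow the helper or a setuid binary to be replaced. Directory modes for the root branch are not set anywhere in this hunk, and the enclosing `if [ ${UID} -eq 0 ]` starts outside it.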
@@ -937,7 +947,7 @@ either of the following sets of commands:
To run apps.plugin with escalated capabilities:
- ${TPUT_YELLOW}${TPUT_BOLD}sudo chown root:${NETDATA_USER} \"${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin\"${TPUT_RESET}
+ ${TPUT_YELLOW}${TPUT_BOLD}sudo chown root:${NETDATA_GROUP} \"${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin\"${TPUT_RESET}
${TPUT_YELLOW}${TPUT_BOLD}sudo chmod 0750 \"${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin\"${TPUT_RESET}
${TPUT_YELLOW}${TPUT_BOLD}sudo setcap cap_dac_read_search,cap_sys_ptrace+ep \"${NETDATA_PREFIX}/usr/libexec/netdata/plugins.d/apps.plugin\"${TPUT_RESET}