diff options
author | Austin S. Hemmelgarn <austin@netdata.cloud> | 2023-06-15 07:33:26 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-15 07:33:26 -0400 |
commit | 39e629e24cf176963d112ec54fd1db1a24afc5b5 (patch) | |
tree | 2b99b8abe8a302970722d778d668470f8566ace7 /system | |
parent | 4ce6422c9fac738138842b332b54bcc75ae82e3d (diff) |
Consistently start the agent as root and rely on it to drop privileges properly. (#14890)
* Consolidate preparation of required directories.
The only differences between cases where the prep is done is how we
derive the UID and GID that get passed to some of the functions. By just
encapsulating the preparation in a function like this, we make this
differentiation obvious while also making it easier to modify what
directories need to be created or prepared.
* Create the log directory if it does not already exist.
We treat the log directory not existing as a fatal error, but we can (in
most cases) just create it on startup, so just do so.
* Trust netdata to handle dropping privileges itself.
This allows more correct behavior with respect to handling of required
directories, and also ensures that our system service scripts properly
support running the agent as arbitrary users instead of requiring it to
run as the user configured at build time.
* Fix build issues.
* Move directory creation to be done alongside directory existence checks.
* Fix syntax errors and address review feedback.
Diffstat (limited to 'system')
-rw-r--r-- | system/openrc/init.d/netdata.in | 3 | ||||
-rw-r--r-- | system/runit/run.in | 4 | ||||
-rw-r--r-- | system/systemd/netdata.service.in | 3 | ||||
-rw-r--r-- | system/systemd/netdata.service.v235.in | 3 |
4 files changed, 3 insertions, 10 deletions
diff --git a/system/openrc/init.d/netdata.in b/system/openrc/init.d/netdata.in index 74242b3cbd..8dede179c7 100644 --- a/system/openrc/init.d/netdata.in +++ b/system/openrc/init.d/netdata.in @@ -15,7 +15,6 @@ command_prefix="@sbindir_POST@" command="${command_prefix}/netdata" command_args="-P ${NETDATA_PIDFILE} ${NETDATA_EXTRA_ARGS}" command_args_foreground="-D" -start_stop_daemon_args="-u ${NETDATA_OWNER}" depend() { use logger @@ -24,7 +23,7 @@ depend() { } start_pre() { - checkpath -o ${NETDATA_OWNER} -d @localstatedir_POST@/cache/netdata @localstatedir_POST@/run/netdata + checkpath -o ${NETDATA_OWNER} -d @localstatedir_POST@/run/netdata if [ -z "${supervisor}" ]; then pidfile="${NETDATA_PIDFILE}" diff --git a/system/runit/run.in b/system/runit/run.in index 4ea783cc6c..d7f39fb69a 100644 --- a/system/runit/run.in +++ b/system/runit/run.in @@ -3,14 +3,10 @@ piddir="@localstatedir_POST@/run/netdata/netdata.pid" pidfile="${piddir}/netdata.pid" -cachedir="@localstatedir_POST@/cache/netdata" - command="@sbindir_POST@/netdata" command_args="-P ${pidfile} -D" [ ! -d "${piddir}" ] && mkdir -p "${piddir}" -[ ! -d "${cachedir}" ] && mkdir -p "${cachedir}" chown -R @netdata_user_POST@ "${piddir}" -chown -R @netdata_user_POST@ "${cachedir}" exec ${command} ${command_args} diff --git a/system/systemd/netdata.service.in b/system/systemd/netdata.service.in index 25d95b2b81..c82307b478 100644 --- a/system/systemd/netdata.service.in +++ b/system/systemd/netdata.service.in @@ -7,8 +7,7 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi [Service] Type=simple -User=@netdata_user_POST@ -Group=netdata +User=root RuntimeDirectory=netdata RuntimeDirectoryMode=0775 PIDFile=/run/netdata/netdata.pid diff --git a/system/systemd/netdata.service.v235.in b/system/systemd/netdata.service.v235.in index e3232056fb..07cef229f5 100644 --- a/system/systemd/netdata.service.v235.in +++ b/system/systemd/netdata.service.v235.in @@ -7,8 +7,7 @@ After=network.target httpd.service squid.service nfs-server.service mysqld.servi [Service] Type=simple -User=@netdata_user_POST@ -Group=netdata +User=root RuntimeDirectory=netdata CacheDirectory=netdata StateDirectory=netdata |