Bug 229335 - net-mgmt/telegraf: should probably not run as root ..?
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Palle Girgensohn
Reported: 2018-06-25 13:48 UTC by Julien Cigar
Modified: 2018-09-04 15:11 UTC (History)
bugzilla: maintainer-feedback? (girgen)


Description Julien Cigar 2018-06-25 13:48:16 UTC
Hello,

I'm wondering if running Telegraf as root by default is really appropriate? I understand that it could cause a lot of permission "issues" to read certain metrics, but still, running arbitrary scripts as root through the exec plugin for instance looks scary to me ..

I'm wondering if it would be possible to add the creation of a dedicated user in the ports, and a telegraf_user="telegraf" in the rc.d script?

Thanks!
Comment 1 Palle Girgensohn freebsd_committer freebsd_triage 2018-06-25 14:48:59 UTC
It might work to run it as `nobody`. I need to check. It shouldn't really need a special user, but as you say, that depends on what metrics you read from the system.

Barring that it doesn't work, I'm inclined to add an option telegraf_user and default to nobody.
Comment 2 Julien Cigar 2018-06-25 15:04:01 UTC
(In reply to Palle Girgensohn from comment #1)

Thank you for your quick reply.

Adding a special (dedicated) user would be easier for usage with sudo (as suggested by many plugins, see https://github.com/influxdata/telegraf/tree/master/plugins/inputs/pf for example)
Comment 3 Palle Girgensohn freebsd_committer freebsd_triage 2018-06-25 15:50:37 UTC
(In reply to Julien Cigar from comment #2)

Ah, of course. I see. I haven't used any of the modules suggesting sudo... I'll look into it.
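
An added example, not part of the thread or of the port: a small audit that reports which user Telegraf would run as and whether enabled `[[inputs.exec]]` sections would therefore execute commands as root. It assumes the rc.conf variable `telegraf_user` proposed in the description, with root as the default when it is unset; the sample files and the `collect.sh` path are constructed.

```shell
#!/bin/sh
# Assumption: rc.conf variable telegraf_user (the name proposed in this bug);
# when it is unset the service runs as root, the default the report describes.

# Print the run-as user from an rc.conf-style file (last assignment wins).
telegraf_run_user() {
    u=$(sed -n 's/^[[:space:]]*telegraf_user=//p' "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*//' | tr -d "\"'")
    echo "${u:-root}"
}

# Print the number of enabled (uncommented) [[inputs.exec]] sections.
telegraf_exec_sections() {
    grep -Ec '^[[:space:]]*\[\[inputs\.exec\]\]' "$1" || true
}

# Print a verdict; return 1 when exec inputs would run as root, else 0.
audit_telegraf() {
    user=$(telegraf_run_user "$1")
    n=$(telegraf_exec_sections "$2")
    if [ "$user" = "root" ] && [ "${n:-0}" -gt 0 ]; then
        echo "FINDING: $n exec input(s) would run commands as root"
        return 1
    elif [ "$user" = "root" ]; then
        echo "NOTE: runs as root, no exec inputs enabled"
    else
        echo "OK: run user is $user, ${n:-0} exec input(s)"
    fi
}

# Constructed sample files, written to a temporary directory.
demo_dir=$(mktemp -d)
printf 'telegraf_enable="YES"\n' > "$demo_dir/rc.conf.default"
printf 'telegraf_enable="YES"\ntelegraf_user="telegraf"\n' \
    > "$demo_dir/rc.conf.hardened"
cat > "$demo_dir/telegraf.conf" <<'EOF'
[[inputs.cpu]]
# [[inputs.exec]]   commented out, not counted
[[inputs.exec]]
  commands = ["/usr/local/bin/collect.sh"]
  data_format = "influx"
EOF

audit_telegraf "$demo_dir/rc.conf.default" "$demo_dir/telegraf.conf" || true
audit_telegraf "$demo_dir/rc.conf.hardened" "$demo_dir/telegraf.conf"
```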