Bug 238530 - net-mgmt/netdata: Set plugin setuid bit
Summary: net-mgmt/netdata: Set plugin setuid bit
Status: Closed Feedback Timeout
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mahdi Mokhtari
URL: https://github.com/netdata/netdata/bl...
Keywords: needs-qa
Depends on:
Reported: 2019-06-12 20:12 UTC by Christian Baltini
Modified: 2020-04-27 23:49 UTC

See Also:
bugzilla: maintainer-feedback? (mmokhi)
koobs: merge-quarterly?

updated pkg-plist with plugin setuid (1.23 KB, text/plain)
2019-06-12 20:12 UTC, Christian Baltini
Description Christian Baltini 2019-06-12 20:12:43 UTC
Created attachment 205018
updated pkg-plist with plugin setuid

The Netdata install script runs chmod 4750 on plugins that require root privileges.

I have updated pkg-plist to apply the same permissions.

I have tested FreeIPMI functionality working out of the box with the updated pkg-plist.
Comment 1 Christian Baltini 2019-06-12 20:14:33 UTC
For reference, see Netdata installation script:
Comment 2 Christian Baltini 2019-07-04 20:32:12 UTC
I noticed that my patch actually doesn't work because the plugins are not owned by netdata. Therefore the 4750 permissions don't allow the daemon to access the plugins.
Changing to 4755, but it gives arbitrary users the ability to run the plugins as root, which strikes me as a security risk.

I am wondering if the correct way to handle this is to change the ownership to root:netdata and stick with the 4750 permissions.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2019-12-18 05:21:18 UTC
Hi Christian,

It would be great if you could provide additional context and information to help this make progress.

Q: What is the impact of the current state of the port, specifically not having those plugins setuid, or chmod'd as proposed? Is this a complete, partial, or specific failure mode?

Can you include all the ownership/chmod details of the relevant files/dirs in question, as an attachment?

You may be correct that changing ownership/groups may also be required, so as not to allow arbitrary users to run plugins (per your comment 2).
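
The permission trade-off raised in comments 2 and 3, as an added example that is not part of the bug report or the port: a POSIX sh audit of pkg-plist `@(owner,group,mode)` entries that separates the three cases discussed (4750 without the daemon's group, 4755, and root:netdata 4750). The `root:wheel` ownership, the `netdata` service group, and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the port): audit "@(owner,group,mode) path" lines of a
# pkg-plist for the setuid cases discussed in this bug.
SVC_GROUP="netdata"   # assumption: group the daemon runs as

# classify OWNER GROUP MODE -> prints a one-word verdict
classify() {
    c_owner=$1; c_group=$2; c_mode=$3
    case $c_mode in
        [0-7][0-7][0-7]) c_mode="0$c_mode" ;;   # pad to four octal digits
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "bad-mode"; return 0 ;;
    esac
    c_special=${c_mode%???}                      # leading digit, 4 bit = setuid
    c_grp=${c_mode#??}; c_grp=${c_grp%?}         # group permission digit
    c_oth=${c_mode#???}                          # other permission digit
    case $c_special in 4|5|6|7) ;; *) echo "not-setuid"; return 0 ;; esac
    # 4755 case: every local user can execute the file with the owner's uid.
    case $c_oth in 1|3|5|7) echo "world-exec-setuid"; return 0 ;; esac
    # setuid only grants root privileges when root owns the file.
    [ "$c_owner" = "root" ] || { echo "setuid-not-root"; return 0; }
    # 4750 case: only owner and group may execute, so the group must be the
    # daemon's group and must carry the execute bit.
    [ "$c_group" = "$SVC_GROUP" ] || { echo "daemon-locked-out"; return 0; }
    case $c_grp in 1|3|5|7) echo "ok" ;; *) echo "daemon-locked-out" ;; esac
}

# audit_plist: read a pkg-plist on stdin, print "<verdict> <path>" for each
# entry that carries explicit @(owner,group,mode) attributes.
audit_plist() {
    while IFS= read -r line; do
        case $line in "@("*") "*) ;; *) continue ;; esac
        attrs=${line#"@("}; attrs=${attrs%%")"*}
        path=${line#*") "}
        owner=${attrs%%,*}; rest=${attrs#*,}
        group=${rest%%,*};  mode=${rest#*,}
        printf '%s %s\n' "$(classify "$owner" "$group" "$mode")" "$path"
    done
}

# Constructed sample entries; paths are placeholders, not the port's real plist.
audit_plist <<'EOF'
bin/example
@(root,wheel,4750) libexec/example/plugins.d/a.plugin
@(root,wheel,4755) libexec/example/plugins.d/b.plugin
@(root,netdata,4750) libexec/example/plugins.d/c.plugin
EOF
```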