Comments (27)
FYI, from new install docs:
```sh
chown -R librenms:librenms /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd
setfacl -R -m g::rwx /opt/librenms/rrd
#SELinux
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
```
from librenms.
This can be solved with two ways...
- `suid` on the rrd folder to make all (future) files be owned by the www-data (or equivalent)
- let the poller, which is being executed as root, drop privileges before saving the rrds (or chown'ing after creation)

Method 1 would require an additional `chmod` step in the config.
Method 2 would require a config directive to let poller know the UID/GID.
from librenms.
Does 1) do what we need?
I've just given it a quick test by creating a folder as root, setting suid then trying to create a file within that folder and it doesn't work :(
from librenms.
sorry it was sgid hehe
here a quick example on the box I'm currently on...
```console
root@web:/var/www# umask 007
root@web:/var/www# mkdir tmp
root@web:/var/www# chown root:www-data tmp
root@web:/var/www# chmod 6775 tmp
root@web:/var/www# touch tmp/newfile
root@web:/var/www# ls -la tmp/
total 8
drwsrwsr-x 2 root www-data 4096 Nov 7 13:07 .
drwxr-xr-x 3 root root 4096 Nov 7 13:07 ..
-rw-rw---- 1 root www-data 0 Nov 7 13:07 newfile
root@web:/var/www# sudo -u www-data rm -v tmp/newfile
removed `tmp/newfile'
```
Note: That umask is just Quick'n'Dirty, would put more than 1s thought into it for production ;)
from librenms.
I'm struggling to get this working in an install, when the rrd directory is created the permissions still don't include group write access for www-data (apache in my case) to remove the directory. The rrd files within are also created with permissions which won't allow the web server user to remove them :(
from librenms.
To me, it seems easier simply to mark the host as deleted, then let the poller clean up the RRDs and remove the entry from the database.
from librenms.
```php
shell_exec("rm -rf ".trim($config['rrd_dir'])."/$host");
```
This is included in `delete_device($id)` (File: includes/functions.php, Line: 249)

So really the fix relies on POSIX permissions.
I suggest:
- create a librenms user
- add the httpd's user to the librenms group
- let the cronfile run with that uid/gid
- let the poller `chmod 775` all new files

If that's too much to ask for, we can add a very ugly `chmod 777` over all newly created rrds. I wouldn't like this!
from librenms.
Let's just forget you ever mentioned chmod 777 and move along. :-)
from librenms.
lol, also those steps are manual for existing installs.
What about dealing with it in the poller like blahdeblah said? May require another column to the DB though.
from librenms.
yes, it requires another column. Not that it would be an issue, I just think that in the long run we shouldn't let the poller run as root... it's not really sane...
from librenms.
I fully agree that running the poller as root is undesirable, but I think that it may have to due to use of fping.
from librenms.
@paulgear : fping has the suid flag on upstream Debian and CentOS. This shouldn't be an issue then.
I also recall somebody on the IRC saying he uses the cron as non-root already.. Will ask for bugs or whether it works out of the box.
from librenms.
Shorty from IRC said it worked out of the box, he's running the cronjobs with the same user as his apache.
from librenms.
Is it worth looking at how we can migrate people to running as a non-root user?
One of the challenges will be that we had in the docs to symlink the cron file for quite a while, this means if we updated that file then it would break a lot of installs. We could have a second cron file we reference from now on and have that as part of the instructions creating a librenms user (people can change this user).
Thoughts?
from librenms.
I agree - we need to aim for migrating the poller to non-root.
from librenms.
@f0o would you mind re-opening the PR you did for this with a few changes:
- create a new file called `cron.librenms` (or another name that fits?) and also add a note to the top:
  `# Using this cron file requires an additional user on your system, please see install docs.`
- update the install docs to tell people to copy that new file rather than `librenms.cron`
- Add a note into `librenms.cron` that says:
  `# It's recommended not to run this cron anymore - please see cron.librenms`
from librenms.
Ok, tested. works fine. Current installs will continue to function but instructions show how to install with separate user.
from librenms.
So, Closing?
from librenms.
Yeah :)
from librenms.
Actually, still having issues with it removing rrd files :/
from librenms.
So @f0o actually I've had to make some changes. The device I tested it on had lax perms so it just deleted :/
```
umask(0000);
chmod 776 rrd/
```
With those it now works for me - thoughts?
from librenms.
All sorted thanks to @f0o :)
from librenms.
This is still an issue FYI
from librenms.
Yeah, just messed up the whole graphing for me.
After I deleted a device all of the graphing just broke.
from librenms.
still have this issue
from librenms.
It's most definitely a config issue. Be sure that the user running the GUI has enough privileges to delete files created by the librenms user.
from librenms.
This thread has been automatically locked since there has not been any recent activity after it was closed.
from librenms.