Hi, On Sat, Jul 07, 2012 at 10:23:00PM +0200, Bastian Blank wrote: > All the informations recorded by default are available for normal users > or at most need CAP_DAC_READSEARCH. There is no reason to run collectd > with the highest permissions on the system.
Agreed. Another (I suppose) commonly required capability is CAP_NET_RAW (required by the ping plugin. I suggest to do the following: run collectd as nobody (or a newly created user 'collectd') by default; make that user configurable through /etc/default/collectd and make it possible to provide a list of capabilities (through /etc/default/collectd) that would be applied to the collectd binary in the init script. Does that sound sane to you? Cheers, Sebastian -- Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/ Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
signature.asc
Description: Digital signature
