> That's what I'm doing for now -- but I wonder if rrdcached could do
> setuid instead.

It would have to start as root, acquire a number of group memberships, and then drop privs. Interesting, but ultimately I think it's too complicated. The same could be accomplished with two instances of the daemon, or by having a separate group for all RRD writes. For the former case, I think we need a way to have a host:port for inet sockets (right now, the daemon always uses port 42217).

> Also, for Ganglia, two different processes would potentially require
> to access rrdcached -- the frontend which mostly runs the 'graph'
> command and gmetad which does the 'update' commands, and the processes
> are owned by different users. Is this currently supported?

If you connect via inet socket, then any user on the host can issue commands. If you connect via unix socket, you can chmod it to allow for that.

> BTW please let me know if this is the right assumption -- if you are
> using rrdtool command line, use --daemon option and if you are using
> rrdtool's C API, use RRDCACHED_ADDRESS environment variable.

Regardless of the access method, you can use either method (env or --daemon) for specifying the daemon address. I set the RRDCACHED_ADDRESS at login so that ordinary users and scripts that are already accessing the files do not need to be made aware that there is a daemon running.

--
kevin brintnall =~ /[EMAIL PROTECTED]/

_______________________________________________
rrd-developers mailing list
[email protected]
https://lists.oetiker.ch/cgi-bin/listinfo/rrd-developers
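The Unix-socket access control described in the reply above, as an added example that is not part of the original message and is not rrdcached's code: it binds a socket whose mode is restricted from the moment it is created (via umask, so there is no window before chmod) and audits the result. The socket file name, the 0660 mode, and the use of the process's own group as a stand-in for a shared "RRD writers" group are assumptions.

```python
import os
import socket
import stat
import tempfile


def bind_restricted(path, mode=0o660, gid=None):
    """Bind a listening Unix socket that is never more permissive than `mode`."""
    old_umask = os.umask(0o777 & ~mode)  # bind() applies the umask to the new file
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    if gid is not None:
        os.chown(path, -1, gid)  # hand the socket to the shared group
    os.chmod(path, mode)  # make the final mode explicit
    srv.listen(8)
    return srv


def audit_socket(path, expected_gid=None):
    """Return findings for a daemon socket; an empty list means it looks sane."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a unix socket"]
    perms = stat.S_IMODE(st.st_mode)
    findings = []
    if perms & stat.S_IWOTH:
        findings.append("world-writable: any local user can connect")
    if expected_gid is not None and st.st_gid != expected_gid:
        findings.append("group is %d, expected %d" % (st.st_gid, expected_gid))
    return findings


def demo():
    """Bind in a scratch directory; return (mode, findings_tight, findings_loose)."""
    with tempfile.TemporaryDirectory(prefix="rrdsock-") as workdir:  # constructed path
        path = os.path.join(workdir, "rrdcached.sock")  # hypothetical socket name
        srv = bind_restricted(path, 0o660, os.getgid())
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            tight = audit_socket(path, os.getgid())
            os.chmod(path, 0o666)  # the loose setting, for comparison
            loose = audit_socket(path, os.getgid())
        finally:
            srv.close()
    return mode, tight, loose
```
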
