Package: prometheus-smokeping-prober
Version: 0.4.1-2+b4
Severity: important
X-Debbugs-Cc: t...@seoss.co.uk

Thanks for packaging this in Debian!  Unfortunately it does appear to
have an important problem which I think most users will hit, and is
actually quite difficult to debug.

Installing this package on a default bullseye system results in this
debconf database entry being set, without any prompting:

  prometheus-smokeping-prober/want_cap_net_raw: false

This makes the package fail silently, without any errors (even when run
with --log.level="debug").

The service appears to run correctly, but is unable to send out any ping
probes, and so just records no data (all metrics are zero).  No errors
are logged, and this debconf database setting is not documented
elsewhere in the package.

I think this setting should ideally be defaulted to true, since this is
the way that e.g. iputils-ping operates (it is always installed with
cap_net_raw=ep set).

Whilst I understand the possible security implication of this, since the
package defaults to executing the binary as the prometheus user, this
could perhaps be mitigated by setting the permissions so that
/usr/bin/prometheus-smokeping-prober is NOT world-executable, and has
group ownership set to the prometheus user.  e.g.

chmod 750 /usr/bin/prometheus-smokeping-prober
chgrp prometheus /usr/bin/prometheus-smokeping-prober

If it is preferred for some reason to continue to default this to false,
then I think the question should have at least "high" priority.

Additionally it would be useful to patch the daemon so that it logs when
it is not authorized to send pings, and probably the existence of the
setting should be documented (e.g. in:
/etc/default/prometheus-smokeping-prober or a README.Debian).


-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus-smokeping-prober depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.75
ii  libc6                  2.31-12
ii  libcap2-bin            1:2.44-1

prometheus-smokeping-prober recommends no packages.

prometheus-smokeping-prober suggests no packages.

-- debconf information:
  prometheus-smokeping-prober/want_cap_net_raw: false
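
A check for the state described in the report above, as an added example that is not part of the original report or of the package: it tests whether the binary carries cap_net_raw=ep and whether its mode and group match the suggested chmod/chgrp. The function names are hypothetical, the parser covers only the simple getcap forms (the report's "cap_net_raw=ep" and the older "= cap_net_raw+ep"), and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the package. BIN is the path named in the report.
BIN=/usr/bin/prometheus-smokeping-prober

# caps_grant_net_raw LINE
# Succeeds if a getcap output line grants cap_net_raw with both the
# effective (e) and permitted (p) flags. An empty line means no file caps.
caps_grant_net_raw() {
    set -f                                   # no globbing while word-splitting
    for clause in ${1#* }; do                # drop the leading path
        case "$clause" in
            *cap_net_raw*[=+]*) flags=${clause##*[=+]} ;;
            *) continue ;;                   # "=" separator or unrelated caps
        esac
        case "$flags" in *e*p*|*p*e*) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# world_can_exec MODE
# Succeeds if the "other" execute bit is set in an octal mode such as 755.
world_can_exec() {
    [ $(( ${1#"${1%?}"} & 1 )) -eq 1 ]
}

# audit PATH: report the capability state and the suggested hardening.
audit() {
    caps=$(getcap "$1" 2>/dev/null)
    mode=$(stat -c '%a' "$1")
    group=$(stat -c '%G' "$1")
    if ! caps_grant_net_raw "$caps"; then
        echo "FAIL: $1 has no cap_net_raw=ep (the state the report describes)"
        return 1
    fi
    if world_can_exec "$mode" || [ "$group" != prometheus ]; then
        echo "WARN: cap_net_raw is set but mode=$mode group=$group;" \
             "the report suggests mode 750 and group prometheus"
    fi
    echo "OK: $caps"
}

# Only audit when the package is actually installed on this machine.
if [ -e "$BIN" ]; then audit "$BIN" || true; fi
```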
