
sysutils/node_exporter runs as user 'nobody'

Open jkellerer opened this issue 3 years ago • 10 comments

node_exporter runs as user nobody, while the similar sysutil telegraph runs on its own user.

That is in general not a problem, but it prevents implementing TLS and auth support as requested in https://github.com/opnsense/plugins/issues/2497, as private keys should not be readable by nobody and node_exporter cannot start as root and drop its privileges later.

The user that node_exporter will be started with can be configured in rc.d, but I've not found an adequate user to replace nobody with. Also, there doesn't seem to be any plugin that dynamically creates a system user as it would be a bad idea to have an ID outside of the range of UIDs.

Question: Is this something that can (or should) be changed in the ports (e.g. introduce a user like _node-exporter)?

jkellerer avatar Sep 11 '21 15:09 jkellerer

As far as I understand this has to be fixed in upstream (not to have conflicts in user IDs).

jkellerer avatar Feb 06 '22 22:02 jkellerer

@jkellerer thanks for the info... is that an upstream version not yet in OPNsense or already merged?

fichtner avatar Feb 07 '22 06:02 fichtner

Not that I would be aware of and in fact the node_exporter pkg has a config option for the service user. However without an assigned user in UIDs, this is not easy to use and the UIDs list is imported from FreeBSD, that's why I think we cannot fix it here if we want to avoid conflicts on user IDs.

jkellerer avatar Feb 07 '22 11:02 jkellerer

ah ok that would mean we would have to enhance the FreeBSD port for it?

fichtner avatar Feb 07 '22 11:02 fichtner

Yes, that's what I'm thinking, unless there is another option to create a service user.

jkellerer avatar Feb 07 '22 11:02 jkellerer

We could add the user register/unregister hooks in our plugin but FreeBSD ports integrated for specific user/group works really well so it would be best to use that.

fichtner avatar Feb 07 '22 11:02 fichtner

Fully agree, I also thought about creating a user dynamically but this would be the only plugin doing that and it wouldn't be very clean. For the moment I'd just keep it that way, maybe I'll request this change in FreeBSD instead.

jkellerer avatar Feb 07 '22 11:02 jkellerer

It's unlikely much changes there just from requesting. How about we both work on it in our ports tree and upstream it?

Cheers, Franco

fichtner avatar Feb 07 '22 11:02 fichtner

Ok. I'll check what needs to be changed and prepare a PR.

jkellerer avatar Feb 07 '22 12:02 jkellerer

Just found this entry: prometheus:*:478:478::0:0:Prometheus Daemon:/var/tmp/prometheus:/usr/sbin/nologin

Looks like this case is already fixed partially with the move to FreeBSD. It seems to originate from the Prometheus daemon that collects input from exporters, but on Linux this user is also used for node_exporter, so it should be ok to use it.

This would mean the remaining change is to ensure the user is added when the package is installed.

jkellerer avatar Feb 07 '22 14:02 jkellerer
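The thread's two checks, as an added example (Python, not code from the issue, the OPNsense plugin or the FreeBSD port): parsing a UIDs/master.passwd entry like the one quoted above to confirm it is a dedicated nologin account, and verifying that a TLS private key is owned only by the daemon's service user and is not readable by nobody or anyone else. Function names are chosen here; the key file used is a constructed placeholder written to a temp file.

```python
import os
import pwd
import stat
import tempfile

# Entry quoted in the issue; FreeBSD UIDs / master.passwd layout:
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_UIDS_LINE = "prometheus:*:478:478::0:0:Prometheus Daemon:/var/tmp/prometheus:/usr/sbin/nologin"


def parse_uids_entry(line):
    """Split one UIDs/master.passwd line into its named fields."""
    fields = line.strip().split(":")
    if len(fields) != 10:
        raise ValueError("expected 10 colon-separated fields, got %d" % len(fields))
    return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
            "gecos": fields[7], "home": fields[8], "shell": fields[9]}


def is_service_account(entry):
    """Dedicated daemon accounts have interactive login disabled."""
    return os.path.basename(entry["shell"]) == "nologin"


def check_tls_key(path, service_user):
    """Return findings (empty list = acceptable) for running a daemon as
    service_user with the private key stored at path."""
    findings = []
    if service_user == "nobody":
        findings.append("daemon runs as the shared 'nobody' account; use a dedicated user")
    try:
        expected_uid = pwd.getpwnam(service_user).pw_uid
    except KeyError:
        findings.append("service user %r does not exist on this host" % service_user)
        return findings
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append("key is owned by uid %d, not by %s" % (st.st_uid, service_user))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return findings


def make_sample_key(mode):
    """Create a throwaway placeholder key file (constructed input, not a real key)."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.write(fd, b"-- placeholder, not a real private key --\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


def current_user():
    """Name of the account running this script, used as the service user in checks."""
    return pwd.getpwuid(os.getuid()).pw_name
```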