puppet-prometheus
Exporters unpacked to /opt are not root:root
Hello,
Most of the exporters pulled from GitHub have, after unpacking, an owner/group different from root:root. In some specific cases a non-root user can replace the binary with malicious code and run it with (sometimes, maybe) more permissions as the exporter user. Or just fake diagnostic data, which can lead to other issues.
Hi @TomaszUrugOlszewski. Thanks for raising this issue. Are you able to provide a patch for this? Should the user always be root or prometheus?
IMHO this is not an issue at all. The archive is extracted as is, and the ownership for the actual binary is set to uid: root, gid: 0 (https://github.com/voxpupuli/puppet-prometheus/blob/master/manifests/daemon.pp#L122-L125)
If the archive comes with weird file ownerships this should be reported to the upstream providing the archive.
Closing due to inactivity
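
For operators who want to check what actually landed on disk after an exporter archive was unpacked, the following is an added example (not code from this thread or from the puppet-prometheus module). It reports every entry under a directory whose owner or group is not the expected one or that is group/other-writable, directories included; the function names, the `example_exporter` file name and the demo tree are assumptions made for illustration.

```python
import os
import stat
import sys
import tempfile

def audit_tree(root, expected_uid=0, expected_gid=0):
    """Return sorted (path, reason) pairs for entries under root (root included)
    whose owner or group differs from the expected ids, or that are writable
    by group or other. Directories count: write access to a directory is
    enough to replace a root-owned binary inside it."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in paths:
        st = os.lstat(path)  # inspect the entry itself, not a symlink target
        if st.st_uid != expected_uid:
            findings.append((path, f"owner uid {st.st_uid}"))
        if st.st_gid != expected_gid:
            findings.append((path, f"group gid {st.st_gid}"))
        # Symlink mode bits carry no meaning, so only check real files and dirs.
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"group/other writable, mode {stat.S_IMODE(st.st_mode):04o}"))
    return sorted(findings)

def demo():
    """Constructed sample: a fake unpacked exporter directory in a temp dir.
    The current user stands in for root so this runs unprivileged."""
    root = tempfile.mkdtemp(prefix="exporter-demo-")
    os.chmod(root, 0o755)
    binary = os.path.join(root, "example_exporter")  # hypothetical file name
    with open(binary, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(binary, 0o775)  # group-writable, as a careless archive might ship it
    st = os.lstat(binary)
    return audit_tree(root, st.st_uid, st.st_gid)

if __name__ == "__main__":
    # Usage: audit.py /opt/<exporter-dir>   (no argument runs the constructed demo)
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, reason in results:
        print(f"{path}: {reason}")
    sys.exit(1 if results else 0)
```

Run against a real install directory as any user that can read it; a non-zero exit status means at least one entry deviates from root:root or is writable beyond its owner.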