Report forwarded to debian-bugs-dist@lists.debian.org, Michael-John Turner <mj@debian.org>:
Bug#76417; Package mrtg.

From: KARASZI Istvan
To: submit@bugs.debian.org
Subject: Bug#76417: mrtg: why run mrtg with privileged user?
Reply-To: raszi@bigfoot.com, 76417@bugs.debian.org
Date: Mon, 06 Nov 2000 23:02:56 +0100
X-Mailer: bug 3.3.7

Package: mrtg
Version: 2.8.12-2
Severity: wishlist

Hello,

I think it's enough when mrtg runs with a non-privileged user (like www-data),
because it's already enough for most read things (snmpd, /proc/ files, etc.).
And this is maybe a possible sechole.

It's not a coincidence that I suggest the www-data user, because with apache's
default config the httpds run with this.

Thanks:
RASZi

-- System Information
Debian Release: woody
Kernel Version: Linux great.expectations 2.2.17 #1 Sat Oct 28 16:28:41 CEST 2000 i686 unknown

Versions of the packages mrtg depends on:
ii  freetype2       1.3.1-1        The FREE TrueType Font Engine, shared librar
ii  libc6           2.1.96-1       GNU C Library: Shared libraries and Timezone
ii  libgd1          1.8.3-3        GD Graphics Library
ii  libjpeg62       6b-1.2         The Independent JPEG Group's JPEG runtime li
ii  libpng2         1.0.8-1        PNG library - runtime
ii  libsnmp-sessio  0.79-1         Perl support for accessing SNMP-aware device
ii  xlib6g          4.0.1-1        pseudopackage providing X libraries
ii  zlib1g          1.1.3-11       compression library - runtime
ii  xlibs           4.0.1-1        X Window System client libraries
        ^^^ (Provides virtual package libxpm4)
ii  perl-5.005      5.005.03-7.1   Larry Wall's Practical Extracting and Report
        ^^^ (Provides virtual package perl5)

--- Ignoring conffile /etc/mrtg.cfg (not world readable)

--- Begin /etc/cron.d/mrtg (modified conffile)
0-55/5 * * * * www-data if [ -x /usr/bin/mrtg ]; then /usr/bin/mrtg /etc/mrtg.cfg; fi
--- End /etc/cron.d/mrtg

Acknowledgement sent to raszi@bigfoot.com:
New Bug report received and forwarded. Copy sent to Michael-John Turner <mj@debian.org>.

From: owner@bugs.debian.org (Debian Bug Tracking System)
To: raszi@bigfoot.com
Subject: Bug#76417: Acknowledgement (mrtg: why run mrtg with privileged user?)

Thank you for the problem report you have sent regarding Debian.
This is an automatically generated reply, to let you know your message has
been received. It is being forwarded to the developers mailing list for
their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Michael-John Turner

If you wish to submit further information on your problem, please send
it to 76417@bugs.debian.org (and *not* to bugs@bugs.debian.org).

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the Bug-tracking system.

Darren Benham
(administrator, Debian Bugs database)

Information forwarded to debian-bugs-dist@lists.debian.org, Michael-John Turner <mj@debian.org>:
Bug#76417; Package mrtg.

From: Peter Palfrader
To: 76417@bugs.debian.org
Subject: Bug#76417: running mrtg as !root
Date: Fri, 28 Sep 2001 23:42:51 +0200
Message-ID: <20010928234251.E16937@marvin.palfrader.org>

Hi MJ,

are there any reasons why mrtg is running as root? Running it as its own
user (not www-data as this user suggested) seems like a Good Idea to me.

In fact I already do this. Please consider doing it by default.

Thanks
--
Peter

Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael-John Turner <mj@debian.org>.

From: owner@bugs.debian.org (Debian Bug Tracking System)
To: Peter Palfrader
Subject: Bug#76417: Info received (was running mrtg as !root)
In-Reply-To: <20010928234251.E16937@marvin.palfrader.org>

Thank you for the additional information you have supplied regarding
this problem report. It has been forwarded to the developer(s) and
to the developers mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 Michael-John Turner

If you wish to continue to submit further information on your problem,
please send it to 76417@bugs.debian.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the Bug-tracking system.

Darren Benham
(administrator, Debian Bugs database)

Information forwarded to debian-bugs-dist@lists.debian.org, Michael-John Turner <mj@debian.org>:
Bug#76417; Package mrtg.

From: Michael-John Turner
To: Peter Palfrader, 76417@bugs.debian.org
Subject: Bug#76417: running mrtg as !root
Date: Sun, 28 Oct 2001 14:01:38 +0200
Message-ID: <20011028140137.A21323@energetic.uct.ac.za>
In-Reply-To: <20010928234251.E16937@marvin.palfrader.org>

Apologies for the late reply - somehow this message got lost in my inbox.

On Fri, Sep 28, 2001 at 11:42:51PM +0200, Peter Palfrader wrote:
> are there any reasons why mrtg is running as root? Running it as its own
> user (not www-data as this user suggested) seems like a Good Idea to me.

The only reason it's not done currently is that there are a few issues with
switching from running as root to running as non-root (mostly to do with
existing scripts, etc. and also updating the existing config, which is
problematic). I am still planning on moving away from root, however, once I
have a solution that fits everyone.

-mj
--
Michael-John Turner      | http://www.edr.uct.ac.za/~mj/
mj@debian.org            | Open Source in WC ZA - http://www.clug.org.za/
mj@phantom.eri.uct.ac.za | GPG/PGP key via mail, WWW or finger @phantom

Acknowledgement sent to Michael-John Turner <mj@energetic.uct.ac.za>:
Extra info received and forwarded to list. Copy sent to Michael-John Turner <mj@debian.org>.

Tags added: security
Request was from Josip Rodin <joy@cibalia.gkvk.hr> to control@bugs.debian.org.

From: Josip Rodin
To: control@bugs.debian.org
Subject: stuff
Date: Wed, 23 Jan 2002 21:47:05 +0100
Message-ID: <20020123214705.A3476@cibalia.gkvk.hr>

retitle 20641 race condition: creates zero length GIF files during updates
reassign 43949 mrtg-contrib
tag 43949 patch
retitle 45017 mrtg should depend on libgd1g (>= 1.6) not libgd1g (>= 1.3)
tag 45017 fixed
severity 68862 minor
retitle 69204 uptime statistics are for the SNMP device and not for the machine
severity 69204 minor
severity 93140 minor
severity 114388 wishlist
tag 76417 security

--
     2. That which causes joy or happiness.
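
The following check is an added example, not part of the bug log or of the mrtg package: it reads cron.d-style entries such as the /etc/cron.d/mrtg file quoted in the report and classifies the account each mrtg job runs as, following the distinction drawn in the thread between root, www-data (shared with httpd) and a user of mrtg's own. The `mrtg` account name and every sample line except the www-data one are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the user that each mrtg job in a cron.d-style
# file runs as. cron.d layout: min hour dom month dow USER command
# (or "@nickname USER command").
# Assumption: www-data counts as shared because the report notes that
# Apache's httpd runs as that user in the default configuration.

audit_mrtg_cron() {
    # Reads the files given as arguments, or stdin when none are given.
    # Prints one "<user> <verdict>" line per job that invokes mrtg.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/               { next }  # comments, blanks
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value lines
        {
            if ($1 ~ /^@/) { user = $2; first = 3 }      # @daily, @reboot ...
            else           { user = $6; first = 7 }
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd " " $i
            # Match the mrtg binary itself, not paths like /etc/mrtg.cfg.
            if (cmd !~ "(^|[ /])mrtg([ ;]|$)") next
            if (user == "root")          verdict = "privileged"
            else if (user == "www-data") verdict = "shared-with-httpd"
            else                         verdict = "dedicated"
            print user, verdict
        }
    ' "$@"
}

sample_cron() {
    # Constructed sample input; only the www-data line is from the report.
    cat <<'EOF'
# /etc/cron.d/mrtg variants
MAILTO=root
0-55/5 * * * * www-data if [ -x /usr/bin/mrtg ]; then /usr/bin/mrtg /etc/mrtg.cfg; fi
*/5 * * * * root /usr/bin/mrtg /etc/mrtg.cfg
*/5 * * * * mrtg /usr/bin/mrtg /etc/mrtg.cfg
17 * * * * root run-parts /etc/cron.hourly
EOF
}

sample_cron | audit_mrtg_cron
```

On a real system the function can be pointed at the files directly, for example `audit_mrtg_cron /etc/cron.d/*`.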