Re: Running MRTG as a non-root user - thoughts?

To: debian-devel@lists.debian.org
Subject: Re: Running MRTG as a non-root user - thoughts?
From: ferret@phonewave.net
Date: Sat, 25 Nov 2000 19:08:28 -0800 (PST)
Message-id: <[🔎] Pine.LNX.3.96.1001125185949.748G-100000@tarot.mentasm.org>
In-reply-to: <[🔎] 200011260014.eAQ0EGI22299@gondor.apana.org.au>

On Sun, 26 Nov 2000, Herbert Xu wrote:

> Michael-John Turner <mj@turner.org.za> wrote:
> >
> > Anyone got any thoughts on this? I don't want to go through the whole
> > process of switching to a non-root user if it isn't really necessary.
> 
> You've got this backwards.  This process should only be avoided if root
> privilege is really necessary for MRTG.  Personally I would put MRTG in
> the high risk category since it accepts input from remote hosts.

I see. Not that we might know of any, but it is conceivable for a remote
SNMP server to be compromised, and to exploit an unknown hole in mrtg to
breach local security. On the same token, the remote SNMP server could
also conceivably exploit the local SNMP server, which mrtg depends upon.

; I don't know specifically WHY SNMP would need root privs, but I'm pretty
; sure it does to be able to gather some of the system statistics.
; I also doubt an exploited SNMP server could do much besides feed
; falsified statistics, but that would be enough for a DoS.

Reply to:

Follow-Ups:
- Re: Running MRTG as a non-root user - thoughts?
  - From: Ralph Jennings <ralph@oro.net>

References:
- Re: Running MRTG as a non-root user - thoughts?
  - From: Herbert Xu <herbert@gondor.apana.org.au>

Prev by Date: Re: sony vaio laptops
Next by Date: Further changes to the BTS
Previous by thread: Re: Running MRTG as a non-root user - thoughts?
Next by thread: Re: Running MRTG as a non-root user - thoughts?
Index(es):
- Date
- Thread