
Re: Running MRTG as a non-root user - thoughts?



On Sat, Nov 25, 2000 at 07:08:28PM -0800, ferret@phonewave.net wrote:
> On Sun, 26 Nov 2000, Herbert Xu wrote:
> > Michael-John Turner <mj@turner.org.za> wrote:
> > > Anyone got any thoughts on this? I don't want to go through the whole
> > > process of switching to a non-root user if it isn't really necessary.
> > 
> > You've got this backwards.  This process should only be avoided if root
> > privilege is really necessary for MRTG.  Personally I would put MRTG in
> > the high risk category since it accepts input from remote hosts.
> 
> I see. Not that we might know of any, but it is conceivable for a remote
> SNMP server to be compromised, and to exploit an unknown hole in mrtg to
> breach local security. On the same token, the remote SNMP server could
> also conceivably exploit the local SNMP server, which mrtg depends upon.

OK, I'm confused...  I've got MRTG running as non-root, without a
local SNMP server.  I never had any problems except that the files
it created needed to be readable by "www-data", and weren't by
default created that way.  Easy to fix...

-Ralph


