Re: Running MRTG as a non-root user - thoughts?
On Sat, Nov 25, 2000 at 07:08:28PM -0800, firstname.lastname@example.org wrote:
> On Sun, 26 Nov 2000, Herbert Xu wrote:
> > Michael-John Turner <email@example.com> wrote:
> > > Anyone got any thoughts on this? I don't want to go through the whole
> > > process of switching to a non-root user if it isn't really necessary.
> > You've got this backwards. This process should only be avoided if root
> > privilege is really necessary for MRTG. Personally I would put MRTG in
> > the high risk category since it accepts input from remote hosts.
> I see. Not that we might know of any, but it is conceivable for a remote
> SNMP server to be compromised, and to exploit an unknown hole in mrtg to
> breach local security. On the same token, the remote SNMP server could
> also conceivably exploit the local SNMP server, which mrtg depends upon.
OK, I'm confused... I've got MRTG running as non-root, without a
local SNMP server. I never had any problems except that the files
it created needed to be readable by "www-data", and weren't by
default created that way. Easy to fix...