Bug#679771: run vnstatd as non-root
Package: vnstat
Version: 1.11-1
Severity: wishlist
Hi,
I think it would be really nice security-wise to run vnstatd as a normal user.
Not requiring root privileges is one of the advertised features
of vnstatd.
I just tried it:
1. as root: useradd -r vnstat -d /var/lib/vnstat
2. chown vnstat /var/lib/vnstat -R
3. add the following two lines in /etc/init.d/vnstat in the start branch:
     PIDDIR=/var/run/vnstat
     PIDFILE=$PIDDIR/vnstat.pid
     USER=vnstat
     mkdir -p $PIDDIR
     chown -R $USER $PIDDIR
   and add --chuid $USER to start-stop-daemon
4. change the pidfile in /etc/vnstat.conf
Seems to work fine.
Thanks,
Zbyszek
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages vnstat depends on:
ii libc6 2.13-33 Embedded GNU C Library: Shared lib
vnstat recommends no packages.
Versions of packages vnstat suggests:
pn vnstati <none> (no description available)
-- Configuration Files:
/etc/init.d/vnstat changed:
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="vnStat daemon"
NAME=vnstatd
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS="-d"
PIDDIR=/var/run/vnstat/
PIDFILE=$PIDDIR/vnstat.pid
SCRIPTNAME=/etc/init.d/vnstat
USER=vnstat
. /lib/lsb/init-functions
[ -x "$DAEMON" ] || exit 0
case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    mkdir -p $PIDDIR
    chown $USER $PIDDIR
    start-stop-daemon --chuid $USER --start --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON -- \
      $DAEMON_ARGS
    log_end_msg $?
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    start-stop-daemon --stop --quiet --oknodo --retry=TERM/15/KILL/5 --pidfile $PIDFILE \
      --name $NAME
    log_end_msg $?
    rm -f $PIDFILE
    ;;
  status)
    pidofproc -p $PIDFILE $DAEMON >/dev/null
    status=$?
    if [ $status -eq 0 ]; then
      log_success_msg "$DESC is running"
    else
      log_failure_msg "$DESC is not running"
    fi
    exit $status
    ;;
  reload|force-reload)
    log_daemon_msg "Reloading $DESC configuration..."
    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
    log_end_msg 0
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|status}"
    exit 1
    ;;
esac
exit 0
/etc/vnstat.conf changed:
Interface "eth0"
DatabaseDir "/var/lib/vnstat"
Locale "-"
MonthRotate 1
DayFormat "%x"
MonthFormat "%b '%y"
TopFormat "%x"
RXCharacter "%"
TXCharacter ":"
RXHourCharacter "r"
TXHourCharacter "t"
UnitMode 0
OutputStyle 3
RateUnit 1
MaxBandwidth 0
Sampletime 5
QueryMode 0
CheckDiskSpace 1
UseFileLocking 1
BootVariation 15
TrafficlessDays 1
UpdateInterval 30
PollInterval 5
SaveInterval 5
OfflineSaveInterval 30
SaveOnStatusChange 1
UseLogging 2
LogFile "/var/log/vnstat.log"
PidFile "/var/run/vnstat/vnstat.pid"
HeaderFormat "%x %H:%M"
HourlyRate 1
SummaryRate 1
SummaryLayout 1
TransparentBg 0
CBackground "FFFFFF"
CEdge "AEAEAE"
CHeader "606060"
CHeaderTitle "FFFFFF"
CHeaderDate "FFFFFF"
CText "000000"
CLine "B0B0B0"
CLineL "-"
CRx "92CF00"
CTx "606060"
CRxD "-"
CTxD "-"
-- no debconf information
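
A check for the setup described in this report, as an added example that is not part of the original report or of the vnstat package: it reads DatabaseDir and PidFile from vnstat.conf and confirms that both directories and the running daemon belong to the unprivileged account. The function names, the script name in the usage line, and the reliance on Linux /proc and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit a non-root vnstatd setup (assumes Linux /proc, GNU stat).

# conf_value KEY FILE: print the quoted value of a vnstat.conf directive.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# audit_vnstatd CONF USER: USER is a user name or a numeric UID (hypothetical
# interface). Prints one line per check and returns the number of failures.
audit_vnstatd() {
    conf=$1 fail=0
    case $2 in
        ''|*[!0-9]*) want=$(id -u "$2" 2>/dev/null) || { echo "FAIL: no user '$2'"; return 1; } ;;
        *)           want=$2 ;;
    esac
    dbdir=$(conf_value DatabaseDir "$conf")
    pidfile=$(conf_value PidFile "$conf")
    if [ -z "$dbdir" ] || [ -z "$pidfile" ]; then
        echo "FAIL: DatabaseDir or PidFile missing from $conf"; return 1
    fi
    # The daemon writes its database and its pid file, so both directories
    # must belong to the unprivileged account.
    for dir in "$dbdir" "$(dirname "$pidfile")"; do
        owner=$(stat -c %u "$dir" 2>/dev/null)
        if [ "$owner" = "$want" ]; then echo "ok:   $dir owned by uid $want"
        else echo "FAIL: $dir owned by uid ${owner:-?}, expected $want"; fail=$((fail + 1)); fi
    done
    # Effective UID of the running daemon: third field of the Uid: line
    # in /proc/PID/status (real, effective, saved, filesystem).
    pid=$(cat "$pidfile" 2>/dev/null)
    euid=$(awk '/^Uid:/ {print $3}' "/proc/${pid:-none}/status" 2>/dev/null)
    if [ "$euid" = "$want" ]; then echo "ok:   pid $pid runs with euid $want"
    else echo "FAIL: daemon euid is ${euid:-unknown}, expected $want"; fail=$((fail + 1)); fi
    return "$fail"
}

# Usage: sh audit-vnstatd.sh /etc/vnstat.conf vnstat
if [ $# -eq 2 ]; then audit_vnstatd "$1" "$2"; fi
```

A missing or stale pid file counts as a failure of the process check, since the daemon's identity cannot be confirmed without it.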