Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to run cli without root #4947

Closed
psteffen opened this issue Jan 24, 2017 · 12 comments · Fixed by #7074
Closed

Allow to run cli without root #4947

psteffen opened this issue Jan 24, 2017 · 12 comments · Fixed by #7074
Assignees
@dnsmichi
Labels
area/cli Command line helpers bug Something isn't working help wanted Extra attention is needed ref/NC
Milestone
2.11.0

Comments

@psteffen
Copy link

psteffen commented Jan 24, 2017
edited
Loading

Hi,

i'm build my icinga installation in a userspace and run it in the same :)

My problem is this code blog: https://github.com/Icinga/icinga2/blob/master/icinga-app/icinga.cpp#L377-L381

When i install the complete icinga installation in the user space, the cli need no access to files there are not located in my user space. So, the binary needs no root access.

Can we remove this block or make a build variable to deactive the uid check?

Best,
Patric
@dgoetz
Copy link
Contributor

dgoetz commented Jan 24, 2017

👍
I like the idea of checking actual permissions rather than uid as capabilities could also be removed from root.

@psteffen
Copy link
Author

My actual solution is so set the uid with fakeroot, but i think it is not the best way, because the binary need no root permissions.

@dnsmichi dnsmichi mentioned this issue Jan 25, 2017
Closed
@dnsmichi dnsmichi added bug Something isn't working area/cli Command line helpers labels Jan 25, 2017
@Al2Klimov Al2Klimov mentioned this issue Feb 15, 2017
Closed
@kobmaki
Copy link
Contributor

kobmaki commented Mar 5, 2017

@CobbleCity another solution is to modify the source code from the extracted code directory by:

sed -i s/"getuid() != 0"/"getuid() == 0"/g icinga-app/icinga.cpp
sed -i s/"must be run as root"/"must NOT be run as root"/g icinga-app/icinga.cpp

So you shouldn't need the fakeroot.

@kobmaki kobmaki mentioned this issue Mar 5, 2017
Closed
@psteffen
Copy link
Author

psteffen commented Mar 7, 2017

@kobmaki patches by myself are a workaround, but not a solution :)

@dnsmichi dnsmichi mentioned this issue Mar 22, 2017
Closed
@dnsmichi dnsmichi added the help wanted Extra attention is needed label Apr 26, 2017
@Al2Klimov Al2Klimov mentioned this issue May 5, 2017
Closed
@dnsmichi dnsmichi mentioned this issue May 10, 2017
Closed
@ip1981
Copy link

ip1981 commented Apr 13, 2018

The question is why does it need root in the first place? I my setups (99.99% automated) icinga2 always runs as an unprivileged user. This "enable feature" feature is just about manipulations with files (isn't it?), icinga2's home directory always has proper owner and permissions. I ended up with fakeroot.

All this situation with root does not look sane.

@widhalmt
Copy link
Member

widhalmt commented Mar 6, 2019

ref/NC/603163

@Al2Klimov
Copy link
Member

Please could anyone describe a real-world example of how does Icinga 2 run in a production setup w/o root?

@ip1981
Copy link

ip1981 commented Mar 7, 2019

Please could anyone describe a real-world example of how does Icinga 2 run in a production setup w/o root?

https://github.com/ip1981/nixsap/blob/f030c9a9d1dad41e84e034ff4b8c6ee75d5bf3fe/modules/apps/icinga2.nix#L263 :)

@Al2Klimov
Copy link
Member

Had to do with packaging, Docker, Puppet, ... but what the heck is that?

@Al2Klimov
Copy link
Member

Al2Klimov commented Mar 7, 2019
edited
Loading

If this is something like packaging, then it's for none of the officially supported OSes – so please stick with fakeroot (in this case).

@Al2Klimov
Copy link
Member

... or include a custom patch in your packager repo.

@dnsmichi
Copy link
Contributor

I will deal with this in a customer project which is tbd.

@dnsmichi dnsmichi self-assigned this Mar 11, 2019
dnsmichi pushed a commit that referenced this issue Apr 2, 2019
Impersonate as Icinga user, not root
7ca8c3e 
This requires write permissions for

- etc/features-*
- etc/*.conf
- var/{lib,cache}/icinga2/*

Typically permissions are handled by prepare-dirs,
or the respective CLI commands are run as root either way.

fixes #4947
@dnsmichi dnsmichi mentioned this issue Apr 2, 2019
Merged
@dnsmichi dnsmichi added this to the 2.11.0 milestone Apr 2, 2019
@dnsmichi dnsmichi mentioned this issue Jul 18, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dnsmichi dnsmichi

Labels
area/cli Command line helpers bug Something isn't working help wanted Extra attention is needed ref/NC
Projects
None yet
Milestone
2.11.0
7 participants
@ip1981 @dnsmichi @widhalmt @psteffen @dgoetz @Al2Klimov @kobmaki