[Bug]: incorrect plugin permissions in RPM packages #14132

Closed
ilyam8 opened this issue Dec 12, 2022 · 5 comments · Fixed by #14140
Labels: area/packaging (Packaging and operating systems support), bug

Comments

ilyam8 (Member) commented Dec 12, 2022

Bug description

I guess because we are setting permissions (install -m ...) which are later overwritten with %defattr(0750,root,netdata,0750)

netdata/netdata.spec.in, lines 488 to 492 in d127c10:

%defattr(0750,root,netdata,0750)
%dir %{_libexecdir}/%{name}/python.d
%dir %{_libexecdir}/%{name}/charts.d
%dir %{_libexecdir}/%{name}/plugins.d

As you can see, all the plugins have 0750:

bash-5.2$ ls -l
total 75016
-rwxr-x---. 1 root netdata     4873 Dec  5 16:32 acl.sh
-rwxr-x---. 1 root netdata      154 Dec  5 16:32 alarm-email.sh
-rwxr-x---. 1 root netdata   137717 Dec  5 16:32 alarm-notify.sh
-rwxr-x---. 1 root netdata     2143 Dec  5 16:32 alarm.sh
-rwxr-x---. 1 root netdata      301 Dec  5 16:32 alarm-test.sh
-rwxr-x---. 1 root netdata     7968 Dec  5 16:32 anonymous-statistics.sh
-rwxr-x---. 1 root netdata  2634256 Dec  5 16:32 apps.plugin
-rwxr-x---. 1 root netdata    21010 Dec  5 16:32 cgroup-name.sh
-rwxr-x---. 1 root netdata  2342664 Dec  5 16:32 cgroup-network
-rwxr-x---. 1 root netdata     8768 Dec  5 16:32 cgroup-network-helper.sh
-rwxr-x---. 1 root netdata     1259 Dec  5 16:32 charts.d.dryrun-helper.sh
-rwxr-x---. 1 root netdata    20102 Dec  5 16:32 charts.d.plugin
drwxr-x---. 2 root netdata    16384 Dec 12 20:39 ebpf.d
-rwxr-x---. 1 root netdata  3853040 Dec  5 16:32 ebpf.plugin
-rwxr-x---. 1 root netdata     5653 Dec  5 16:32 fping.plugin
-rwxr-x---. 1 root netdata     2139 Dec  5 16:32 get-kubernetes-labels.sh
-rwxr-x---. 1 root netdata 60551168 Nov 28 11:08 go.d.plugin
-rwxr-x---. 1 root netdata     7318 Dec  5 16:32 health-cmdapi-test.sh
-rwxr-x---. 1 root netdata     5380 Dec  5 16:32 ioping.plugin
-rwxr-x---. 1 root netdata     6860 Dec  5 16:32 loopsleepms.sh.inc
-rwxr-x---. 1 root netdata  2345064 Dec  5 16:32 nfacct.plugin
-rwxr-x---. 1 root netdata  2359488 Dec  5 16:32 perf.plugin
-rwxr-x---. 1 root netdata    27141 Dec  5 16:32 python.d.plugin
-rwxr-x---. 1 root netdata    11020 Dec  5 16:32 request.sh
-rwxr-x---. 1 root netdata  2351400 Dec  5 16:32 slabinfo.plugin
-rwxr-x---. 1 root netdata    21920 Dec  5 16:32 system-info.sh
-rwxr-x---. 1 root netdata     7334 Dec  5 16:32 tc-qos-helper.sh
-rwxr-x---. 1 root netdata     2903 Dec  5 16:32 template_dim.sh

Expected behavior

Plugin permissions don't get overwritten. I didn't check all the plugins, but from what I see all of them work (because of capabilities) except the ebpf plugin, which fails to start:

2022-12-12 19:51:36: ERROR : MAIN : ebpf.plugin should either run as root (now running with uid 998, euid 998) or have special capabilities.. (errno 2, No such file or directory)

Steps to reproduce

  1. install netdata RPM package
  2. check plugins permissions

Installation method

native binary packages (.deb/.rpm)

System info

Linux shared-fedora37 6.0.12-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 8 16:58:47 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
/etc/fedora-release:Fedora release 37 (Thirty Seven)
/etc/os-release:NAME="Fedora Linux"
/etc/os-release:VERSION="37 (Server Edition)"
/etc/os-release:ID=fedora
/etc/os-release:VERSION_ID=37
/etc/os-release:VERSION_CODENAME=""
/etc/os-release:PLATFORM_ID="platform:f37"
/etc/os-release:PRETTY_NAME="Fedora Linux 37 (Server Edition)"
/etc/os-release:ANSI_COLOR="0;38;2;60;110;180"
/etc/os-release:LOGO=fedora-logo-icon
/etc/os-release:CPE_NAME="cpe:/o:fedoraproject:fedora:37"
/etc/os-release:REDHAT_BUGZILLA_PRODUCT="Fedora"
/etc/os-release:REDHAT_BUGZILLA_PRODUCT_VERSION=37
/etc/os-release:REDHAT_SUPPORT_PRODUCT="Fedora"
/etc/os-release:REDHAT_SUPPORT_PRODUCT_VERSION=37
/etc/os-release:SUPPORT_END=2023-11-14
/etc/os-release:VARIANT="Server Edition"
/etc/os-release:VARIANT_ID=server
/etc/redhat-release:Fedora release 37 (Thirty Seven)
/etc/system-release:Fedora release 37 (Thirty Seven)

Netdata build info

Version: netdata v1.37.1
Configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--datadir=/usr/share' '--includedir=/usr/include' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/libexec' '--libdir=/usr/lib' '--with-zlib' '--with-math' '--with-user=netdata' '--disable-dependency-tracking' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes' 'CXX=g++' 'CXXFLAGS=-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib/pkgconfig:/usr/share/pkgconfig'
Install type: binpkg-rpm
    Binary architecture: x86_64
    Packaging distro:
Features:
    dbengine:                   YES
    Native HTTPS:               YES
    Netdata Cloud:              YES
    ACLK:                       YES
    TLS Host Verification:      YES
    Machine Learning:           YES
    Stream Compression:         YES
Libraries:
    protobuf:                YES (system)
    jemalloc:                NO
    JSON-C:                  YES
    libcap:                  NO
    libcrypto:               YES
    libm:                    YES
    tcalloc:                 NO
    zlib:                    YES
Plugins:
    apps:                    YES
    cgroup Network Tracking: YES
    CUPS:                    YES
    EBPF:                    YES
    IPMI:                    YES
    NFACCT:                  YES
    perf:                    YES
    slabinfo:                YES
    Xen:                     NO
    Xen VBD Error Tracking:  NO
Exporters:
    AWS Kinesis:             NO
    GCP PubSub:              NO
    MongoDB:                 NO
    Prometheus Remote Write: YES
Debug/Developer Features:
    Trace Allocations:       NO

Additional info

No response
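A checker for the symptom described above, added here as an example and not code from the netdata project: it reports whether ebpf.plugin kept its setuid bit and lists every plugin that ended up with plain 0750. It assumes GNU stat(1) and takes the plugins.d directory as its first argument.

```sh
#!/bin/sh
# Added example, not netdata project code: check whether plugins in a
# plugins.d directory kept the modes the report expects. Assumes GNU stat(1).

# Octal mode of a file, e.g. 4750 for -rwsr-x--- or 750 for -rwxr-x---.
file_mode() {
    stat -c '%a' "$1"
}

# True when the octal mode string carries the setuid bit (leading 4..7).
has_setuid() {
    case "$1" in
        4???|5???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# 0: ebpf.plugin is setuid and not group/world writable (-rwsr-x---).
# 1: setuid bit stripped (the %defattr(0750,...) symptom) or too open.
# 2: file missing.
check_ebpf_plugin() {
    mode=$(file_mode "$1/ebpf.plugin" 2>/dev/null) || return 2
    has_setuid "$mode" || return 1
    case "$mode" in
        ??[2367]?|???[2367]) return 1 ;;   # group or other has write
    esac
    return 0
}

# Regular files in $1 whose mode is exactly 750, one name per line. On a
# package hit by this bug ebpf.plugin shows up here alongside the others.
list_0750() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ "$(file_mode "$f")" = "750" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

if [ -n "$1" ]; then
    if check_ebpf_plugin "$1"; then
        echo "ebpf.plugin: setuid bit present"
    else
        echo "ebpf.plugin: setuid bit missing or mode too open" >&2
    fi
    echo "plugins with mode 0750:"
    list_0750 "$1"
fi
```

Run it as `sh check-plugins.sh /usr/libexec/netdata/plugins.d` after installing the package; on the affected build ebpf.plugin appears in the 0750 list.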

Ferroin (Member) commented Dec 13, 2022

The exact permissions are indeed not entirely correct, but the reliance on file capabilities instead of SUID is intentional and expected.

I’m not sure what’s up with the eBPF plugin here though (@thiagoftsm any thoughts on this?).

ilyam8 (Member, Author) commented Dec 13, 2022

@Ferroin I think the ebpf.plugin should have setuid bit (which we set and later unset).

but the reliance on file capabilities instead of SUID is intentional and expected.

I didn't mean it was a problem, the problem is permissions overwriting.

thiagoftsm (Contributor) commented Dec 13, 2022

@ilyam8 is right, eBPF needs root permission to run.

Updating, this is the normal installation permission:

root@hades:~# ls -l /usr/libexec/netdata/plugins.d/ebpf.plugin 
-rwsr-x--- 1 root netdata 3322216 Dec 12 13:36 /usr/libexec/netdata/plugins.d/ebpf.plugin*
root@hades:~# 

@Ferroin it is necessary to use root permission because we are loading data (ebpf programs) inside kernel ring.

Ferroin (Member) commented Dec 14, 2022

@thiagoftsm Are we absolutely certain it needs to be root specifically and that some combination of capabilities will not work? I’m really trying to move us away from SUID whenever possible as capabilities are more secure.

thiagoftsm (Contributor) commented

@thiagoftsm Are we absolutely certain it needs to be root specifically and that some combination of capabilities will not work? I’m really trying to move us away from SUID whenever possible as capabilities are more secure.

It is possible to load some eBPF programs without root permission, but our plugin loads all possible eBPF programs, this is the main reason we need root permissions.
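How a spec file can keep the section-wide 0750 default for capability-based plugins while preserving the setuid bit on the one plugin that needs root, shown as an added illustration rather than the project's spec or the change made in #14140: a per-file %attr overrides %defattr for that entry only.

```spec
# Added illustration, not netdata's spec: %defattr still applies to every
# entry below it, but the explicit %attr wins for ebpf.plugin, so the
# install-time setuid bit is no longer flattened to 0750 by the package.
%files
%defattr(0750,root,netdata,0750)
%dir %{_libexecdir}/%{name}/python.d
%dir %{_libexecdir}/%{name}/charts.d
%dir %{_libexecdir}/%{name}/plugins.d
%attr(4750,root,netdata) %{_libexecdir}/%{name}/plugins.d/ebpf.plugin
```

After rebuilding, `rpm -qlv` on the package (or `rpm -V netdata` on an installed system) shows whether the recorded mode for ebpf.plugin is -rwsr-x--- as in the "normal installation" listing above.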
