Any way to run smartctl without (unrestricted) root privileges? #205

Closed
frittentheke opened this issue Aug 14, 2023 · 3 comments

@frittentheke

I was wondering if there is any way to run smartctl without full root permissions?
There are posts like https://medium.com/opsops/why-smartctl-could-not-be-run-without-root-7ea0583b1323 which even attempt to explain why it cannot be used without root.

Especially when running persistent monitoring tools like the https://github.com/prometheus-community/smartctl_exporter, running them as root can become a security issue or unnecessary attack surface.
With all those features of recent kernels and also systemd to run processes such as this with certain CAPS or other restrictions and limitations, I was wondering if it really is not possible to at least narrow down the access rights.

@chrfranke

Smartctl needs to use pass-through I/O controls on raw disk devices. These need root privileges, which is good, because you could send arbitrary commands to the device. There are usually no limited (read-only) variants of such I/O controls available which work also with normal user privileges.
There is one known exception: On Windows, ATA SMART Attributes (without Thresholds) and NVMe controller/namespace/SMART info could be read without admin rights.

Conclusion: It depends on the available functionality of the OS kernel. Such enhancement requests need first to be addressed to the kernel developers. If such functionality is available, it could be added to smartctl.

@samm-git
Contributor

samm-git commented Aug 18, 2023

As was mentioned before - depends on OS. E.g. in macOS for the SMART API root is not required, as a downside - it is very limited compared to other operating systems. You may also run smartctl in the container and pass only the device you will want to monitor, which will reduce access to the other system parts. Another possible option is to play with capabilities() on Linux to see if CAP_SYS_RAWIO is enough for your task. Anyway, there is nothing to do in the smartctl for that, we are just consuming kernel interfaces provided by the system, so closing this ticket.
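
One way to set up the `CAP_SYS_RAWIO` and single-device experiment suggested above with systemd, as an added example that is not part of the original thread or of the smartctl or smartctl_exporter projects. The account name `smartmon`, the unit and binary paths and `/dev/sda` are assumptions, and whether `CAP_SYS_RAWIO` alone is enough still has to be tested on the target kernel and device type.

```ini
# /etc/systemd/system/smartctl_exporter.service  (hypothetical path and names)
[Unit]
Description=smartctl_exporter with reduced privileges (experiment)
After=network-online.target

[Service]
# Assumed install location of the exporter binary; adjust to your system.
ExecStart=/usr/local/bin/smartctl_exporter
# Dedicated unprivileged account (hypothetical name) instead of root.
User=smartmon
# Block device nodes are commonly root:disk 0660; the group permits open().
SupplementaryGroups=disk

# Grant only CAP_SYS_RAWIO. Ambient capabilities survive the exec of the
# smartctl child process; the bounding set makes this the hard ceiling.
AmbientCapabilities=CAP_SYS_RAWIO
CapabilityBoundingSet=CAP_SYS_RAWIO
NoNewPrivileges=yes

# Device cgroup: only the monitored disk is reachable, opened read-only.
# Assumption: smartctl opens the node read-only; use "rw" if the open fails.
# Do not add PrivateDevices=yes here, it removes CAP_SYS_RAWIO again.
DevicePolicy=closed
DeviceAllow=/dev/sda r

# General sandboxing unrelated to disk access.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelModules=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
LockPersonality=yes

[Install]
WantedBy=multi-user.target
```

If smartctl reports a permission error under this unit, the pass-through I/O control for that device type needs more than `CAP_SYS_RAWIO` on that kernel, which is the limitation described in the comments above.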

@chrfranke

You could also try to run a private copy of smartctl which is owned by root and has setuid bit set. A monitoring wrapper could then be run without root privileges. The copy of smartctl should then be placed in a restricted directory only accessible by monitoring user/group.
