#if HAVE_YAJL_YAJL_VERSION_H
#include <yajl/yajl_version.h>
#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
#include <limits.h>
#include <poll.h>
static int ceph_init(void)
{
int ret;
+
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_DAC_OVERRIDE)
+ if (check_capability (CAP_DAC_OVERRIDE) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("ceph plugin: Running collectd as root, but the "
+ "CAP_DAC_OVERRIDE capability is missing. The plugin's read "
+ "function will probably fail. Is your init system dropping "
+ "capabilities?");
+ else
+ WARNING ("ceph plugin: collectd doesn't have the CAP_DAC_OVERRIDE "
+ "capability. If you don't want to run collectd as root, try running "
+ "\"setcap cap_dac_override=ep\" on the collectd binary.");
+ }
+#endif
+
ceph_daemons_print();
ret = cconn_main_loop(ASOK_REQ_VERSION);
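Review bot: The non-root warning in ceph_init recommends `setcap cap_dac_override=ep` on the collectd binary without saying how broad that grant is. CAP_DAC_OVERRIDE bypasses file read, write and execute permission checks for the whole daemon and every plugin it loads, not only for this plugin. If the plugin only needs to reach the Ceph admin sockets (likely given `ASOK_REQ_VERSION`, but not shown here), the message should offer the narrower fix as well, for example by appending `"Alternatively, give the collectd user access to the Ceph admin sockets."`. ceph_init continues past the end of the hunk.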
# include <arpa/inet.h>
#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
#ifdef HAVE_LIBKSTAT
extern kstat_ctl_t *kc;
#endif
sfree (array[i]);
sfree (array);
} /* }}} void strarray_free */
+
+#ifdef HAVE_SYS_CAPABILITY_H
+int check_capability (int capability) /* {{{ */
+{
+#ifdef _LINUX_CAPABILITY_VERSION_3
+ cap_user_header_t cap_header = calloc(sizeof (*cap_header), 1);
+ if (cap_header == NULL)
+ {
+ ERROR("check_capability: calloc failed");
+ return (-1);
+ }
+
+ cap_user_data_t cap_data = calloc(sizeof (*cap_data), 1);
+ if (cap_data == NULL)
+ {
+ ERROR("check_capability: calloc failed");
+ sfree(cap_header);
+ return (-1);
+ }
+
+ cap_header->pid = getpid();
+ cap_header->version = _LINUX_CAPABILITY_VERSION;
+ if (capget(cap_header, cap_data) < 0)
+ {
+ ERROR("check_capability: capget failed");
+ sfree(cap_header);
+ sfree(cap_data);
+ return (-1);
+ }
+
+ if ((cap_data->effective & (1 << capability)) == 0)
+ {
+ sfree(cap_header);
+ sfree(cap_data);
+ return (-1);
+ }
+ else
+ {
+ sfree(cap_header);
+ sfree(cap_data);
+ return (0);
+ }
+#else
+ WARNING ("check_capability: unsupported capability implementation. "
+ "Some plugin(s) may require elevated privileges to work properly.");
+ return (0);
+#endif /* _LINUX_CAPABILITY_VERSION_3 */
+} /* }}} int check_capability */
+#endif /* HAVE_SYS_CAPABILITY_H */
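Review bot: check_capability guards on `_LINUX_CAPABILITY_VERSION_3` but then sets `cap_header->version = _LINUX_CAPABILITY_VERSION`, which selects the legacy 32-bit ABI, and it tests `1 << capability` with no range check. A capability numbered 32 or above cannot be represented in that single `effective` word and makes the shift undefined, and 31 overflows a signed int. The values passed in this commit are all below 32, but the function is exported for any caller. Requesting the version 3 layout needs a two-element data array indexed by `capability / 32`, as sketched below. The two calloc() calls can then become stack objects, which removes the repeated cleanup paths.

```c
int check_capability (int capability) /* {{{ */
{
#ifdef _LINUX_CAPABILITY_VERSION_3
  struct __user_cap_header_struct cap_header = {
    .version = _LINUX_CAPABILITY_VERSION_3,
    .pid = getpid ()
  };
  struct __user_cap_data_struct cap_data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };

  /* Reject values that do not fit the 2 x 32-bit capability sets. */
  if ((capability < 0) || (capability >= 32 * _LINUX_CAPABILITY_U32S_3))
  {
    ERROR ("check_capability: capability %d is out of range", capability);
    return (-1);
  }

  if (capget (&cap_header, cap_data) < 0)
  {
    ERROR ("check_capability: capget failed");
    return (-1);
  }

  if ((cap_data[capability / 32].effective & (1U << (capability % 32))) == 0)
    return (-1);
  return (0);
/* … unchanged: #else branch for unsupported capability implementations … */
```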
int strarray_add (char ***ret_array, size_t *ret_array_len, char const *str);
void strarray_free (char **array, size_t array_len);
+#ifdef HAVE_SYS_CAPABILITY_H
+/** Check if the current process benefits from the capability passed in
+ * argument. Returns zero if it does, less than zero if it doesn't or on error.
+ * See capabilities(7) for the list of possible capabilities.
+ * */
+int check_capability (int capability);
+#endif /* HAVE_SYS_CAPABILITY_H */
+
#endif /* COMMON_H */
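Review bot: The doc comment on check_capability promises zero only when the process has the capability, but the implementation added in common.c also returns 0 when nothing was checked. That happens in its `#else` branch, taken when `_LINUX_CAPABILITY_VERSION_3` is not defined. A caller reading only the header will treat that result as a positive answer. I would extend the comment with `Also returns zero, after logging a warning, when the capability implementation is unsupported and no check could be made.` and state that only the effective set is inspected.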
#include <pcap.h>
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
/*
* Private data types
*/
listen_thread_init = 1;
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_RAW)
+ if (check_capability (CAP_NET_RAW) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("dns plugin: Running collectd as root, but the CAP_NET_RAW "
+ "capability is missing. The plugin's read function will probably "
+ "fail. Is your init system dropping capabilities?");
+ else
+ WARNING ("dns plugin: collectd doesn't have the CAP_NET_RAW capability. "
+ "If you don't want to run collectd as root, try running \"setcap "
+ "cap_net_raw=ep\" on the collectd binary.");
+ }
+#endif
+
return (0);
} /* int dns_init */
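Review bot: This capability warning block in dns_init is the same dozen lines the commit also adds to the ceph, exec, iptables and ping init functions, differing only in plugin name and capability. A single helper in common.c would keep the wording and the root test in one place. Something like `int check_capability_warn (char const *plugin, int capability, char const *cap_name);` (the name is only a suggestion) could be called as `check_capability_warn ("dns", CAP_NET_RAW, "cap_net_raw");`. The helper would also be the natural place to use `geteuid ()` instead of `getuid ()`, since the effective UID is the one that governs privilege. The start of dns_init is outside the hunk.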
#include <grp.h>
#include <signal.h>
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
#define PL_NORMAL 0x01
#define PL_NOTIF_ACTION 0x02
sigaction (SIGCHLD, &sa, NULL);
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_SETUID) && defined(CAP_SETGID)
+ if ((check_capability (CAP_SETUID) != 0) ||
+ (check_capability (CAP_SETGID) != 0))
+ {
+ if (getuid () == 0)
+ WARNING ("exec plugin: Running collectd as root, but the CAP_SETUID "
+ "or CAP_SETGID capabilities are missing. The plugin's read function "
+ "will probably fail. Is your init system dropping capabilities?");
+ else
+ WARNING ("exec plugin: collectd doesn't have the CAP_SETUID or "
+ "CAP_SETGID capabilities. If you don't want to run collectd as root, "
+ "try running \"setcap 'cap_setuid=ep cap_setgid=ep'\" on the "
+ "collectd binary.");
+ }
+#endif
+
return (0);
} /* int exec_init }}} */
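Review bot: The non-root branch of this warning presents `setcap 'cap_setuid=ep cap_setgid=ep'` as the way to avoid running collectd as root, but a process holding CAP_SETUID can change to any UID, including 0. The binary therefore stays root-equivalent in practice. I would say so in the message or in a comment above the check, e.g. `/* CAP_SETUID lets the process assume any UID, so this is not a real privilege reduction over root. */`. The message also cannot tell the operator which of the two capabilities is missing, because both checks share one branch; testing them separately would fix that. The start of exec_init is outside the hunk.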
#include <libiptc/libiptc.h>
#include <libiptc/libip6tc.h>
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
/*
* iptc_handle_t was available before libiptc was officially available as a
* shared library. Note, that when the shared lib was introduced, the API and
return (0);
} /* int iptables_shutdown */
+static int iptables_init (void)
+{
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_ADMIN)
+ if (check_capability (CAP_NET_ADMIN) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("iptables plugin: Running collectd as root, but the "
+ "CAP_NET_ADMIN capability is missing. The plugin's read "
+ "function will probably fail. Is your init system dropping "
+ "capabilities?");
+ else
+ WARNING ("iptables plugin: collectd doesn't have the CAP_NET_ADMIN "
+ "capability. If you don't want to run collectd as root, try "
+ "running \"setcap cap_net_admin=ep\" on the collectd binary.");
+ }
+#endif
+ return (0);
+} /* int iptables_init */
+
void module_register (void)
{
plugin_register_config ("iptables", iptables_config,
config_keys, config_keys_num);
+ plugin_register_init ("iptables", iptables_init);
plugin_register_read ("iptables", iptables_read);
plugin_register_shutdown ("iptables", iptables_shutdown);
} /* void module_register */
# include <netdb.h> /* NI_MAXHOST */
#endif
+#ifdef HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+
#include <oping.h>
#ifndef NI_MAXHOST
"Will use a timeout of %gs.", ping_timeout);
}
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_RAW)
+ if (check_capability (CAP_NET_RAW) != 0)
+ {
+ if (getuid () == 0)
+ WARNING ("ping plugin: Running collectd as root, but the CAP_NET_RAW "
+ "capability is missing. The plugin's read function will probably "
+ "fail. Is your init system dropping capabilities?");
+ else
+ WARNING ("ping plugin: collectd doesn't have the CAP_NET_RAW capability. "
+ "If you don't want to run collectd as root, try running \"setcap "
+ "cap_net_raw=ep\" on the collectd binary.");
+ }
+#endif
+
return (start_thread ());
} /* }}} int ping_init */
static int
check_permissions(void)
{
-#ifdef HAVE_SYS_CAPABILITY_H
- struct __user_cap_header_struct cap_header_data;
- cap_user_header_t cap_header = &cap_header_data;
- struct __user_cap_data_struct cap_data_data;
- cap_user_data_t cap_data = &cap_data_data;
- int ret = 0;
-#endif /* HAVE_SYS_CAPABILITY_H */
if (getuid() == 0) {
/* We have everything we need */
return 0;
-#ifndef HAVE_SYS_CAPABILITY_H
+#if !defined(HAVE_SYS_CAPABILITY_H) && !defined(CAP_SYS_RAWIO)
} else {
ERROR("turbostat plugin: Initialization failed: this plugin "
"requires collectd to run as root");
return -1;
}
-#else /* HAVE_SYS_CAPABILITY_H */
+#else /* HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO */
}
- /* check for CAP_SYS_RAWIO */
- cap_header->pid = getpid();
- cap_header->version = _LINUX_CAPABILITY_VERSION;
- if (capget(cap_header, cap_data) < 0) {
- ERROR("turbostat plugin: capget failed");
- return -1;
- }
+ int ret = 0;
- if ((cap_data->effective & (1 << CAP_SYS_RAWIO)) == 0) {
+ if (check_capability(CAP_SYS_RAWIO) != 0) {
WARNING("turbostat plugin: Collectd doesn't have the "
"CAP_SYS_RAWIO capability. If you don't want to run "
"collectd as root, try running \"setcap "
"collectd a special capability (CAP_SYS_RAWIO) and read "
"access to /dev/cpu/*/msr (see previous warnings)");
return ret;
-#endif /* HAVE_SYS_CAPABILITY_H */
+#endif /* HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO */
}
static int
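Review bot: The new guard in check_permissions, `#if !defined(HAVE_SYS_CAPABILITY_H) && !defined(CAP_SYS_RAWIO)`, is not the negation of the condition named on the matching `#else` comment (`HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO`). With `&&`, a build that has the header but no `CAP_SYS_RAWIO` macro takes the `#else` branch and references `CAP_SYS_RAWIO` there. The guard should read `#if !defined(HAVE_SYS_CAPABILITY_H) || !defined(CAP_SYS_RAWIO)`. Part of the function body between the hunks is not shown, so this is based on the visible lines only.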