On Fri, Jun 28, 2019 at 08:11:31AM +0200, Antoine Jacoutot wrote:
> On Wed, Jun 26, 2019 at 05:29:14PM +0200, Joel Carnat wrote:
> > Hello,
> >
> > I've just installed sysutils/monit on some new server and noticed there
> > was no dedicated user created to run the daemon.
> >
> > I already run it as non-root on several servers. So I know it works.
> > Note that there are cases (service restart for example) that require
> > configuring doas rules. But once done, everything runs ok.
> >
> > If you think that's ok, here's a patch to create a dedicated user.
> > Inspired from net/openvpn port.
> >
> > Regards,
> > Jo
>
> > --- infrastructure/db/user.list.orig Wed Jun 26 17:04:43 2019
> > +++ infrastructure/db/user.list Wed Jun 26 17:06:41 2019
> > @@ -348,2 +348,3 @@
> > 837 _thingsd _thingsd net/thingsd
> > 838 _i2pd _i2pd net/i2pd
> > +839 _monit _monit sysutils/monit
> >
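Review bot: 839 in the added user.list line is simply the next number after 838 _i2pd, and the .orig it was diffed against is dated Jun 26. Since this file is the shared registry for all ports, please re-check that 839 is still unallocated in the current tree right before commit, and keep it identical to the id used by @newgroup/@newuser in pkg/PLIST.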
> > --- sysutils/monit/pkg/PLIST.orig Wed May 1 21:21:57 2019
> > +++ sysutils/monit/pkg/PLIST Wed Jun 26 17:14:10 2019
> > @@ -1,3 +1,5 @@
> > @comment $OpenBSD: PLIST,v 1.11 2019/05/01 19:21:57 landry Exp $
> > +@newgroup _monit:839
> > +@newuser _monit:839:_monit:daemon:Monit Daemon:/var/monit:/sbin/nologin
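Review bot: the @newuser line sets the home to /var/monit, but nothing in the visible part of this hunk creates that directory or gives _monit ownership of it, so the account would point at a path that may not exist or may be owned by root. Either add the directory to the PLIST with matching @owner/@group entries or use a home the daemon never needs to write to. The visible hunks also only register the account: no rc script or README change is shown that actually runs monit as _monit or documents the doas rules the cover mail says are required for service restarts.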
>
> Can't we use /nonexistent for HOME like most other daemons do?
>
I have just changed the home directory to /nonexistent and the daemon
seems to start and work ok that way.

BTW, following stu@'s "(...) I think it really needs more support (...)"
remark, I searched for things that would break if Monit would not run as
root. I found that the "network ping test" requires root access to run.
I don't use it myself so I didn't notice it when running as _monit.

Documentation says: "Monit must also run as the root user in order to be
able to perform the ping test (because the ping test must use raw
sockets which usually only the super user is allowed to)."
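
A pre-flight check for the two breakage points named in this thread (ping tests needing raw sockets, and service restarts needing doas rules) can be run over a monitrc before switching the daemon to `_monit`. This is an added example, not part of the original thread or of Monit; the function name `lint_monitrc`, the finding labels and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample monitrc, for illustration only.
SAMPLE_MONITRC = '''\
set daemon 60
check host gw with address 192.0.2.1
    if failed ping then alert
check process httpd with pidfile /var/run/httpd.pid
    start program = "/usr/sbin/rcctl start httpd"
    stop program = "/usr/bin/doas /usr/sbin/rcctl stop httpd"
    if failed port 80 protocol http then restart
'''

# Tests that need a raw socket, which an unprivileged _monit cannot open.
PING_RE = re.compile(r'\bif\s+failed\s+(ping[46]?|icmp)\b', re.I)
# start/stop/restart program = "command line"
PROGRAM_RE = re.compile(r'\b(start|stop|restart)\s+program\s*=?\s*"([^"]+)"', re.I)
CHECK_RE = re.compile(r'check\s+\w+\s+(\S+)', re.I)


def lint_monitrc(text, privilege_wrappers=("doas",)):
    """Return (line number, service, finding) tuples for statements that
    are likely to fail when Monit runs as a non-root user.

    Heuristic (assumption): a start/stop program is flagged when it is not
    invoked through a privilege wrapper. Programs that need no privileges
    are flagged too, so each finding is a prompt for review, not an error.
    Comment stripping is naive and ignores '#' inside quoted strings.
    """
    findings = []
    service = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if m:
            service = m.group(1)
        if PING_RE.search(line):
            findings.append((lineno, service, "ping-needs-root"))
        m = PROGRAM_RE.search(line)
        if m:
            argv0 = m.group(2).split()[0].rsplit('/', 1)[-1]
            if argv0 not in privilege_wrappers:
                findings.append((lineno, service, "program-without-doas"))
    return findings


if __name__ == "__main__":
    for finding in lint_monitrc(SAMPLE_MONITRC):
        print(finding)
```

Each `program-without-doas` finding corresponds to a command that needs a matching, narrowly scoped rule in doas.conf if it requires root.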