Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Running exporter as non-root? sudo for calls to smartctl? #146

Open
frittentheke opened this issue Aug 14, 2023 · 6 comments
Open

Running exporter as non-root? sudo for calls to smartctl? #146

frittentheke opened this issue Aug 14, 2023 · 6 comments

Comments

@frittentheke
Copy link

I was wondering if it was really necessary to run the whole smartctl_exporter as root. This is even promoted via the provided systemd unit https://github.com/prometheus-community/smartctl_exporter/blob/master/systemd/smartctl_exporter.service

I know smartctl does seem to require this (smartmontools/smartmontools#205).
But maybe there is a way to not require for the exporter to run as root but to just call a privileged smartctl?
Is the good old sudo the right approach? Just by setting smartctl.path to sudo smartctl.path maybe?
@lahwaacz
Copy link
Contributor

lahwaacz commented Aug 14, 2023
edited
Loading

You can easily switch various security features of the systemd service to see what works and what not. I don't see an advantage in adding another layer with sudo...

@NiceGuyIT
Copy link
Member

Adding sudo to the exporter is not going to happen.

As suggested by @lahwaacz, if you figure out how to configure systemd to improve the security, PRs are welcome!

@k0ste
Copy link
Contributor

k0ste commented Aug 14, 2023

@frittentheke FYI prometheus-smartctl-exporter.service in AUR
If you can test it, tune it, PR it - it can be part of smartctl_exporter tarball

@frittentheke
Copy link
Author

I see my provocation of creativity by just mentioning sudo worked :-). Thanks for taking the quest to reduce the privileges seriously and let's see if there is something that could work for most installs.

@NiceGuyIT NiceGuyIT mentioned this issue Aug 26, 2023
Closed
@DaAwesomeP
Copy link
Contributor

The AUR service unit looks very promising! Unfortunately I am not able to test/pull at this time.

The full documentation of these options can he found here: https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Note that not all distros ship the latest Systemd, so newer options may result in warnings in the journal. However, in my experience it is backward-compatible without issue (you may not get all of the security features but still as many as possible).

@subnix
Copy link

subnix commented Jan 26, 2024

I'm looking for a secure way to run the exporter too. These privileges are required for smartctl:

  1. CAP_SYS_RAWIO capability to be able to access raw devices;
  2. disk user group, which owns all the disks.

So you can add these lines to the systemd unit:

[Service]
...
CapabilityBoundingSet=CAP_SYS_RAWIO
AmbientCapabilities=CAP_SYS_RAWIO
Group=disk
...

But this set of privileges may lead to privilege escalation since root filesystem is accessible for writing. So sudo with limiting sudoers configuration still looks more secure.

@kennethso168 kennethso168 mentioned this issue Feb 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@lahwaacz @DaAwesomeP @k0ste @NiceGuyIT @subnix @frittentheke