Have monit change UID while running tasks if the include file is not owned by root
Issue #300
closed
I would like to add a feature to support multiple teams on the same box - But have the same behaviors in production.
Currently, we run Monit in a few teams as a nonprivileged user. I would like to move the ownership of Monit to the systems team and include service directories. This will allow services to publish their own RC files, and play nicely in collapsed testing environments.
If I made such a change would a pull request be welcome (sorry if the verb different on bitbucket)?
Comments (4)
-
repo owner
-
reporter
So a switch plus file ownership would be a go.. assuming I get it working...
-
repo owner
- changed status to closed
We were thinking about the feature, it could be little bit dangerous from the security point of view. Monit would have to switch the uid/gid even when running the test itself, so the user won't be able to read data or create socket which he is not entitled for.
Simple and secure solution is to let each team run their own monit instance. Each monit instance just needs its own set of the following files:
the following file locations needs to be customized per-instance:
set idfile <path> set statefile <path> set pidfile <path> set logfile <path> #note: only if a path to a file is used - if "set logfile syslog" is used, no customization is necessary set eventqueue <path> #note: only if eventqueue is enabledand the httpd interface needs its own port where it can listen.
It is possible to use M/Monit to control all these Monit instances centrally (for super-admin).
-
repo owner
- removed version
Removing version: 5.10 (automated comment)
- Log in to comment
Interesting suggestion. I wonder if this can be made more explicit as relaying on file owner is easy to forget and can become a bit magical. Maybe with a special --switch when starting Monit or with a .monitrc statement? A good PR is always welcome. Please see the contribution guidelines on the front page first.