Add proper SUID fallback for DEB plugin packages. (#15803)

* Add proper SUID fallback for DEB plugin packages. * Update contrib/debian/netdata-plugin-perf.postinst --------- Co-authored-by: Ilya Mashchenko <ilya@netdata.cloud>
2025-04-27 06:10:43 +00:00 · 2023-08-14 10:15:47 -04:00 · 2023-08-14 10:15:47 -04:00 · 0aedcbef6b
commit 0aedcbef6b
parent e12fbc0524
6 changed files with 28 additions and 5 deletions
--- a/contrib/debian/netdata-plugin-apps.postinst
+++ b/contrib/debian/netdata-plugin-apps.postinst
@ -5,7 +5,10 @@ set -e
 case "$1" in
  configure|reconfigure)
    chown root:netdata /usr/libexec/netdata/plugins.d/apps.plugin
-    setcap "cap_dac_read_search=eip cap_sys_ptrace=eip" /usr/libexec/netdata/plugins.d/apps.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/apps.plugin
+    if ! setcap "cap_dac_read_search=eip cap_sys_ptrace=eip" /usr/libexec/netdata/plugins.d/apps.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/apps.plugin
+    fi
    ;;
 esac

--- a/contrib/debian/netdata-plugin-debugfs.postinst
+++ b/contrib/debian/netdata-plugin-debugfs.postinst
@ -5,7 +5,10 @@ set -e
 case "$1" in
  configure|reconfigure)
    chown root:netdata /usr/libexec/netdata/plugins.d/debugfs.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/debugfs.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/debugfs.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/debugfs.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/debugfs.plugin
+    fi
    ;;
 esac

--- a/contrib/debian/netdata-plugin-go.postinst
+++ b/contrib/debian/netdata-plugin-go.postinst
@ -5,7 +5,10 @@ set -e
 case "$1" in
  configure|reconfigure)
    chown root:netdata /usr/libexec/netdata/plugins.d/go.d.plugin
-    setcap "cap_net_admin=eip cap_net_raw=eip" /usr/libexec/netdata/plugins.d/go.d.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/go.d.plugin
+    if ! setcap "cap_net_admin=eip cap_net_raw=eip" /usr/libexec/netdata/plugins.d/go.d.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/go.d.plugin
+    fi
    ;;
 esac

--- a/contrib/debian/netdata-plugin-perf.postinst
+++ b/contrib/debian/netdata-plugin-perf.postinst
@ -5,10 +5,18 @@ set -e
 case "$1" in
  configure|reconfigure)
    chown root:netdata /usr/libexec/netdata/plugins.d/perf.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/perf.plugin
+
    if capsh --supports=cap_perfmon 2>/dev/null; then
        setcap cap_perfmon+ep /usr/libexec/netdata/plugins.d/perf.plugin
+        ret="$?"
    else
        setcap cap_sys_admin+ep /usr/libexec/netdata/plugins.d/perf.plugin
+        ret="$?"
+    fi
+
+    if [ "${ret}" -ne 0 ]; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/perf.plugin
    fi
    ;;
 esac
--- a/contrib/debian/netdata-plugin-slabinfo.postinst
+++ b/contrib/debian/netdata-plugin-slabinfo.postinst
@ -5,7 +5,10 @@ set -e
 case "$1" in
  configure|reconfigure)
    chown root:netdata /usr/libexec/netdata/plugins.d/slabinfo.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/slabinfo.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    fi
    ;;
 esac

--- a/contrib/debian/netdata-plugin-systemd-journal.postinst
+++ b/contrib/debian/netdata-plugin-systemd-journal.postinst
@ -5,7 +5,10 @@ set -e
 case "$1" in
  configure|reconfigure)
    chown root:netdata /usr/libexec/netdata/plugins.d/systemd-journal.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/systemd-journal.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    fi
    ;;
 esac