From 0aedcbef6be5deb561b5e6d5292e40b33dd01f87 Mon Sep 17 00:00:00 2001
From: "Austin S. Hemmelgarn" <austin@netdata.cloud>
Date: Mon, 14 Aug 2023 10:15:47 -0400
Subject: [PATCH] Add proper SUID fallback for DEB plugin packages. (#15803)

* Add proper SUID fallback for DEB plugin packages.

* Update contrib/debian/netdata-plugin-perf.postinst

---------

Co-authored-by: Ilya Mashchenko <ilya@netdata.cloud>
---
 contrib/debian/netdata-plugin-apps.postinst            | 5 ++++-
 contrib/debian/netdata-plugin-debugfs.postinst         | 5 ++++-
 contrib/debian/netdata-plugin-go.postinst              | 5 ++++-
 contrib/debian/netdata-plugin-perf.postinst            | 8 ++++++++
 contrib/debian/netdata-plugin-slabinfo.postinst        | 5 ++++-
 contrib/debian/netdata-plugin-systemd-journal.postinst | 5 ++++-
 6 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/contrib/debian/netdata-plugin-apps.postinst b/contrib/debian/netdata-plugin-apps.postinst
index 04f9145385..f2e52a4b37 100644
--- a/contrib/debian/netdata-plugin-apps.postinst
+++ b/contrib/debian/netdata-plugin-apps.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/apps.plugin
-    setcap "cap_dac_read_search=eip cap_sys_ptrace=eip" /usr/libexec/netdata/plugins.d/apps.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/apps.plugin
+    if ! setcap "cap_dac_read_search=eip cap_sys_ptrace=eip" /usr/libexec/netdata/plugins.d/apps.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/apps.plugin
+    fi
     ;;
 esac
 
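Review bot: The fallback at `chmod -f 4750` replaces a one- or two-capability grant with full setuid-root and does so silently, so nothing in the dpkg output tells an administrator which plugins ended up SUID. The same pattern is in the debugfs, go.d, slabinfo and systemd-journal hunks. I would print a line to stderr inside the `then` branch, for example `echo "setcap failed for apps.plugin; falling back to SUID root" >&2`, so the wider privilege is visible and auditable. `-f` also hides chmod's own error text, and since the hunk header shows `set -e`, a failing chmod would presumably abort the postinst with no message at all. If the new `chmod 0750` is there to clear a setuid bit left by an earlier fallback run, a comment such as `# reset any SUID bit from a previous fallback before retrying setcap` would make that explicit.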
diff --git a/contrib/debian/netdata-plugin-debugfs.postinst b/contrib/debian/netdata-plugin-debugfs.postinst
index 75d08fd17f..4519dabd38 100644
--- a/contrib/debian/netdata-plugin-debugfs.postinst
+++ b/contrib/debian/netdata-plugin-debugfs.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/debugfs.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/debugfs.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/debugfs.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/debugfs.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/debugfs.plugin
+    fi
     ;;
 esac
 
diff --git a/contrib/debian/netdata-plugin-go.postinst b/contrib/debian/netdata-plugin-go.postinst
index 9cfce16f62..70d67aaa13 100644
--- a/contrib/debian/netdata-plugin-go.postinst
+++ b/contrib/debian/netdata-plugin-go.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/go.d.plugin
-    setcap "cap_net_admin=eip cap_net_raw=eip" /usr/libexec/netdata/plugins.d/go.d.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/go.d.plugin
+    if ! setcap "cap_net_admin=eip cap_net_raw=eip" /usr/libexec/netdata/plugins.d/go.d.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/go.d.plugin
+    fi
     ;;
 esac
 
diff --git a/contrib/debian/netdata-plugin-perf.postinst b/contrib/debian/netdata-plugin-perf.postinst
index 5250275cc2..76905878ef 100644
--- a/contrib/debian/netdata-plugin-perf.postinst
+++ b/contrib/debian/netdata-plugin-perf.postinst
@@ -5,10 +5,18 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/perf.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/perf.plugin
+
     if capsh --supports=cap_perfmon 2>/dev/null; then
         setcap cap_perfmon+ep /usr/libexec/netdata/plugins.d/perf.plugin
+        ret="$?"
     else
         setcap cap_sys_admin+ep /usr/libexec/netdata/plugins.d/perf.plugin
+        ret="$?"
+    fi
+
+    if [ "${ret}" -ne 0 ]; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/perf.plugin
     fi
     ;;
 esac
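Review bot: The `ret="$?"` lines after each `setcap` call cannot record a failure. Assuming the `set -e` shown in the hunk header is still in effect, a failing `setcap` in the body of the `if`/`else` exits the script before the assignment runs. The `chmod -f 4750` fallback for perf.plugin is therefore unreachable and the package configure step fails instead, unlike the `if ! setcap …` form used in the other five files. Initialise `ret=0` before the `if capsh` test and write the calls as `setcap cap_perfmon+ep /usr/libexec/netdata/plugins.d/perf.plugin || ret="$?"` and `setcap cap_sys_admin+ep /usr/libexec/netdata/plugins.d/perf.plugin || ret="$?"`, dropping the two standalone `ret="$?"` lines.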
diff --git a/contrib/debian/netdata-plugin-slabinfo.postinst b/contrib/debian/netdata-plugin-slabinfo.postinst
index b697e724e1..b4aa87baeb 100644
--- a/contrib/debian/netdata-plugin-slabinfo.postinst
+++ b/contrib/debian/netdata-plugin-slabinfo.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/slabinfo.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/slabinfo.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/slabinfo.plugin
+    fi
     ;;
 esac
 
diff --git a/contrib/debian/netdata-plugin-systemd-journal.postinst b/contrib/debian/netdata-plugin-systemd-journal.postinst
index d2f71970f0..b5e56f7584 100644
--- a/contrib/debian/netdata-plugin-systemd-journal.postinst
+++ b/contrib/debian/netdata-plugin-systemd-journal.postinst
@@ -5,7 +5,10 @@ set -e
 case "$1" in
   configure|reconfigure)
     chown root:netdata /usr/libexec/netdata/plugins.d/systemd-journal.plugin
-    setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    chmod 0750 /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    if ! setcap "cap_dac_read_search=eip" /usr/libexec/netdata/plugins.d/systemd-journal.plugin; then
+        chmod -f 4750 /usr/libexec/netdata/plugins.d/systemd-journal.plugin
+    fi
     ;;
 esac