Red Hat Summit7.5. Running the Agent as a Non-Root User
To access some resource information, the agent must have root access to the resource itself. However, for security, many administrators do not want to run the agent process as root.
On Red Hat Enterprise Linux, it is possible to grant access to the agent to specific resources while running the agent as a non-root user. This is done by setting local access control rules to the local directories or files for the resource.
Note
This example sets ACLs for a PostgreSQL database; the directories and files to specify in the setfacl command will vary depending on the resource type.
- Log into the system as root.
- Make sure that the acl package is installed on the system.
rpm -q acl
# rpm -q acl acl-2.2.39-6.el5Copy to Clipboard Copied! Toggle word wrap Toggle overflow Theacloption must be applied to the filesystem. This can be done by editing the/etc/fstabfile or using tune2fs. For example:vim /etc/fstab
# vim /etc/fstab LABEL=/ / ext3 defaults,acl 1 1 ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow Then re-mount the filesystem.mount -o remount /
# mount -o remount /Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Optionally, create a system user to use for the agent.
useradd jbosson-agent
useradd jbosson-agentCopy to Clipboard Copied! Toggle word wrap Toggle overflow - For PostgreSQL, the agent needs to be able to access the
postgresql.conffile. Open the PostgreSQL directory:cd /var/lib/pgsql
# cd /var/lib/pgsqlCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Grant read and write access to the
postgresql.conffile to the agent user. For example:setfacl -m u:jbosson-agent:rw $PGDATA/postgresql.conf
# setfacl -m u:jbosson-agent:rw $PGDATA/postgresql.confCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Then, grant access to the
data/directory to the agent user. For example:setfacl -m u:jbosson-agent:x $PGDATA
# setfacl -m u:jbosson-agent:x $PGDATACopy to Clipboard Copied! Toggle word wrap Toggle overflow - Check that the new ACLs were added properly using the getfacl command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}