opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

sysutils/node_exporter runs as user 'nobody' #133

Closed jkellerer closed 1 year ago

jkellerer commented 3 years ago

node_exporter runs as user nobody, while the similar sysutils port telegraf runs as its own user.

That is in general not a problem, but it prevents implementing TLS and auth support as requested in https://github.com/opnsense/plugins/issues/2497, as private keys should not be readable by nobody and node_exporter cannot start as root and drop its privileges later.

The user that node_exporter will be started with can be configured in rc.d, but I've not found an adequate user to replace nobody with. Also, there doesn't seem to be any plugin that dynamically creates a system user as it would be a bad idea to have an ID outside of the range of UIDs.

Question: Is this something that can (or should) be changed in the ports (e.g. introduce a user like _node-exporter)?

jkellerer commented 2 years ago

As far as I understand, this has to be fixed upstream (to avoid conflicts in user IDs).

fichtner commented 2 years ago

@jkellerer thanks for the info... is that an upstream version not yet in OPNsense or already merged?

jkellerer commented 2 years ago

Not that I would be aware of, and in fact the node_exporter pkg has a config option for the service user. However, without an assigned user in UIDs this is not easy to use, and the UIDs list is imported from FreeBSD; that's why I think we cannot fix it here if we want to avoid conflicts on user IDs.

fichtner commented 2 years ago

Ah ok, that would mean we would have to enhance the FreeBSD port for it?

jkellerer commented 2 years ago

Yes, that's what I'm thinking, unless there is another option to create a service user.

fichtner commented 2 years ago

We could add the user register/unregister hooks in our plugin, but the FreeBSD ports integration for specific users/groups works really well, so it would be best to use that.

jkellerer commented 2 years ago

Fully agree, I also thought about creating a user dynamically but this would be the only plugin doing that and it wouldn't be very clean. For the moment I'd just keep it that way, maybe I'll request this change in FreeBSD instead.

fichtner commented 2 years ago

It's unlikely much changes there just from requesting. How about we both work on it in our ports tree and upstream it?

Cheers, Franco

jkellerer commented 2 years ago

Ok. I'll check what needs to be changed and prepare a PR.

jkellerer commented 2 years ago

Just found this entry: prometheus:*:478:478::0:0:Prometheus Daemon:/var/tmp/prometheus:/usr/sbin/nologin

Looks like this case is already partially fixed with the move to FreeBSD. It seems to originate from the Prometheus daemon that collects input from exporters, but on Linux this user is also used for node_exporter, so it should be ok to use it.

This would mean the remaining change is to ensure the user is added when the package is installed.
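The UIDs entry quoted above, checked for login-name/uid collisions against a local passwd database and turned into the corresponding account-creation command, as an added example that is not code from the opnsense/ports tree or the FreeBSD ports framework. The passwd and rc.conf text is constructed sample data; the node_exporter_user rc variable, its nobody default and the exact pw useradd argument layout are assumptions.

```shell
#!/bin/sh
# Added example (not from opnsense/ports or the FreeBSD ports framework):
# parse a FreeBSD ports UIDs-style entry, check it for login-name / uid
# collisions against a passwd database, build the pw(8) command that would
# create the account, and read the service user back from rc.conf text.
# All passwd and rc.conf content below is constructed sample data.

# Entry quoted in the thread from the FreeBSD ports UIDs file.
UIDS_ENTRY='prometheus:*:478:478::0:0:Prometheus Daemon:/var/tmp/prometheus:/usr/sbin/nologin'

# Constructed passwd database; the last line deliberately reuses uid 478
# under another name to show the collision the thread worries about.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
otherdaemon:*:478:478:Other Daemon:/nonexistent:/usr/sbin/nologin'

# uids_field ENTRY N: print colon-separated field N (1-based) of ENTRY.
uids_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# uids_conflict ENTRY PASSWD: print "exists" when the same name+uid pair is
# already present, "name" or "uid" when only one of them is taken by a
# different account, and "none" when the entry can be added safely.
uids_conflict() {
    printf '%s\n' "$2" | awk -F: -v n="$(uids_field "$1" 1)" -v u="$(uids_field "$1" 3)" '
        $1 == n && $3 == u { print "exists"; found = 1; exit }
        $1 == n            { print "name";   found = 1; exit }
        $3 == u            { print "uid";    found = 1; exit }
        END { if (!found) print "none" }'
}

# pw_useradd_cmd ENTRY: the pw(8) invocation a pkg-install step would run to
# create the account (argument layout assumed, not taken from the framework).
pw_useradd_cmd() {
    printf 'pw useradd %s -u %s -g %s -c "%s" -d %s -s %s\n' \
        "$(uids_field "$1" 1)" "$(uids_field "$1" 3)" "$(uids_field "$1" 4)" \
        "$(uids_field "$1" 8)" "$(uids_field "$1" 9)" "$(uids_field "$1" 10)"
}

# rc_service_user RCCONF: print the node_exporter_user value from rc.conf-style
# text, or "nobody" when unset (variable name and default are assumptions).
rc_service_user() {
    v=$(printf '%s\n' "$1" | sed -n 's/^node_exporter_user="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | tail -n 1)
    printf '%s\n' "${v:-nobody}"
}

# Stand-alone demo: report the collision, then show the creation command.
echo "conflict: $(uids_conflict "$UIDS_ENTRY" "$SAMPLE_PASSWD")"
pw_useradd_cmd "$UIDS_ENTRY"
```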