Closed bigHosting closed 4 years ago
You could add "-P" to the command line that invokes hsflowd (e.g. in /lib/systemd/system/hsflowd.service). That stops it from dropping privileges from root->nobody.
Maybe we should automatically avoid dropping privileges if we discover that /proc would become unreadable?
Another approach might be to run hsflowd as a container and then you can control how (and where) the server's /proc appears to it.
My bad, I should have checked switches. That works perfectly fine. Thank you.
I was testing hsflowd on one of my CentOS VMs, and it seems that the service cannot be started on systems where /proc is not the usual 0755. On public-facing servers, the procedure is to harden folders and files to break kernel exploits.
When I started hsflowd with /proc 0550, it crashed and strace showed that it was trying to use user nobody and the process wanted to read interface information from /proc.
Is there an (easy) way to change the user through the /etc/ config? If not, I'll live with it as I realize my environment is not a typical one :)
Feel free to close this ticket if the answer is no :)
Thank you!
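The pre-check floated in the reply above (skip the privilege drop when /proc would become unreadable), sketched as an added example; it is not hsflowd's code. The function names are hypothetical, and the check looks only at mode bits and ownership, so ACLs, LSM policy and mount options such as hidepid are not covered.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Could a process running as (uid, gid), with no supplementary groups and no
 * capabilities, list and traverse a directory with this mode and ownership?
 * The kernel picks exactly one permission class: owner, else group, else other. */
bool dir_usable_by(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid)
{
    mode_t need_r, need_x;
    if (uid == 0)
        return true;                    /* root bypasses mode bits */
    if (uid == owner)      { need_r = S_IRUSR; need_x = S_IXUSR; }
    else if (gid == group) { need_r = S_IRGRP; need_x = S_IXGRP; }
    else                   { need_r = S_IROTH; need_x = S_IXOTH; }
    return (mode & need_r) && (mode & need_x);
}

/* 1: path stays usable after dropping to (uid, gid); 0: it does not;
 * -1: path could not be examined. */
int safe_to_drop(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    return dir_usable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid) ? 1 : 0;
}

int main(void)
{
    /* "nobody" is the account named in the thread; its uid differs per distro. */
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL) {
        fprintf(stderr, "no 'nobody' account; staying privileged\n");
        return 1;
    }
    int ok = safe_to_drop("/proc", pw->pw_uid, pw->pw_gid);
    if (ok == 1)
        printf("/proc readable as nobody: dropping privileges is safe\n");
    else
        printf("/proc not readable as nobody: keep privileges (as with -P)\n");
    return ok == 1 ? 0 : 2;
}
```

With /proc at 0550 owned by root, the "other" class has no bits set, so the check reports that the drop to nobody would lose access, which matches the crash described in the report.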