Where did the RRD quality graphs go?



  • I had been wondering why the RRD quality graphs hadn't been working for me, but then I was looking through the scripts related to RRD graphs and found no mention of the quality graphs at all in /var/db/rrd/updaterrd.sh nor in the part of /etc/inc/rrd.inc that generates the script.  When did this get removed?  Or is there another script somewhere that is supposed to handle it?

    I am currently using pfSense-2.0-BETA1-512mb-20100122-0133-nanobsd, but I haven't seen it working in any of the builds I've tried in the past month (I hadn't tried any earlier ones, though).



  • They pull their data from apinger now. Mine are all working, I'm not running any embedded 2.0 at the moment though.



  • This is still broken in a fresh install of the nanobsd snap, 20100305-1040.

    apinger is definitely running:

    ps aux | grep apinger
    nobody  1867  0.0  0.6  3304  1360  ??  Ss    8:11PM   0:19.96 /usr/local/sbin/apinger -c /var/etc/apinger.conf
    

    apinger is definitely configured with a rrd file for the wan interface:

    grep -E "(^target|rrd file)" /var/etc/apinger.conf | sed -E "s/([0-9]{1,3}\.{0,1}){4}/x.x.x.x/g"
    target default {
            #rrd file "/var/db/rrd/apinger-%t.rrd"
    target "x.x.x.x" {
            rrd file "/var/db/rrd/wan-quality.rrd"
    

    apinger is definitely not creating the rrd file:

    ls -l /var/db/rrd/wan-quality.rrd
    ls: /var/db/rrd/wan-quality.rrd: No such file or directory
    

    It appears the issue lies in the fact that apinger does a setuid/setgid nobody:nobody, and is therefore unable to create the rrd file in /var/db/rrd/ (which is root:wheel, 755 by default). If I chown nobody /var/db/rrd and restart apinger, the rrd file is created and everything works fine. Once apinger builds the rrd file initially, you can chown root /var/db/rrd, and it continues to work.

    Unfortunately, a simpler workaround of using touch to create an empty /var/db/rrd/wan-quality.rrd file and then chown'ing that to nobody does not work - apinger will not attempt to turn it into a rrd file and use it. That leaves three options for real fixes:

    1. Have apinger create the rrd file and chown nobody prior to giving up root
    2. Prior to running apinger, manually use rrdtool to create the files apinger will be using as root and chown nobody
    3. Create the user rrd, run apinger under rrd:nobody, chown rrd /var/db/rrd

    Personally, I'd rather see option #3 implemented from a security perspective. The idea of having a rrd filed owned by nobody scares me a little, since it's possible for any unprivileged process running under nobody to write to the file, leaving the chance for a process running as root (lighttpd?) to attempt to parse an intentionally corrupt file and exploit some yet-to-be-discovered flaw.



  • Thanks for the detailed report, rewt. Ticket opened.
    http://redmine.pfsense.org/issues/show/409


Log in to reply