
[monit-dev] [monit] r293 committed - bug #31129: do not require root to


From: monit
Subject: [monit-dev] [monit] r293 committed - bug #31129: do not require root to use ping test. Privilege to create...
Date: Tue, 28 Sep 2010 22:23:18 +0000

Revision: 293
Author: martin2812
Date: Tue Sep 28 15:09:00 2010
Log: bug #31129: do not require root to use ping test. Privilege to create
raw socket is still required, but on some platforms such as Solaris it
can be granted to non-root users too. If the user has no permission to
perform ping, monit will skip the ICMP test and log a message (in debug
mode only).



http://code.google.com/p/monit/source/detail?r=293

Modified:
 /trunk/CHANGES.txt
 /trunk/net.c
 /trunk/p.y
 /trunk/validate.c

=======================================
--- /trunk/CHANGES.txt  Tue Sep 28 13:53:24 2010
+++ /trunk/CHANGES.txt  Tue Sep 28 15:09:00 2010
@@ -13,6 +13,11 @@

 * ICMP echo test (ping):
      - bug #31128: do not log error if different response type is received
+ - bug #31129: do not require root to use ping test. Privilege to create
+ raw socket is still required, but on some platforms such as Solaris it
+ can be granted to non-root users too. If the user has no permission to
+ perform ping, monit will skip the icmp test and log message (in debug
+       mode only).

 * Fix crash on MacOSX

=======================================
--- /trunk/net.c        Tue Sep 28 13:42:31 2010
+++ /trunk/net.c        Tue Sep 28 15:09:00 2010
@@ -648,7 +648,9 @@
  * @param hostname The host to open a socket at
  * @param timeout If response will not come within timeout seconds abort
  * @param count How many pings to send
- * @return response time on succes, -1 on error
+ * @return response time on succes, -1 on error, -2 when monit has no
+ * permissions for raw socket (normally requires root or net_icmpaccess
+ * privilege on Solaris)
  */
 double icmp_echo(const char *hostname, int timeout, int count) {
   struct sockaddr_in sout;
@@ -681,7 +683,12 @@
   }

   if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) {
- LogError("ICMP echo for %s -- socket failed: %s\n", hostname, STRERROR);
+    if (errno == EACCES || errno == EPERM) {
+ DEBUG("ICMP echo for %s -- cannot create socket: %s\n", hostname, STRERROR);
+      response = -2.;
+    } else {
+ LogError("ICMP echo for %s -- canot create socket: %s\n", hostname, STRERROR);
+    }
     goto error2;
   }
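Review bot: The non-permission branch logs `canot create socket`, a typo in a runtime error string that operators are likely to search logs for; it should read `cannot create socket`, as the DEBUG line two lines above already does. The `response = -2.;` sentinel is a bare magic number that validate.c in this same commit tests with `==`, so a shared named constant (for example `ICMP_ECHO_NOPERM`, a name constructed for this note) declared next to the icmp_echo() prototype would keep the two files in step. Testing `errno` immediately after the failed `socket()` call, before any logging, is the right order and should stay that way. The body of icmp_echo() starts and ends outside this hunk.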

=======================================
--- /trunk/p.y  Fri Sep 24 11:47:07 2010
+++ /trunk/p.y  Tue Sep 28 15:09:00 2010
@@ -2540,23 +2540,21 @@
  * Add a new icmp object to the current service's icmp list
  */
 static void addicmp(Icmp_T is) {
-  if (!getuid()) {
-    Icmp_T icmp;
-
-    ASSERT(is);
-
-    NEW(icmp);
-    icmp->type         = is->type;
-    icmp->count        = is->count;
-    icmp->timeout      = is->timeout;
-    icmp->action       = is->action;
-    icmp->is_available = FALSE;
-    icmp->response     = -1;
-
-    icmp->next         = current->icmplist;
-    current->icmplist  = icmp;
-  } else
-    yyerror("icmp statements must be run as root");
+  Icmp_T icmp;
+
+  ASSERT(is);
+
+  NEW(icmp);
+  icmp->type         = is->type;
+  icmp->count        = is->count;
+  icmp->timeout      = is->timeout;
+  icmp->action       = is->action;
+  icmp->is_available = FALSE;
+  icmp->response     = -1;
+
+  icmp->next         = current->icmplist;
+  current->icmplist  = icmp;
+
   reset_icmpset();
 }
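Review bot: With the `getuid()` check removed, addicmp() accepts every icmp statement, but its header comment does not say where the privilege decision now lives. I would extend the comment with something like `No privilege check at parse time: icmp_echo() reports a missing raw-socket permission at run time by returning -2`. Judging from the removed `yyerror(...)` call, a missing privilege used to be reported as a configuration error at parse time and is now reported only when the test runs, which is worth stating in the user documentation as well.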

=======================================
--- /trunk/validate.c   Sun Sep 19 15:01:47 2010
+++ /trunk/validate.c   Tue Sep 28 15:09:00 2010
@@ -488,7 +488,10 @@

         icmp->response = icmp_echo(s->path, icmp->timeout, icmp->count);

-        if (icmp->response < 0) {
+        if (icmp->response == -2) {
+          icmp->is_available = TRUE;
+ DEBUG("'%s' icmp ping skipped -- the monit user has no permission to create raw socket, please run monit as root or add privilege for net_icmpaccess\n", s->name);
+        } else if (icmp->response == -1) {
           icmp->is_available = FALSE;
           DEBUG("'%s' icmp ping failed\n", s->name);
Event_post(s, Event_Icmp, STATE_FAILED, icmp->action, "failed ICMP test [%s]", icmpnames[icmp->type]);
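Review bot: In the new `icmp->response == -2` branch the test is marked `is_available = TRUE` and the only trace is a DEBUG line, so outside debug mode a configured ping check that never ran looks the same as one that passed. I would report the skip at a level that is visible by default, at least the first time it happens for a service, for instance by using `LogError(` instead of `DEBUG(` on that line (assuming the logger used in net.c is available here), and consider leaving `is_available` untouched rather than forcing it to TRUE. The next branch narrows the old `icmp->response < 0` to `== -1`; keeping `} else if (icmp->response < 0) {` would still treat any other negative return as a failure instead of letting it fall through. The enclosing function starts and ends outside this hunk.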


