RFC: Monit Environment purging


RFC: Monit Environment purging

Jan-Henrik Haukeland

I think it is high time for Monit to stop purging of the environment. It has created a lot of problems for users not to have environment variables available in scripts and has created a need for awkward workarounds.

I’m also unsure how much security is improved by purging the environment. So I propose that this feature is dropped and that Monit no longer will purge the environment. Alternatively, introduce a new --no-sandbox switch which does this, though I fear this will be overlooked and better to have it as default that the environment is kept. Unless there are valid arguments against this proposal, we’ll add this now.




_______________________________________________
monit-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/monit-dev

Re: RFC: Monit Environment purging

Andrew Forward
+1

We have monit wrappers to specifically put the environment stuff back in, and it confuses people when they try to run things outside that wrapper.

-- aforward

> On Feb 20, 2014, at 9:39 AM, Jan-Henrik Haukeland <[hidden email]> wrote:
>
>
> I think it is high time for Monit to stop purging of the environment. It has created a lot of problems for users not to have environment variables available in scripts and has created a need for awkward workarounds.
>
> I’m also unsure how much security is improved by purging the environment. So I propose that this feature is dropped and that Monit no longer will purge the environment. Alternatively, introduce a new --no-sandbox switch which does this, though I fear this will be overlooked and better to have it as default that the environment is kept. Unless there are valid arguments against this proposal, we’ll add this now.
>
>
>
>
> _______________________________________________
> monit-dev mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/monit-dev


Re: RFC: Monit Environment purging

Jan-Henrik Haukeland
I've just modified Monit to keep the environment in sub-processes, see https://bitbucket.org/tildeslash/monit/commits/cd545838378517f84bdb0989cadf461a19d8ba11

If anyone wants to give it a test, you can download the latest version from https://bitbucket.org/tildeslash/monit/get/master.tar.gz


On 20 Feb 2014, at 18:38, Andrew Forward <[hidden email]> wrote:

> +1
>
> We have monit wrappers to specifically put the environment stuff back in, and it confuses people when they try to run things outside that wrapper.
>
> -- aforward
>
>> On Feb 20, 2014, at 9:39 AM, Jan-Henrik Haukeland <[hidden email]> wrote:
>>
>>
>> I think it is high time for Monit to stop purging of the environment. It has created a lot of problems for users not to have environment variables available in scripts and has created a need for awkward workarounds.
>>
>> I’m also unsure how much security is improved by purging the environment. So I propose that this feature is dropped and that Monit no longer will purge the environment. Alternatively, introduce a new --no-sandbox switch which does this, though I fear this will be overlooked and better to have it as default that the environment is kept. Unless there are valid arguments against this proposal, we’ll add this now.
>>
>>
>>
>>
>> _______________________________________________
>> monit-dev mailing list
>> [hidden email]
>> https://lists.nongnu.org/mailman/listinfo/monit-dev
>
> _______________________________________________
> monit-dev mailing list
> [hidden email]
> https://lists.nongnu.org/mailman/listinfo/monit-dev



Re: RFC: Monit Environment purging

Michael Shigorin
On Thu, Feb 20, 2014 at 03:39:40PM +0100, Jan-Henrik Haukeland wrote:
> I think it is high time for Monit to stop purging of the environment.

It's a nice knob for those who have taken many more measures at
security but it's a hurdle for many indeed (could be an armoured
door in a stick fence).

--
 ---- WBR, Michael Shigorin / http://altlinux.org
  ------ http://opennet.ru / http://anna-news.info
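
The trade-off discussed in this thread can be reproduced from a shell. The following is an added example, not part of any message above and not Monit code: it runs the same probe with an inherited environment, with an environment reduced to a fixed PATH (an approximation of purging; the thread does not say what Monit's purge retained), and with an allowlist as a middle ground. The function names, the PATH value and the sample variables are assumptions.

```sh
#!/bin/sh
# Added example, not Monit code. Function names, the fixed PATH and the
# sample variables below are constructed for illustration.

# Approximate a purged environment: the child gets only a fixed PATH.
run_purged() {
    env -i PATH=/usr/bin:/bin "$@"
}

# Middle ground: copy only allowlisted variables from the caller.
# $1 is a space-separated list of names from trusted configuration.
run_allowlisted() {
    _allow=$1; shift
    for _name in $_allow; do
        # Accept plain identifiers only, since the name is passed to eval.
        case $_name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        # Skip names that are unset in the caller.
        eval "[ \"\${$_name+set}\" = set ]" || continue
        eval "_val=\$$_name"
        # Prepend NAME=value so the command stays at the end of "$@".
        set -- "$_name=$_val" "$@"
    done
    env -i PATH=/usr/bin:/bin "$@"
}

# Probe run in the child: prints APP_HOME, or <unset> if it is missing.
probe='printf "%s\n" "${APP_HOME-<unset>}"'

# Constructed sample values.
APP_HOME="/srv/my app"; export APP_HOME
UNTRUSTED_VAR="set by caller"; export UNTRUSTED_VAR

echo "inherited:   $(sh -c "$probe")"
echo "purged:      $(run_purged sh -c "$probe")"
echo "allowlisted: $(run_allowlisted 'APP_HOME' sh -c "$probe")"
```

Running a service script through `run_purged` outside the supervisor is a quick way to find which variables it silently depends on.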
