Date: Thu, 16 Oct 2008 12:05:01 +0100 From: "Daniel Bye" <danielby@slightlystrange.org> To: freebsd-questions@freebsd.org Subject: Re: FreeBSD and Nagios - permissions Message-ID: <20081016110501.GB80147@torus.slightlystrange.org> In-Reply-To: <20081016080452.GA4150@icarus.home.lan> References: <48F6EDF2.4070109@intersonic.se> <20081016080452.GA4150@icarus.home.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
--eJnRUKwClWJh1Khz
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> >=20
> > camcontrol inquiry da0
> >=20
> > The nagios user does not have a shell by default in FreeBSD:
> > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/no=
login
> > so the script will obviously fail.
>=20
> I think the problem is probably more along the lines of: you can't
> run camcontrol as user "nagios", because root access is required to
> communicate with CAM (open /dev/xptX).
>=20
> Two recommendations:
>=20
> 1) Write wrapper program (this requires C) which calls "camcontrol
> inquiry da0". The wrapper binary should be owned by root:nagios,
> and perms should be 4710 (so that individuals in the "nagios" group
> can run the binary, but no one else). This C program is very, very
> simple.
>=20
> 2) Use "sudo" and set up a ***VERY*** restrictive command list for user
> "nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT
> recommend this method, as it's possible for someone to use nagios to
> run something like "camcontrol reset" or "camcontrol eject" as root,
> or even worse, "camcontrol cmd" (could induce a low-level format of
> one of your disks),
It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.
This Cmnd_Alias in sudoers will do the trick:
Cmnd_Alias NAGIOS_CMNDS =3D /sbin/camcontrol inquiry da0
man sudoers for more information about what you can do with sudo.
Dan
--=20
Daniel Bye
_
ASCII ribbon campaign ( )
- against HTML, vCards and X
- proprietary attachments in e-mail / \
--eJnRUKwClWJh1Khz
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
iEYEARECAAYFAkj3H90ACgkQixf5fBYiFmot5ACeI7v19RjW1oronfU0fLwuavMH
/YUAoK+IWalRtFP27yQjnTuNw22x9d9s
=0/AE
-----END PGP SIGNATURE-----
--eJnRUKwClWJh1Khz--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081016110501.GB80147>