Date:      Thu, 16 Oct 2008 22:07:43 +0200
From:      Per olof Ljungmark <peo@intersonic.se>
To:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD and Nagios - permissions
Message-ID:  <48F79F0F.5020402@intersonic.se>
In-Reply-To: <48F75EE5.2090908@intersonic.se>
References:  <48F6EDF2.4070109@intersonic.se> <20081016080452.GA4150@icarus.home.lan> <20081016110501.GB80147@torus.slightlystrange.org> <20081016124700.GC80147@torus.slightlystrange.org> <48F75EE5.2090908@intersonic.se>

Per olof Ljungmark wrote:
> Daniel Bye wrote:
>> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>>> It is possible to configure sudo to run only exactly the required command
>>> (including arguments) precisely to guard against this type of abuse -
>>> I use it extensively in my own nagios setup.
>>>
>>> This Cmnd_Alias in sudoers will do the trick:
>>>
>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>>
>>> man sudoers for more information about what you can do with sudo.
>>
>> I just realised this example is woefully incomplete - apologies for that.
>>
>> There are a few ways you can set up /usr/local/etc/sudoers (make sure
>> you use visudo to edit it, as it will catch any syntax errors for you,
>> thus helping somewhat to prevent breaking your setup).
>>
>> The simplest case will just be to allow nagios to run the command, as root,
>> without a password:
>>
>> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>>
>> If, as is quite possible, nagios should be able to run more than just
>> that one command, you can define a Cmnd_Alias, as above. To include more
>> than one command in the alias, simply separate them with a comma. You
>> can use `\' to escape newlines and make your file a little easier to read:
>>
>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
>>                           /sbin/camcontrol inquiry da1
>>
>> and so on. Now, to use that alias, set the user's permissions to
>>
>> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

For the record, even this won't work because nagios needs access to 
/dev/xpt0 as well, and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied

--per
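The exact-argument matching Daniel relies on above, and the comma-plus-backslash alias layout, as an added Python model of sudoers behaviour (not code from the thread; the names render_cmnd_alias and command_allowed are my own):

```python
"""Model sudoers Cmnd_Alias rendering and sudo's command matching.

Added illustration, not part of the original thread. It reproduces the
documented sudoers rules: an entry that lists arguments matches only that
exact argument vector, a bare path matches any arguments, and a path
followed by "" matches the command run with no arguments at all.
"""
import shlex


def render_cmnd_alias(name: str, commands: list[str]) -> str:
    """Render one Cmnd_Alias, comma-separated and backslash-continued,
    with continuation lines aligned under the first command."""
    prefix = f"Cmnd_Alias {name} = "
    indent = " " * len(prefix)
    return prefix + (", \\\n" + indent).join(commands)


def command_allowed(allowed: list[str], argv: list[str]) -> bool:
    """Return True if argv (path first) is permitted by one of the
    sudoers command entries in `allowed`."""
    for entry in allowed:
        words = shlex.split(entry)      # '""' survives as an empty token
        path, args = words[0], words[1:]
        if argv[0] != path:
            continue
        if not args:                    # bare path: any arguments allowed
            return True
        if args == [""]:                # explicit "": only the bare command
            if len(argv) == 1:
                return True
            continue
        if argv[1:] == args:            # listed arguments: exact match only
            return True
    return False


if __name__ == "__main__":
    # Constructed sample mirroring the alias discussed in the thread.
    nagios_cmnds = ["/sbin/camcontrol inquiry da0",
                    "/sbin/camcontrol inquiry da1"]
    print(render_cmnd_alias("NAGIOS_CMNDS", nagios_cmnds))
    print(command_allowed(nagios_cmnds, ["/sbin/camcontrol", "inquiry", "da0"]))
    print(command_allowed(nagios_cmnds, ["/sbin/camcontrol", "reset", "da0"]))
```

The model covers command-line matching only; permissions on device nodes such as /dev/xpt0 are checked by the kernel when the command opens them, which is the separate problem Per reports.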

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48F79F0F.5020402>