FreeBSD and Nagios - permissions
Daniel Bye
danielby at slightlystrange.org
Thu Oct 16 04:05:35 PDT 2008
On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> >
> > camcontrol inquiry da0
> >
> > The nagios user does not have a shell by default in FreeBSD:
> > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> > so the script will obviously fail.
>
> I think the problem is probably more along the lines of: you can't
> run camcontrol as user "nagios", because root access is required to
> communicate with CAM (open /dev/xptX).
>
> Two recommendations:
>
> 1) Write wrapper program (this requires C) which calls "camcontrol
> inquiry da0". The wrapper binary should be owned by root:nagios,
> and perms should be 4710 (so that individuals in the "nagios" group
> can run the binary, but no one else). This C program is very, very
> simple.
>
> 2) Use "sudo" and set up a ***VERY*** restrictive command list for user
> "nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT
> recommend this method, as it's possible for someone to use nagios to
> run something like "camcontrol reset" or "camcontrol eject" as root,
> or even worse, "camcontrol cmd" (could induce a low-level format of
> one of your disks),
It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.
This Cmnd_Alias in sudoers will do the trick:
Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
man sudoers for more information about what you can do with sudo.
Dan
--
Daniel Bye
_
ASCII ribbon campaign ( )
- against HTML, vCards and X
- proprietary attachments in e-mail / \
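For the first of Jeremy's two options (a root:nagios, mode 4710 setuid wrapper), here is an added example wrapper that is not part of the list thread. It hard-codes the full command line and a clean environment so the caller can pass nothing through to camcontrol; the install path and the PATH value are assumptions.

```c
/* camcontrol_inquiry.c: minimal setuid wrapper for "camcontrol inquiry da0".
 * Added example, not from the mailing-list post. Suggested install (assumed):
 *   cc -o /usr/local/libexec/nagios/camcontrol_inquiry camcontrol_inquiry.c
 *   chown root:nagios /usr/local/libexec/nagios/camcontrol_inquiry
 *   chmod 4710 /usr/local/libexec/nagios/camcontrol_inquiry
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The only command line this wrapper will ever run. Its own argv and
 * environment are never forwarded, so a caller in the nagios group cannot
 * turn it into "camcontrol reset", "camcontrol eject" or "camcontrol cmd". */
static const char *const WRAPPED_ARGV[] = { "/sbin/camcontrol", "inquiry", "da0", NULL };
static char *const CLEAN_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* The wrapper accepts no arguments at all; anything beyond argv[0] is refused
 * rather than interpreted. */
int wrapper_accepts(int argc) {
    return argc == 1;
}

/* Read-only access to the fixed argument vector (NULL past the end). */
const char *wrapped_arg(int i) {
    int n = 0;
    while (WRAPPED_ARGV[n] != NULL) n++;
    return (i >= 0 && i < n) ? WRAPPED_ARGV[i] : NULL;
}

int main(int argc, char *argv[]) {
    if (!wrapper_accepts(argc)) {
        fprintf(stderr, "usage: %s (takes no arguments)\n", argv[0]);
        return 2;
    }
    /* Make the real uid root as well, so camcontrol runs with consistent
     * credentials; with mode 4710 the effective uid is already 0 here. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execve(WRAPPED_ARGV[0], (char *const *)WRAPPED_ARGV, CLEAN_ENV);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

The Nagios plugin then calls the wrapper by its absolute path and parses its output, with no sudoers entry involved.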