FreeBSD and Nagios - permissions

Daniel Bye danielby at slightlystrange.org
Thu Oct 16 04:05:35 PDT 2008 

On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> > 
> > camcontrol inquiry da0
> > 
> > The nagios user does not have a shell by default in FreeBSD:
> > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> > so the script will obviously fail.
> 
> I think the problem is probably more along the lines of: you can't
> run camcontrol as user "nagios", because root access is required to
> communicate with CAM (open /dev/xptX).
> 
> Two recommendations:
> 
> 1) Write wrapper program (this requires C) which calls "camcontrol
> inquiry da0".  The wrapper binary should be owned by root:nagios,
> and perms should be 4710 (so that individuals in the "nagios" group
> can run the binary, but no one else).  This C program is very, very
> simple.
> 
> 2) Use "sudo" and set up a ***VERY*** restrictive command list for user
> "nagios", meaning, only allowed to run /sbin/camcontrol.  I DO NOT
> recommend this method, as it's possible for someone to use nagios to
> run something like "camcontrol reset" or "camcontrol eject" as root,
> or even worse, "camcontrol cmd" (could induce a low-level format of
> one of your disks),

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

Dan

-- 
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20081016/9e0de901/attachment.pgp

More information about the freebsd-questions mailing list