From: Per olof Ljungmark <peo@intersonic.se>
Organization: Intersonic AB
To: freebsd-questions@freebsd.org
Date: Thu, 16 Oct 2008 22:07:43 +0200
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <48F79F0F.5020402@intersonic.se>
In-Reply-To: <48F75EE5.2090908@intersonic.se>

Per olof Ljungmark wrote:
> Daniel Bye wrote:
>> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>>> It is possible to configure sudo to run only exactly the required
>>> command (including arguments) precisely to guard against this type of
>>> abuse - I use it extensively in my own nagios setup.
>>>
>>> This Cmnd_Alias in sudoers will do the trick:
>>>
>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>>
>>> man sudoers for more information about what you can do with sudo.
>>
>> I just realised this example is woefully incomplete - apologies for that.
>>
>> There are a few ways you can set up /usr/local/etc/sudoers (make sure
>> you use visudo to edit it, as it will catch any syntax errors for you,
>> thus helping somewhat to prevent breaking your setup).
>>
>> The simplest case will just be to allow nagios to run the command, as
>> root, without a password:
>>
>> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>>
>> If, as is quite possible, nagios should be able to run more than just
>> that one command, you can define a Cmnd_Alias, as above. To include more
>> than one command in the alias, simply separate them with a comma. You
>> can use `\' to escape newlines and make your file a little easier to
>> read:
>>
>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
>>                           /sbin/camcontrol inquiry da1
>>
>> and so on. Now, to use that alias, set the user's permissions to
>>
>> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

For the record, even this won't work because nagios needs access to
/dev/xpt0 as well, and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied

--per
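An added example, not part of the thread: a small sh wrapper for the sudo-based Nagios check discussed above. It runs whatever command it is given (intended: `sudo /sbin/camcontrol inquiry da0`, matching the sudoers rule in the thread) and maps the result to Nagios exit codes, reporting the /dev/xpt0 permission failure quoted in the reply as UNKNOWN so a misconfigured sudo rule or device permission is not mistaken for a failing disk. The script name and the exact error strings matched are assumptions taken from the thread's output.

```shell
#!/bin/sh
# check_camcontrol.sh (added example, not from the thread) - Nagios plugin
# wrapper for the sudo-restricted camcontrol check. Intended invocation from
# a Nagios command definition:
#   check_camcontrol.sh sudo /sbin/camcontrol inquiry da0

# Nagios plugin exit codes
NAGIOS_OK=0
NAGIOS_CRITICAL=2
NAGIOS_UNKNOWN=3

# check_camcontrol CMD [ARGS...]
# Runs CMD with stderr folded into stdout, prints one Nagios status line and
# returns the Nagios exit code. A failure to open the CAM transport device
# (/dev/xpt0, as in the reply above) or a sudo refusal is a configuration
# problem, so it is reported as UNKNOWN rather than CRITICAL.
check_camcontrol() {
    out=$("$@" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        printf 'OK - %s\n' "$out"
        return $NAGIOS_OK
    fi
    case "$out" in
        *"/dev/xpt0"*|*"Permission denied"*)
            printf 'UNKNOWN - camcontrol could not open the CAM device; check the sudo rule and /dev/xpt0 permissions: %s\n' "$out"
            return $NAGIOS_UNKNOWN
            ;;
        sudo:*|*"not allowed to execute"*)
            printf 'UNKNOWN - sudo refused the command: %s\n' "$out"
            return $NAGIOS_UNKNOWN
            ;;
        *)
            # Any other non-zero exit is treated as a real device problem.
            printf 'CRITICAL - %s\n' "$out"
            return $NAGIOS_CRITICAL
            ;;
    esac
}

# Behave as a plugin when executed directly with a command to run.
if [ $# -gt 0 ]; then
    check_camcontrol "$@"
    exit $?
fi
```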