Date:      Thu, 16 Oct 2008 22:31:50 +0200
From:      Mel <fbsd.questions@rachie.is-a-geek.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD and Nagios - permissions
Message-ID:  <200810162231.50549.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <48F79F0F.5020402@intersonic.se>
References:  <48F6EDF2.4070109@intersonic.se> <48F75EE5.2090908@intersonic.se> <48F79F0F.5020402@intersonic.se>

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
> Per olof Ljungmark wrote:
> > Daniel Bye wrote:
> >> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
> >>> It is possible to configure sudo to run only exactly the required
> >>> command
> >>> (including arguments) precisely to guard against this type of abuse -
> >>> I use it extensively in my own nagios setup.
> >>>
> >>> This Cmnd_Alias in sudoers will do the trick:
> >>>
> >>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
> >>>
> >>> man sudoers for more information about what you can do with sudo.
> >>
> >> I just realised this example is woefully incomplete - apologies for
> >> that.
> >>
> >> There are a few ways you can set up /usr/local/etc/sudoers (make sure
> >> you use visudo to edit it, as it will catch any syntax errors for you,
> >> thus helping somewhat to prevent breaking your setup).
> >>
> >> The simplest case will just be to allow nagios to run the command, as
> >> root,
> >> without a password:
> >>
> >> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
> >>
> >> If, as is quite possible, nagios should be able to run more than just
> >> that one command, you can define a Cmnd_Alias, as above. To include more
> >> than one command in the alias, simply separate them with a comma. You
> >> can use `\' to escape newlines and make your file a little easier to
> >> read:
> >>
> >> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
> >>                           /sbin/camcontrol inquiry da1
> >>
> >> and so on. Now, to use that alias, set the user's permissions to
> >>
> >> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
                 ^^^^

> For the record, even this won't work because nagios needs access to
> /dev/xpt0 as well and once there sudo can't help.
>
> sudo -u nagios /sbin/camcontrol inquiry da0
> camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
> cam_lookup_pass: Permission denied

The idea is to let this be run as root, though personally, I'd put nagios in a
group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, set up devfs.rules
properly and then let it execute a script that does the inquiry and the
inquiry only.

On a related note, it would be a 'nice to have' if the more dangerous
commands of camcontrol had a sysctl knob that only allows them to be executed
as root.
-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.
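The "script that does the inquiry and the inquiry only" that Mel describes, written out as an added example; it is not code from this thread or from the Nagios or FreeBSD projects. The script name, the install path and the allowlist of device names are assumptions. Whether nagios reaches it through a group with rw access to the CAM device nodes or through a sudoers entry such as `nagios ALL=(root) NOPASSWD: /usr/local/libexec/nagios_camcontrol_inquiry.sh`, the wrapper only ever runs `camcontrol inquiry` on a device name it has validated, so a stray argument cannot turn it into a different camcontrol subcommand:

```shell
#!/bin/sh
# Hypothetical wrapper: /usr/local/libexec/nagios_camcontrol_inquiry.sh
# (path and name are assumptions). Runs 'camcontrol inquiry' and nothing
# else, on an explicit allowlist of device names, so the nagios user (or a
# sudo rule pointing here) cannot reach any other camcontrol subcommand.

# Allowlist of device names this wrapper may inquire (constructed; edit to
# match the disks you actually monitor).
ALLOWED_DEVICES="da0 da1"

# validate_device DEVNAME
# Returns 0 if DEVNAME is exactly one of ALLOWED_DEVICES, 1 otherwise.
# Anything containing characters other than lowercase letters and digits
# (spaces, slashes, dashes, shell metacharacters) is rejected before the
# allowlist is even consulted, so "da0 -x", "../pass0" or "da0;id" never
# reach camcontrol.
validate_device() {
    _dev=$1
    case "$_dev" in
        *[!a-z0-9]*|'') return 1 ;;
    esac
    for _allowed in $ALLOWED_DEVICES; do
        [ "$_dev" = "$_allowed" ] && return 0
    done
    return 1
}

# build_command DEVNAME
# Prints the exact command line that would be executed (useful for logging
# and for testing), or prints nothing and returns 1 if DEVNAME is refused.
build_command() {
    validate_device "$1" || return 1
    printf '%s\n' "/sbin/camcontrol inquiry $1"
}

# run_inquiry DEVNAME
# Validates DEVNAME and then replaces this shell with the inquiry. The
# device name is handed to camcontrol as a separate argument, never through
# a re-parsed shell string.
run_inquiry() {
    if ! validate_device "$1"; then
        printf 'refused: device "%s" is not on the allowlist\n' "$1" >&2
        return 2
    fi
    exec /sbin/camcontrol inquiry "$1"
}

# Only dispatch when called with an argument; with none, the functions are
# merely defined (handy for sourcing the file in a test).
[ $# -eq 0 ] || run_inquiry "$1"
```

If you take Mel's group-based route instead of sudo, the wrapper runs as the nagios user itself, and it is the devfs ruleset (a devfs.rules stanza granting the nagios group read/write on xpt0, pass0 and da0, enabled through `devfs_system_ruleset` in rc.conf; exact stanza not shown here and to be checked against devfs.rules(5)) that supplies the device access Per olof's error message complains about. Either way, the allowlist in the script, not the caller, decides which devices can be queried.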
