Date: Thu, 16 Oct 2008 01:04:52 -0700 From: Jeremy Chadwick <koitsu@FreeBSD.org> To: Per olof Ljungmark <peo@intersonic.se> Cc: freebsd-questions@freebsd.org Subject: Re: FreeBSD and Nagios - permissions Message-ID: <20081016080452.GA4150@icarus.home.lan> In-Reply-To: <48F6EDF2.4070109@intersonic.se> References: <48F6EDF2.4070109@intersonic.se>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote: > Hi, > > I'm implementing a shell script as a Nagios plugin to check the status > of the ciss(4) driver. However, there is a permission problem that I am > not sure about the best way to get around in FreeBSD (7-STABLE). > > The nrpe daemon that handles the script runs as the "nagios" user and > the command needed is camcontrol: > > camcontrol inquiry da0 > > The nagios user does not have a shell by default in FreeBSD: > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin > so the script will obviously fail. I cease to see what the users' shell has to do with the problem. A shell being set to /usr/sbin/nologin *does not* mean they cannot run shell scripts, it just means one cannot log in as that user. I think the problem is probably more along the lines of: you can't run camcontrol as user "nagios", because root access is required to communicate with CAM (open /dev/xptX). > I would assume there are several ways to get around this and would > welcome "best practice" suggestions on how. Two recommendations: 1) Write wrapper program (this requires C) which calls "camcontrol inquiry da0". The wrapper binary should be owned by root:nagios, and perms should be 4710 (so that individuals in the "nagios" group can run the binary, but no one else). This C program is very, very simple. 2) Use "sudo" and set up a ***VERY*** restrictive command list for user "nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT recommend this method, as it's possible for someone to use nagios to run something like "camcontrol reset" or "camcontrol eject" as root, or even worse, "camcontrol cmd" (could induce a low-level format of one of your disks), -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081016080452.GA4150>