Date: Thu, 16 Oct 2008 12:05:01 +0100
From: "Daniel Bye" <danielby@slightlystrange.org>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <20081016110501.GB80147@torus.slightlystrange.org>
In-Reply-To: <20081016080452.GA4150@icarus.home.lan>
References: <48F6EDF2.4070109@intersonic.se> <20081016080452.GA4150@icarus.home.lan>
On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> >
> > camcontrol inquiry da0
> >
> > The nagios user does not have a shell by default in FreeBSD:
> > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> > so the script will obviously fail.
>
> I think the problem is probably more along the lines of: you can't
> run camcontrol as user "nagios", because root access is required to
> communicate with CAM (open /dev/xptX).
>
> Two recommendations:
>
> 1) Write a wrapper program (this requires C) which calls "camcontrol
> inquiry da0". The wrapper binary should be owned by root:nagios,
> and perms should be 4710 (so that individuals in the "nagios" group
> can run the binary, but no one else). This C program is very, very
> simple.
>
> 2) Use "sudo" and set up a ***VERY*** restrictive command list for user
> "nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT
> recommend this method, as it's possible for someone to use nagios to
> run something like "camcontrol reset" or "camcontrol eject" as root,
> or even worse, "camcontrol cmd" (could induce a low-level format of
> one of your disks),

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse - I
use it extensively in my own nagios setup. This Cmnd_Alias in sudoers
will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.
Dan

-- 
Daniel Bye
                                        _
                 ASCII ribbon campaign ( )
             - against HTML, vCards and X
   - proprietary attachments in e-mail / \
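Added example, not part of the thread and not Jeremy's or Daniel's code: the setuid wrapper from recommendation 1, written so that it also applies the exact-argument rule Daniel's sudoers line relies on, and generalised to a small allowlist table rather than a single hard-coded device. Everything below is an assumption: FreeBSD with camcontrol at /sbin/camcontrol, devices da0 and da1, and an install path of /usr/local/libexec/nagios/camcontrol_wrap owned root:nagios, mode 4710, as Jeremy describes. argv_allowed() accepts the caller's arguments only when they match an allowlist entry word for word, so "reset da0", "cmd ..." and "inquiry da0 -v" are all refused, which is exactly what sudo does when the Cmnd_Alias entry lists the arguments. The wrapper also hands camcontrol a fixed environment and makes the real uid root before the execve, so nothing the nagios user controls reaches the privileged command.

```c
/*
 * camcontrol_wrap.c: setuid-root wrapper that runs an allowlisted
 * camcontrol command on behalf of the nagios user.  Added example, not
 * code from the thread; every path and device name is an assumption.
 *
 *   cc -Wall -O2 -o camcontrol_wrap camcontrol_wrap.c
 *   install -o root -g nagios -m 4710 camcontrol_wrap /usr/local/libexec/nagios/
 *   /usr/local/libexec/nagios/camcontrol_wrap inquiry da0
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CAMCONTROL "/sbin/camcontrol"   /* assumed location on FreeBSD */
#define MAXARGS 4                       /* words per entry, NULL included */

/* Complete argument vectors the wrapper may pass to camcontrol.  An entry
 * must match the caller's arguments word for word, the same rule a sudoers
 * line such as "/sbin/camcontrol inquiry da0" enforces.  Add one entry per
 * device; never add "cmd", "reset", "eject" or similar. */
static const char *const allowed[][MAXARGS] = {
    { "inquiry", "da0" },
    { "inquiry", "da1" },
};

/* Environment handed to camcontrol: nothing from the caller survives, so
 * PATH, LD_* and friends cannot influence it or anything it execs. */
static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Return 1 if argv[0..argc) equals one allowlist entry exactly, else 0.
 * A prefix ("inquiry") or an extra word ("inquiry da0 -v") does not match. */
int argv_allowed(int argc, const char *const argv[])
{
    size_t i, j;

    if (argc < 1)
        return 0;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        for (j = 0; j < MAXARGS && allowed[i][j] != NULL; j++) {
            if (j >= (size_t)argc || strcmp(allowed[i][j], argv[j]) != 0)
                break;
        }
        /* every word of the entry matched and the caller supplied no more */
        if (j < MAXARGS && allowed[i][j] == NULL && j == (size_t)argc)
            return 1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    const char *me = argc > 0 ? argv[0] : "camcontrol_wrap";
    char *exec_argv[MAXARGS + 1];
    int i;

    if (geteuid() != 0) {
        fprintf(stderr, "%s: must be installed setuid root\n", me);
        return 2;
    }
    if (!argv_allowed(argc - 1, (const char *const *)(argv + 1))) {
        fprintf(stderr, "%s: that camcontrol command is not allowed\n", me);
        return 2;
    }
    /* Make the real uid root as well, so camcontrol runs as an ordinary
     * root process rather than a setuid one with uid nagios underneath. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 2;
    }
    /* argv_allowed() only succeeds when argc - 1 < MAXARGS, so no overrun. */
    exec_argv[0] = CAMCONTROL;
    for (i = 1; i < argc; i++)
        exec_argv[i] = argv[i];
    exec_argv[i] = NULL;
    execve(CAMCONTROL, exec_argv, clean_env);
    perror("execve " CAMCONTROL);
    return 2;
}
```

With the wrapper installed, the Nagios plugin calls /usr/local/libexec/nagios/camcontrol_wrap inquiry da0 instead of camcontrol. If you prefer Daniel's sudo route, the plugin must call sudo /sbin/camcontrol inquiry da0 with exactly those words, since any other argument list fails the Cmnd_Alias match; visudo -c checks the sudoers syntax before you rely on it.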
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081016110501.GB80147>