From owner-freebsd-questions@FreeBSD.ORG Thu Oct 16 08:04:54 2008
Date: Thu, 16 Oct 2008 01:04:52 -0700
From: Jeremy Chadwick
To: Per olof Ljungmark
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <20081016080452.GA4150@icarus.home.lan>
In-Reply-To: <48F6EDF2.4070109@intersonic.se>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> Hi,
>
> I'm implementing a shell script as a Nagios plugin to check the status
> of the ciss(4) driver. However, there is a permission problem that I am
> not sure about the best way to get around in FreeBSD (7-STABLE).
>
> The nrpe daemon that handles the script runs as the "nagios" user and
> the command needed is camcontrol:
>
> camcontrol inquiry da0
>
> The nagios user does not have a shell by default in FreeBSD:
> nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> so the script will obviously fail.

I cease to see what the user's shell has to do with the problem. A shell
being set to /usr/sbin/nologin *does not* mean they cannot run shell
scripts, it just means one cannot log in as that user.

I think the problem is probably more along the lines of: you can't run
camcontrol as user "nagios", because root access is required to
communicate with CAM (open /dev/xptX).

> I would assume there are several ways to get around this and would
> welcome "best practice" suggestions on how.

Two recommendations:

1) Write a wrapper program (this requires C) which calls "camcontrol
inquiry da0". The wrapper binary should be owned by root:nagios, and
perms should be 4710 (so that individuals in the "nagios" group can run
the binary, but no one else). This C program is very, very simple.

2) Use "sudo" and set up a ***VERY*** restrictive command list for user
"nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT
recommend this method, as it's possible for someone to use nagios to run
something like "camcontrol reset" or "camcontrol eject" as root, or even
worse, "camcontrol cmd" (could induce a low-level format of one of your
disks),

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
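The setuid wrapper from recommendation 1, written out as an added example (not code from the original thread or from FreeBSD). It hard-codes the camcontrol path and the "inquiry" subcommand so that the nagios group gains exactly one privileged operation rather than all of camcontrol, which is the property recommendation 2 loses. It goes slightly beyond the message by accepting an optional device argument, but only one matching "da" followed by digits, so a caller cannot smuggle in another subcommand or path; the helper names allowed_device and build_argv are my own. The path /sbin/camcontrol is taken from the message; the fixed PATH value and the 3-digit limit are assumptions.

```c
/*
 * camcheck.c: minimal setuid wrapper that runs "camcontrol inquiry daN"
 * as root on behalf of the nagios group (added example, not from the thread).
 *
 * Install (as root), matching the 4710 root:nagios layout in the message:
 *   cc -o /usr/local/libexec/camcheck camcheck.c
 *   chown root:nagios /usr/local/libexec/camcheck
 *   chmod 4710 /usr/local/libexec/camcheck
 * The Nagios plugin then runs /usr/local/libexec/camcheck [da0].
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAMCONTROL  "/sbin/camcontrol"               /* path from the message */
#define DEFAULT_DEV "da0"
#define SAFE_PATH   "PATH=/sbin:/bin:/usr/sbin:/usr/bin" /* assumed fixed PATH */

/*
 * Accept only "da" followed by one to three digits. Anything else (other
 * subcommands, option flags, paths, shell metacharacters) is rejected, so
 * the only thing a caller controls is which da unit gets an inquiry.
 */
int allowed_device(const char *dev)
{
    size_t n, i;

    if (dev == NULL)
        return 0;
    n = strlen(dev);
    if (n < 3 || n > 5)
        return 0;
    if (dev[0] != 'd' || dev[1] != 'a')
        return 0;
    for (i = 2; i < n; i++)
        if (!isdigit((unsigned char)dev[i]))
            return 0;
    return 1;
}

/*
 * Fill out[] with the fixed argument vector for execve(): the subcommand
 * is a literal, never caller data. Returns the argument count (3).
 */
int build_argv(const char *dev, const char *out[4])
{
    out[0] = "camcontrol";
    out[1] = "inquiry";
    out[2] = dev;
    out[3] = NULL;
    return 3;
}

int main(int argc, char **argv)
{
    const char *dev = (argc > 1) ? argv[1] : DEFAULT_DEV;
    const char *args[4];
    /* camcontrol inherits only this environment, not the caller's. */
    char *const env[] = { SAFE_PATH, NULL };

    if (argc > 2 || !allowed_device(dev)) {
        fprintf(stderr, "usage: camcheck [daN]\n");
        return 2;
    }
    /* Without the setuid bit there is no point continuing. */
    if (geteuid() != 0) {
        fprintf(stderr, "camcheck: not running as root (setuid bit missing?)\n");
        return 1;
    }
    /* Make real uid root too, so the child cannot switch back to the caller. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    build_argv(dev, args);
    execve(CAMCONTROL, (char *const *)args, env);
    perror("execve " CAMCONTROL);  /* only reached if execve fails */
    return 1;
}
```

The 4710 mode means only root and members of group nagios can even execute the file, and because the subcommand is compiled in, "camcontrol reset", "eject" or "cmd" are never reachable through it; that is the concrete difference from a sudoers entry that allows /sbin/camcontrol with arbitrary arguments.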