From: Daniel Bye
Date: Thu, 16 Oct 2008 12:05:01 +0100
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <20081016110501.GB80147@torus.slightlystrange.org>
In-Reply-To: <20081016080452.GA4150@icarus.home.lan>
References: <48F6EDF2.4070109@intersonic.se> <20081016080452.GA4150@icarus.home.lan>
User-Agent: Mutt/1.4.2.3i
X-PGP-Fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
X-Operating-System: FreeBSD 7.1-PRERELEASE i386

On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> >
> > camcontrol inquiry da0
> >
> > The nagios user does not have a shell by default in FreeBSD:
> > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> > so the script will obviously fail.
>
> I think the problem is probably more along the lines of: you can't
> run camcontrol as user "nagios", because root access is required to
> communicate with CAM (open /dev/xptX).
>
> Two recommendations:
>
> 1) Write a wrapper program (this requires C) which calls "camcontrol
> inquiry da0". The wrapper binary should be owned by root:nagios,
> and perms should be 4710 (so that individuals in the "nagios" group
> can run the binary, but no one else). This C program is very, very
> simple.
>
> 2) Use "sudo" and set up a ***VERY*** restrictive command list for user
> "nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT
> recommend this method, as it's possible for someone to use nagios to
> run something like "camcontrol reset" or "camcontrol eject" as root,
> or even worse, "camcontrol cmd" (could induce a low-level format of
> one of your disks),

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse - I use
it extensively in my own nagios setup. This Cmnd_Alias in sudoers will do
the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

Dan

-- 
Daniel Bye
                                                   _
                        ASCII ribbon campaign     ( )
                         - against HTML, vCards and X
                         - proprietary attachments in e-mail   / \