From owner-freebsd-questions@FreeBSD.ORG Thu Oct 16 11:06:06 2008
From: Jeremy Chadwick
To: Edwin Groothuis
Cc: freebsd-questions@FreeBSD.org
Date: Thu, 16 Oct 2008 04:06:04 -0700
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <20081016110604.GA8334@icarus.home.lan>
In-Reply-To: <20081016101758.GA85895@mavetju.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: User questions

On Thu, Oct 16, 2008 at 09:17:58PM +1100, Edwin Groothuis wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
>
> First lines of the check_ciss.sh command:
>
>     #!/bin/sh
>
>     if [ $(whoami) != "root" ]; then
>         sudo $*
>     fi
>
> And allow in sudoers the nagios user to run the check_ciss.sh
> command without passwords.
>
> Works fine here for years :-)

Wow... all I can say. Wow.

This is a *humongous* security hole. So what happens when someone finds
a security hole in Nagios, allowing them to modify files or run checks
with arguments of their choice?

For a good time:

    check_ciss.sh camcontrol format da0 -y

Yeah, uh, that script should be nuked.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
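An added example, not code from Jeremy's or Edwin's message: the wrapper quoted above, a replacement that exposes exactly one fixed camcontrol invocation and refuses arguments of its own, and a small model of why listing arguments in the sudoers Cmnd matters. Everything named here is an assumption for illustration: PRIV_RUN stands for sudo and can be set to "" to exercise the logic without privileges, CAMCONTROL is the fixed binary, the sudoers lines in the comments are hypothetical, and the Cmnd matcher is a simplified model (no wildcards, no "" form) of sudo's real matching.

```sh
#!/bin/sh
# Added example, not code from the thread. The wrapper quoted above is put
# next to a version that exposes exactly one privileged command, together
# with a small model of how sudoers decides whether a command line is
# allowed. Assumptions (none of these come from the thread):
#   PRIV_RUN   the privilege-escalation command, normally sudo; set to ""
#              to exercise the logic as an unprivileged user without sudo
#   CAMCONTROL the fixed binary the hardened check runs
#   the sudoers lines in comments are hypothetical

PRIV_RUN="${PRIV_RUN-sudo}"
CAMCONTROL="${CAMCONTROL-/sbin/camcontrol}"

# 1. The wrapper from the thread. Its argv becomes sudo's argv unchanged,
#    so whoever controls the check's arguments chooses the command that
#    runs as root. The else branch is added only so the demo behaves the
#    same whether or not it is run as root.
unsafe_wrapper() {
    if [ "$(whoami)" != "root" ]; then
        $PRIV_RUN $*
    else
        $*
    fi
}

# 2. Hardened replacement. Binary, path and arguments are fixed in the
#    script and the script refuses arguments of its own, so the matching
#    sudoers rule can name exactly one invocation, e.g.
#        nagios ALL=(root) NOPASSWD: /sbin/camcontrol devlist
#    Exit codes follow the Nagios plugin convention (0 OK ... 3 UNKNOWN).
safe_check_ciss() {
    if [ "$#" -ne 0 ]; then
        echo "CISS UNKNOWN - this check takes no arguments" >&2
        return 3
    fi
    if [ "$(id -u)" -ne 0 ]; then
        $PRIV_RUN "$CAMCONTROL" devlist
    else
        "$CAMCONTROL" devlist
    fi
}

# 3. Simplified model of sudoers Cmnd matching (no wildcards, no "" form):
#    a bare path allows the command with any arguments; a path followed by
#    arguments allows only that exact command line. This is why
#        nagios ALL=(root) NOPASSWD: /sbin/camcontrol
#    still permits "camcontrol format da0 -y" while the line in (2) does not.
cmnd_allows() {
    spec=$1
    requested=$2
    case "$spec" in
        *" "*)
            [ "$requested" = "$spec" ]
            ;;
        *)
            case "$requested" in
                "$spec"|"$spec "*) return 0 ;;
                *)                 return 1 ;;
            esac
            ;;
    esac
}

# Demo: run the three pieces with sudo and camcontrol replaced by harmless
# commands, printing what each wrapper lets the caller do.
demo() {
    PRIV_RUN=""
    CAMCONTROL="true"
    echo "unsafe wrapper, caller-chosen command: $(unsafe_wrapper echo pwned)"
    rc=0
    safe_check_ciss format da0 -y 2>/dev/null || rc=$?
    echo "hardened check with attacker-chosen args exits $rc"
    if cmnd_allows "/sbin/camcontrol" "/sbin/camcontrol format da0 -y"; then
        echo "bare-path sudoers rule: format allowed"
    fi
    if ! cmnd_allows "/sbin/camcontrol devlist" "/sbin/camcontrol format da0 -y"; then
        echo "argument-qualified sudoers rule: format denied"
    fi
}

demo
```

The point the demo makes concrete: with `sudo $*` the only thing standing between an attacker who can influence check arguments and root is the sudoers rule, and a rule that names a bare command path matches that command with any arguments. Fixing the command line inside the script and listing it, arguments included, in sudoers leaves nothing for the caller to choose.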