Date: Thu, 16 Oct 2008 04:06:04 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Edwin Groothuis <edwin@mavetju.org>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <20081016110604.GA8334@icarus.home.lan>
In-Reply-To: <20081016101758.GA85895@mavetju.org>
References: <20081016101758.GA85895@mavetju.org>

On Thu, Oct 16, 2008 at 09:17:58PM +1100, Edwin Groothuis wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
>
> First lines of the check_ciss.sh command:
>
>     #!/bin/sh
>
>     if [ $(whoami) != "root" ]; then
>         sudo $*
>     fi
>
> And allow in sudoerrs.conf the nagios user to run the check_ciss.sh
> command without passwords.
>
> Works fine here for years :-)

Wow... all I can say.  Wow.  This is a *humongous* security hole.

So what happens when someone finds a security hole in Nagios, allowing
them to modify files or run checks with arguments of their choice?

For a good time: check_ciss.sh camcontrol format da0 -y

Yeah, uh, that script should be nuked.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
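
Added example, not part of the original message or thread: one way to keep the check working without handing sudo the caller's argument list, so that a request like the "format da0 -y" one above is refused before sudo is reached. The path /sbin/camcontrol, the two read-only subcommands, the function names and the sudoers lines in the comments are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed: camcontrol is /sbin/camcontrol
# and the check needs only "devlist" and "inquiry daN".
# Assumed matching sudoers entries (exact commands, no wildcards), e.g.:
#   nagios ALL=(root) NOPASSWD: /sbin/camcontrol devlist
#   nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

CAMCONTROL=/sbin/camcontrol

# Succeed only for argument vectors on the fixed allowlist.
allowed_request() {
    case "$1" in
        devlist)
            [ "$#" -eq 1 ]
            ;;
        inquiry)
            [ "$#" -eq 2 ] || return 1
            # Device name must be "da" followed by digits and nothing else.
            case "$2" in
                da*) suffix=${2#da} ;;
                *)   return 1 ;;
            esac
            case "$suffix" in
                ''|*[!0-9]*) return 1 ;;
            esac
            ;;
        *)
            return 1
            ;;
    esac
}

# Run the request as root only if it passed the allowlist.
run_check() {
    if ! allowed_request "$@"; then
        echo "UNKNOWN: request not permitted"
        return 3    # Nagios plugin exit code for UNKNOWN
    fi
    # -n: never prompt for a password; fail if sudoers does not allow it.
    sudo -n "$CAMCONTROL" "$@"
}

# Invoked by nrpe with arguments; with none, only the functions are defined.
if [ "$#" -gt 0 ]; then
    run_check "$@"
    exit $?
fi
```

Listing exact commands in sudoers, rather than the wrapper script itself, means the privilege boundary no longer depends on the script's argument handling.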