From: "Daniel Bye"
Date: Thu, 16 Oct 2008 13:47:00 +0100
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <20081016124700.GC80147@torus.slightlystrange.org>
In-Reply-To: <20081016110501.GB80147@torus.slightlystrange.org>
References: <48F6EDF2.4070109@intersonic.se> <20081016080452.GA4150@icarus.home.lan> <20081016110501.GB80147@torus.slightlystrange.org>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 7.1-PRERELEASE i386

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
> It is possible to configure sudo to run only exactly the required command
> (including arguments) precisely to guard against this type of abuse -
> I use it extensively in my own nagios setup.
>
> This Cmnd_Alias in sudoers will do the trick:
>
> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>
> man sudoers for more information about what you can do with sudo.

I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure you
use visudo to edit it, as it will catch any syntax errors for you, thus
helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just that
one command, you can define a Cmnd_Alias, as above. To include more than one
command in the alias, simply separate them with a comma. You can use `\' to
escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
                          /sbin/camcontrol inquiry da1

and so on.

Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

The sudoers man page has more information, and there is also a good
tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
still a good introduction):

http://www.onlamp.com/pub/a/bsd/2002/08/29/Big_Scary_Daemons.html?page=1

Dan

-- 
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
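As an added illustration, not part of Dan's mail, here is the whole sudoers fragment assembled from the pieces above, with the overly broad form that the earlier message warns against shown commented out beside the exact-argument form. The user name and the da0/da1 device names are taken from the mail; the comments and the suggestion to check the file with visudo -c -f are additions.

```sudoers
# Added example fragment for /usr/local/etc/sudoers; edit the real file
# with visudo, or check a draft first with: visudo -c -f <draft-file>

# Too broad: with no arguments listed, sudoers permits the binary with ANY
# arguments, so nagios could run every camcontrol subcommand as root.
# nagios ALL=(root) NOPASSWD: /sbin/camcontrol

# Exact command line only: binary and arguments must match verbatim.
nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

# Several exact command lines grouped in one alias; entries are
# comma-separated and a trailing backslash continues the line.
Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
                          /sbin/camcontrol inquiry da1

# Grant the alias to the nagios user, running as root, without a password.
nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
```

The difference between the commented-out line and the lines below it is the whole point of the mail: listing the arguments turns a grant of "camcontrol as root" into a grant of two specific, read-only inquiries.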