Date: Thu, 16 Oct 2008 17:33:57 +0200
From: Per olof Ljungmark <peo@intersonic.se>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <48F75EE5.2090908@intersonic.se>
In-Reply-To: <20081016124700.GC80147@torus.slightlystrange.org>
References: <48F6EDF2.4070109@intersonic.se> <20081016080452.GA4150@icarus.home.lan> <20081016110501.GB80147@torus.slightlystrange.org> <20081016124700.GC80147@torus.slightlystrange.org>

Daniel Bye wrote:
> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>> It is possible to configure sudo to run only exactly the required command
>> (including arguments) precisely to guard against this type of abuse -
>> I use it extensively in my own nagios setup.
>>
>> This Cmnd_Alias in sudoers will do the trick:
>>
>>   Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>
>> man sudoers for more information about what you can do with sudo.
>
> I just realised this example is woefully incomplete - apologies for that.
>
> There are a few ways you can set up /usr/local/etc/sudoers (make sure
> you use visudo to edit it, as it will catch any syntax errors for you,
> thus helping somewhat to prevent breaking your setup).
>
> The simplest case will just be to allow nagios to run the command, as root,
> without a password:
>
>   nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>
> If, as is quite possible, nagios should be able to run more than just
> that one command, you can define a Cmnd_Alias, as above. To include more
> than one command in the alias, simply separate them with a comma. You
> can use `\' to escape newlines and make your file a little easier to read:
>
>   Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
>                             /sbin/camcontrol inquiry da1
>
> and so on. Now, to use that alias, set the user's permissions to
>
>   nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
>
> The sudoers man page has more information, and there is also a good
> tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
> still a good introduction):

Thank you very much for the detailed information. I will have a go at
sudo while waiting for my colleague to return, he knows C and could
probably write up the wrapper that Jeremy suggested.

Thanks all for the tips!

--per
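
The sudoers entries quoted above only match when the caller passes exactly the listed arguments, so the Nagios check should build that command line itself and never forward free-form input to sudo. The following is an added example, not code from this thread: a minimal plugin function whose names (check_inquiry, RUNNER, ALLOWED_DEVS) are hypothetical, and which assumes the standard Nagios plugin exit codes (0 OK, 2 CRITICAL, 3 UNKNOWN).

```shell
#!/bin/sh
# Added example (not from the thread): Nagios plugin side of the sudoers rule.
# check_inquiry, RUNNER and ALLOWED_DEVS are hypothetical names.

# Prefix used to become root. -n makes sudo fail instead of prompting, so a
# missing or mismatched sudoers entry shows up as an alert, not a hung check.
RUNNER="${RUNNER:-sudo -n}"

# Devices with a matching "/sbin/camcontrol inquiry <dev>" entry in NAGIOS_CMNDS.
ALLOWED_DEVS="da0 da1"

check_inquiry() {
    dev="$1"
    # Reject empty names and anything outside [a-z0-9] before the list lookup,
    # so a value such as "da0 da1" cannot slip through as extra arguments.
    case "$dev" in
        ""|*[!a-z0-9]*)
            echo "UNKNOWN - invalid device name"
            return 3 ;;
    esac
    case " $ALLOWED_DEVS " in
        *" $dev "*) ;;
        *)
            echo "UNKNOWN - $dev has no sudoers entry"
            return 3 ;;
    esac
    # The argument string must match the sudoers entry exactly.
    if out=$($RUNNER /sbin/camcontrol inquiry "$dev" 2>&1); then
        echo "OK - $(printf '%s\n' "$out" | head -n 1)"
        return 0
    fi
    echo "CRITICAL - inquiry failed for $dev: $(printf '%s\n' "$out" | head -n 1)"
    return 2
}

# Run as a plugin when given a device argument, e.g. ./check_inquiry.sh da0
if [ "$#" -gt 0 ]; then
    check_inquiry "$1"
    exit $?
fi
```

After editing sudoers with visudo, `sudo -l -U nagios` run as root lists the commands the nagios user is actually permitted, which should show only the entries in the alias.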