From: Mel
To: freebsd-questions@freebsd.org
Date: Thu, 16 Oct 2008 22:31:50 +0200
Subject: Re: FreeBSD and Nagios - permissions
References: <48F6EDF2.4070109@intersonic.se> <48F75EE5.2090908@intersonic.se> <48F79F0F.5020402@intersonic.se>
In-Reply-To: <48F79F0F.5020402@intersonic.se>
Message-Id: <200810162231.50549.fbsd.questions@rachie.is-a-geek.net>

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
> Per olof Ljungmark wrote:
> > Daniel Bye wrote:
> >> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
> >>> It is possible to configure sudo to run only exactly the required
> >>> command (including arguments) precisely to guard against this type of
> >>> abuse - I use it extensively in my own nagios setup.
> >>>
> >>> This Cmnd_Alias in sudoers will do the trick:
> >>>
> >>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
> >>>
> >>> man sudoers for more information about what you can do with sudo.
> >>
> >> I just realised this example is woefully incomplete - apologies for
> >> that.
> >>
> >> There are a few ways you can set up /usr/local/etc/sudoers (make sure
> >> you use visudo to edit it, as it will catch any syntax errors for you,
> >> thus helping somewhat to prevent breaking your setup).
> >>
> >> The simplest case will just be to allow nagios to run the command, as
> >> root, without a password:
> >>
> >> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
> >>
> >> If, as is quite possible, nagios should be able to run more than just
> >> that one command, you can define a Cmnd_Alias, as above. To include more
> >> than one command in the alias, simply separate them with a comma. You
> >> can use `\' to escape newlines and make your file a little easier to
> >> read:
> >>
> >> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
> >>                           /sbin/camcontrol inquiry da1
> >>
> >> and so on. Now, to use that alias, set the user's permissions to
> >>
> >> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
> ^^^^
> For the record, even this won't work because nagios needs access to
> /dev/xpt0 as well and once there sudo can't help.
>
> sudo -u nagios /sbin/camcontrol inquiry da0
> camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
> cam_lookup_pass: Permission denied

The idea is to let this be run as root, though personally I'd put nagios in a
group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, set up devfs.rules
properly and then let it execute a script that does the inquiry and the
inquiry only.

On a related note, it would be a 'nice to have' if the more dangerous
commands of camcontrol had a sysctl knob that only allows them to be
executed as root.

-- 
Mel

Problem with today's modular software: they start with the modules and never
get to the software part.
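The restricted wrapper Mel describes (a script that does the inquiry and nothing else), written here as an added example that is not code from the thread: it assumes the nagios user has already been given group access to /dev/xpt0, /dev/pass0 and /dev/daN through devfs.rules (not shown), and that this script, not camcontrol itself, is the only entry point handed to nagios, either directly or as the single NOPASSWD command in sudoers.

```shell
#!/bin/sh
# camcontrol_inquiry.sh (constructed example): run "camcontrol inquiry <disk>"
# and nothing else, no matter what arguments the caller supplies.
# Assumes a devfs.rules ruleset (not shown) already lets the nagios group
# open /dev/xpt0, /dev/pass0 and the /dev/daN nodes it is meant to query.

CAMCONTROL=/sbin/camcontrol

# Accept only a bare disk name of the form daN (N = 0..99): no paths, no
# options, no shell metacharacters. Returns 0 if acceptable, 1 otherwise.
validate_target() {
    case "$1" in
        da[0-9])      return 0 ;;
        da[1-9][0-9]) return 0 ;;
        *)            return 1 ;;
    esac
}

# The exact command line that would be executed for a given target, so an
# operator (or a test) can confirm nothing beyond an inquiry is reachable.
inquiry_command() {
    printf '%s inquiry %s\n' "$CAMCONTROL" "$1"
}

# Refuse anything but a single validated target, then run the inquiry.
# Because validate_target rejects leading '-', no extra camcontrol options
# can be smuggled in through the argument.
run_inquiry() {
    if [ $# -ne 1 ] || ! validate_target "$1"; then
        echo "usage: $0 daN" >&2
        return 2
    fi
    "$CAMCONTROL" inquiry "$1"
}

# Only execute when invoked as the script itself; sourcing the file (for
# testing) defines the functions without running anything.
case "$0" in
    *camcontrol_inquiry.sh) run_inquiry "$@" ;;
esac
```

With the nagios user in a group that devfs.rules grants access to the device nodes, the script can be run by nagios directly; if sudo is still wanted, the script path is then the only command that needs to appear in sudoers.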