Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 16 Oct 2008 23:36:51 +0200
From:      Per olof Ljungmark <peo@intersonic.se>
To:        Mel <fbsd.questions@rachie.is-a-geek.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD and Nagios - permissions
Message-ID:  <48F7B3F3.70907@intersonic.se>
In-Reply-To: <200810162231.50549.fbsd.questions@rachie.is-a-geek.net>
References:  <48F6EDF2.4070109@intersonic.se> <48F75EE5.2090908@intersonic.se> <48F79F0F.5020402@intersonic.se> <200810162231.50549.fbsd.questions@rachie.is-a-geek.net>

next in thread | previous in thread | raw e-mail | index | archive | help
Mel wrote:
> On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
>> Per olof Ljungmark wrote:
>>> Daniel Bye wrote:
>>>> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>>>>> It is possible to configure sudo to run only exactly the required
>>>>> command
>>>>> (including arguments) precisely to guard against this type of abuse -
>>>>> I use it extensively in my own nagios setup.
>>>>>
>>>>> This Cmnd_Alias in sudoers will do the trick:
>>>>>
>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>>>>
>>>>> man sudoers for more information about what you can do with sudo.
>>>> I just realised this example is woefully incomplete - apologies for
>>>> that.
>>>>
>>>> There are a few ways you can set up /usr/local/etc/sudoers (make sure
>>>> you use visudo to edit it, as it will catch any syntax errors for you,
>>>> thus helping somewhat to prevent breaking your setup).
>>>>
>>>> The simplest case will just be to allow nagios to run the command, as
>>>> root,
>>>> without a password:
>>>>
>>>> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>>>>
>>>> If, as is quite possible, nagios should be able to run more than just
>>>> that one command, you can define a Cmnd_Alias, as above. To include more
>>>> than one command in the alias, simply separate them with a comma. You
>>>> can use `\' to escape newlines and make your file a little easier to
>>>> read:
>>>>
>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0 \
>>>>                           /sbin/camcontrol inquiry da1
>>>>
>>>> and so on. Now, to use that alias, set the user's permissions to
>>>>
>>>> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
>                  ^^^^
> 
>> For the records, even this won't work because nagois needs access to
>> /dev/xpt0 as well and once there sudo can't help.
>>
>> sudo -u nagios /sbin/camcontrol inquiry da0
>> camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
>> cam_lookup_pass: Permission denied
> 
> The idea is to let this be run as root, tho personally, I'd put nagios in a 
> group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup devfs.rules 
> properly and the let it execute a script that does the inquiry and the 
> inquiry only.
> 
> On a related note, it would be a 'nice to have', if the more dangerous 
> commands of camcontrol had a sysctl knob that only allows them to be executed 
> only as root.

But... the command "/sbin/camcontrol inquiry da0" IS run as root through 
the setup in sudoers above, but it is not enough or I'm overseeing 
something. Anyway, I've already decided to scrap the sudo idea, too 
kludgy for me.

The idea of running nagios with rw access to the devices is not very 
appealing either as Jeremy pointed out.

I will start from square one with a different approach that I need to 
dream up tomorrow.
Thanks,
--
per



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48F7B3F3.70907>