From owner-freebsd-questions@FreeBSD.ORG Thu Oct 16 22:07:46 2008
Date: Thu, 16 Oct 2008 15:07:44 -0700
From: Jeremy Chadwick
To: Per olof Ljungmark
Cc: Mel, freebsd-questions@freebsd.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <20081016220744.GA4823@icarus.home.lan>
References: <48F6EDF2.4070109@intersonic.se> <48F75EE5.2090908@intersonic.se> <48F79F0F.5020402@intersonic.se> <200810162231.50549.fbsd.questions@rachie.is-a-geek.net> <48F7B3F3.70907@intersonic.se>
In-Reply-To: <48F7B3F3.70907@intersonic.se>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:
> Mel wrote:
>> On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
>>> Per olof Ljungmark wrote:
>>>> Daniel Bye wrote:
>>>>> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>>>>>> It is possible to configure sudo to run only exactly the required
>>>>>> command (including arguments) precisely to guard against this type
>>>>>> of abuse - I use it extensively in my own nagios setup.
>>>>>>
>>>>>> This Cmnd_Alias in sudoers will do the trick:
>>>>>>
>>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>>>>>
>>>>>> man sudoers for more information about what you can do with sudo.
>>>>> I just realised this example is woefully incomplete - apologies for
>>>>> that.
>>>>>
>>>>> There are a few ways you can set up /usr/local/etc/sudoers (make sure
>>>>> you use visudo to edit it, as it will catch any syntax errors for you,
>>>>> thus helping somewhat to prevent breaking your setup).
>>>>>
>>>>> The simplest case will just be to allow nagios to run the command, as
>>>>> root, without a password:
>>>>>
>>>>> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>>>>>
>>>>> If, as is quite possible, nagios should be able to run more than just
>>>>> that one command, you can define a Cmnd_Alias, as above. To include
>>>>> more than one command in the alias, simply separate them with a comma.
>>>>> You can use `\' to escape newlines and make your file a little easier
>>>>> to read:
>>>>>
>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
>>>>>                           /sbin/camcontrol inquiry da1
>>>>>
>>>>> and so on. Now, to use that alias, set the user's permissions to
>>>>>
>>>>> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
>>                ^^^^
>>
>>> For the records, even this won't work because nagios needs access to
>>> /dev/xpt0 as well and once there sudo can't help.
>>>
>>> sudo -u nagios /sbin/camcontrol inquiry da0
>>> camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
>>> cam_lookup_pass: Permission denied
>>
>> The idea is to let this be run as root, tho personally, I'd put nagios
>> in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup
>> devfs.rules properly and then let it execute a script that does the
>> inquiry and the inquiry only.
>>
>> On a related note, it would be a 'nice to have', if the more dangerous
>> commands of camcontrol had a sysctl knob that only allows them to be
>> executed only as root.
>
> But... the command "/sbin/camcontrol inquiry da0" IS run as root through
> the setup in sudoers above, but it is not enough or I'm overseeing
> something. Anyway, I've already decided to scrap the sudo idea, too
> kludgy for me.

Scrapping it is fine, but you still aren't understanding how to use sudo.
The -u flag tells sudo what UID to switch to. Meaning, your above command
(sudo -u nagios /sbin/camcontrol...) tells the system "run /sbin/camcontrol
as user nagios". This **does not** tell the system to run /sbin/camcontrol
as user root.

For example, let's say you're logged in as user nagios (or running commands
as user nagios):

nagios@box$ sudo -u nagios whoami
nagios
nagios@box$

This obviously isn't what you want -- this tells sudo to switch to UID
nagios (you already ARE this user!) and run the "whoami" command. But this
IS what you want:

nagios@box$ sudo whoami
root
nagios@box$

You'll need to use visudo(8) to configure sudo to 1) permit user "nagios"
to use sudo (and switch to UID root), and 2) to ONLY RUN /sbin/camcontrol
when sudo is run, otherwise someone could do:

nagios@box$ sudo rm -fr /

You get the point now, I'm sure.

> The idea of running nagios with rw access to the devices is not very
> appealing either as Jeremy pointed out.
>
> I will start from square one with a different approach that I need to
> dream up tomorrow.

I must again point out that using a C-based wrapper is a much better idea,
especially if this is the only command you need to run as root. The wrapper
is a 15-20 line C program, if that, and will only run one command:
/sbin/camcontrol inquiry da0. It can't be used to do anything else.

If you really want someone to write this for you, I will do it.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |