From: Per olof Ljungmark
Organization: Intersonic AB
Date: Fri, 17 Oct 2008 00:31:55 +0200
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD and Nagios - permissions
Message-ID: <48F7C0DB.2040802@intersonic.se>
In-Reply-To: <20081016220744.GA4823@icarus.home.lan>

Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:
>> Mel wrote:
>>> On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
>>>> Per olof Ljungmark wrote:
>>>>> Daniel Bye wrote:
>>>>>> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>>>>>>> It is possible to configure sudo to run only exactly the required
>>>>>>> command (including arguments) precisely to guard against this type
>>>>>>> of abuse - I use it extensively in my own nagios setup.
>>>>>>>
>>>>>>> This Cmnd_Alias in sudoers will do the trick:
>>>>>>>
>>>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>>>>>>
>>>>>>> man sudoers for more information about what you can do with sudo.
>>>>>> I just realised this example is woefully incomplete - apologies for
>>>>>> that.
>>>>>>
>>>>>> There are a few ways you can set up /usr/local/etc/sudoers (make sure
>>>>>> you use visudo to edit it, as it will catch any syntax errors for you,
>>>>>> thus helping somewhat to prevent breaking your setup).
>>>>>>
>>>>>> The simplest case will just be to allow nagios to run the command, as
>>>>>> root, without a password:
>>>>>>
>>>>>> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>>>>>>
>>>>>> If, as is quite possible, nagios should be able to run more than just
>>>>>> that one command, you can define a Cmnd_Alias, as above. To include more
>>>>>> than one command in the alias, simply separate them with a comma. You
>>>>>> can use `\' to escape newlines and make your file a little easier to
>>>>>> read:
>>>>>>
>>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
>>>>>>                           /sbin/camcontrol inquiry da1
>>>>>>
>>>>>> and so on. Now, to use that alias, set the user's permissions to
>>>>>>
>>>>>> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
>>>                ^^^^
>>>
>>>> For the records, even this won't work because nagios needs access to
>>>> /dev/xpt0 as well and once there sudo can't help.
>>>>
>>>> sudo -u nagios /sbin/camcontrol inquiry da0
>>>> camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
>>>> cam_lookup_pass: Permission denied
>>> The idea is to let this be run as root, tho personally, I'd put nagios
>>> in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup
>>> devfs.rules properly and then let it execute a script that does the
>>> inquiry and the inquiry only.
>>>
>>> On a related note, it would be a 'nice to have', if the more dangerous
>>> commands of camcontrol had a sysctl knob that only allows them to be
>>> executed only as root.
>> But... the command "/sbin/camcontrol inquiry da0" IS run as root through
>> the setup in sudoers above, but it is not enough or I'm overseeing
>> something. Anyway, I've already decided to scrap the sudo idea, too
>> kludgy for me.
>
> Scrapping it is fine, but you still aren't understanding how to use
> sudo.
>
> The -u flag tells sudo what UID to switch to. Meaning, your above
> command (sudo -u nagios /sbin/camcontrol...) tells the system "run
> /sbin/camcontrol as user nagios". This **does not** tell the system
> to run /sbin/camcontrol as user root.
>
> For example, let's say you're logged in as user nagios (or running
> commands as user nagios):
>
> nagios@box$ sudo -u nagios whoami
> nagios
> nagios@box$
>
> This obviously isn't what you want -- this tells sudo to switch to
> UID nagios (you already ARE this user!) and run the "whoami" command.
>
> But this IS what you want:
>
> nagios@box$ sudo whoami
> root
> nagios@box$
>
> You'll need to use visudo(8) to configure sudo to 1) permit user
> "nagios" to use sudo (and switch to UID root), and 2) to ONLY RUN
> /sbin/camcontrol when sudo is run, otherwise someone could do:
>
> nagios@box$ sudo rm -fr /
>
> You get the point now, I'm sure.

Yep, promise :-) I'm off to bed but will try to work out the sudo magic
tomorrow although I'm still inclined to an alternative solution.

--
per
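
Added example, not part of the original message or written by anyone in the thread: a small Python audit that reads sudoers-style rules and reports, per user, whether each permitted command is pinned to exact arguments as the thread recommends. The sample policy is constructed for illustration, the `backup` user and the two over-broad rules are assumptions, and the parser is a deliberate simplification that only handles `Cmnd_Alias` lines and plain user rules.

```python
import re

# Constructed sample policy (not taken from the thread's hosts): the exact-argument
# alias from the thread plus two deliberately over-broad rules for contrast.
SAMPLE_SUDOERS = r"""
Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
                          /sbin/camcontrol inquiry da1
nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
nagios ALL=(root) NOPASSWD: /sbin/camcontrol
backup ALL=(root) NOPASSWD: ALL
"""

def parse(text):
    """Simplified sudoers reader: Cmnd_Alias lines and plain user rules only."""
    aliases, rules = {}, []
    # sudoers joins a line ending in a backslash with the next one.
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        # Shape handled here: user host=(runas) TAG: cmd, cmd ...
        m = re.match(r"(\S+)\s+\S+?\s*=\s*(?:\([^)]*\))?\s*(?:\w+:\s*)*(.+)", line)
        if m:
            rules.append((m.group(1), [c.strip() for c in m.group(2).split(",")]))
    return aliases, rules

def audit(text, user):
    """Return (command spec, verdict) for every command `user` may run via sudo."""
    aliases, rules = parse(text)
    findings = []
    for rule_user, cmds in rules:
        if rule_user != user:
            continue
        for cmd in cmds:
            for spec in aliases.get(cmd, [cmd]):
                if spec == "ALL":
                    verdict = "any command"
                elif len(spec.split()) == 1:
                    verdict = "any arguments"   # bare path: sudo accepts any args
                elif any(ch in spec for ch in "*?["):
                    verdict = "wildcard"
                else:
                    verdict = "exact"
                findings.append((spec, verdict))
    return findings

if __name__ == "__main__":
    for spec, verdict in audit(SAMPLE_SUDOERS, "nagios"):
        print(f"{verdict:14} {spec}")
```

Only entries reported as `exact` match the "required command (including arguments)" restriction described in the thread; a bare `/sbin/camcontrol` entry would let the monitoring account run every camcontrol subcommand as root.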