On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> Hi,
> 
> I'm implementing a shell script as a Nagios plugin to check the status
> of the ciss(4) driver. However, there is a permission problem that I am
> not sure about the best way to get around in FreeBSD (7-STABLE).
> 
> The nrpe daemon that handles the script runs as the "nagios" user and
> the command needed is camcontrol:
> 
> camcontrol inquiry da0
> 
> The nagios user does not have a shell by default in FreeBSD:
> nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> so the script will obviously fail.

I cease to see what the user's shell has to do with the problem.  A
shell being set to /usr/sbin/nologin *does not* mean they cannot run
shell scripts, it just means one cannot log in as that user.

I think the problem is probably more along the lines of: you can't
run camcontrol as user "nagios", because root access is required to
communicate with CAM (open /dev/xptX).

> I would assume there are several ways to get around this and would
> welcome "best practice" suggestions on how.

Two recommendations:

1) Write a wrapper program (this requires C) which calls "camcontrol
inquiry da0".  The wrapper binary should be owned by root:nagios,
and perms should be 4710 (so that individuals in the "nagios" group
can run the binary, but no one else).  This C program is very, very
simple.

2) Use "sudo" and set up a ***VERY*** restrictive command list for user
"nagios", meaning, only allowed to run /sbin/camcontrol.  I DO NOT
recommend this method, as it's possible for someone to use nagios to
run something like "camcontrol reset" or "camcontrol eject" as root,
or even worse, "camcontrol cmd" (could induce a low-level format of
one of your disks).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions