On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote: > Hi, > > I'm implementing a shell script as a Nagios plugin to check the status > of the ciss(4) driver. However, there is a permission problem that I am > not sure about the best way to get around in FreeBSD (7-STABLE). > > The nrpe daemon that handles the script runs as the "nagios" user and > the command needed is camcontrol: > > camcontrol inquiry da0 > > The nagios user does not have a shell by default in FreeBSD: > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin > so the script will obviously fail.
I cease to see what the users' shell has to do with the problem. A shell being set to /usr/sbin/nologin *does not* mean they cannot run shell scripts, it just means one cannot log in as that user. I think the problem is probably more along the lines of: you can't run camcontrol as user "nagios", because root access is required to communicate with CAM (open /dev/xptX). > I would assume there are several ways to get around this and would > welcome "best practice" suggestions on how. Two recommendations: 1) Write wrapper program (this requires C) which calls "camcontrol inquiry da0". The wrapper binary should be owned by root:nagios, and perms should be 4710 (so that individuals in the "nagios" group can run the binary, but no one else). This C program is very, very simple. 2) Use "sudo" and set up a ***VERY*** restrictive command list for user "nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT recommend this method, as it's possible for someone to use nagios to run something like "camcontrol reset" or "camcontrol eject" as root, or even worse, "camcontrol cmd" (could induce a low-level format of one of your disks), -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"