On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> >
> > camcontrol inquiry da0
> >
> > The nagios user does not have a shell by default in FreeBSD:
> > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> > so the script will obviously fail.
>
> I think the problem is probably more along the lines of: you can't
> run camcontrol as user "nagios", because root access is required to
> communicate with CAM (open /dev/xptX).
>
> Two recommendations:
>
> 1) Write a wrapper program (this requires C) which calls "camcontrol
> inquiry da0". The wrapper binary should be owned by root:nagios,
> and perms should be 4710 (so that individuals in the "nagios" group
> can run the binary, but no one else). This C program is very, very
> simple.
>
> 2) Use "sudo" and set up a ***VERY*** restrictive command list for user
> "nagios", meaning, only allowed to run /sbin/camcontrol. I DO NOT
> recommend this method, as it's possible for someone to use nagios to
> run something like "camcontrol reset" or "camcontrol eject" as root,
> or even worse, "camcontrol cmd" (could induce a low-level format of
> one of your disks),
It is possible to configure sudo to run only exactly the required command (including arguments) precisely to guard against this type of abuse - I use it extensively in my own nagios setup. This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

Dan

-- 
Daniel Bye
                                                                    _
                                              ASCII ribbon campaign ( )
 - against HTML, vCards and                                        X
 - proprietary attachments in e-mail                              / \
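The Cmnd_Alias above only takes effect together with a user specification that binds it to the nagios user. As an added example (not from the thread), here is the complete sudoers stanza it needs; the path /usr/local/etc/sudoers is assumed from the FreeBSD sudo port.

```sudoers
# Added example, not from the thread. Assumed file: /usr/local/etc/sudoers
# (FreeBSD sudo port). Edit with visudo so a syntax error cannot lock out sudo.

# A Cmnd that carries arguments matches only that exact argument list, so
# "camcontrol reset da0", "camcontrol cmd ..." and even "camcontrol inquiry da1"
# are refused. A bare "/sbin/camcontrol" entry would match ANY arguments,
# which is the over-broad grant the thread warns about.
Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

# Grant only the nagios user, only as root, only this alias. NOPASSWD is
# required because nrpe runs the check unattended; the plugin should still
# invoke "sudo -n /sbin/camcontrol inquiry da0" so that a misconfiguration
# fails immediately instead of hanging on a password prompt.
nagios ALL = (root) NOPASSWD: NAGIOS_CMNDS

# sudo logs every accepted and refused command to syslog (authpriv) by
# default, so a refused "camcontrol reset" attempt is visible in the logs.
```

Anything not listed, including the same binary with different arguments, is denied and logged, which is the property that makes this safer than granting /sbin/camcontrol wholesale.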