On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> > 
> > camcontrol inquiry da0
> > 
> > The nagios user does not have a shell by default in FreeBSD:
> > nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
> > so the script will obviously fail.
> I think the problem is probably more along the lines of: you can't
> run camcontrol as user "nagios", because root access is required to
> communicate with CAM (open /dev/xptX).
> Two recommendations:
> 1) Write wrapper program (this requires C) which calls "camcontrol
> inquiry da0".  The wrapper binary should be owned by root:nagios,
> and perms should be 4710 (so that individuals in the "nagios" group
> can run the binary, but no one else).  This C program is very, very
> simple.
> 2) Use "sudo" and set up a ***VERY*** restrictive command list for user
> "nagios", meaning, only allowed to run /sbin/camcontrol.  I DO NOT
> recommend this method, as it's possible for someone to use nagios to
> run something like "camcontrol reset" or "camcontrol eject" as root,
> or even worse, "camcontrol cmd" (could induce a low-level format of
> one of your disks),

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.


Daniel Bye
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \

Attachment: pgpeTPtDTfHCY.pgp
Description: PGP signature

Reply via email to