On Thu, Oct 16, 2008 at 09:17:58PM +1100, Edwin Groothuis wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
> First lines of the check_ciss.sh command:
>     #!/bin/sh
>     if [ $(whoami) != "root" ]; then
>           sudo $*
>     fi
> And allow in sudoerrs.conf the nagios user to run the check_ciss.sh
> command without passwords.
> Works fine here for years :-)

Wow... all I can say.  Wow.  This is a *humongous* security hole.

So what happens when someone finds a security hole in Nagios, allowing
them to modify files or run checks with arguments of their choice?

For a good time:

check_ciss.sh camcontrol format da0 -y

Yeah, uh, that script should be nuked.

| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to