On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote: > It is possible to configure sudo to run only exactly the required command > (including arguments) precisely to guard against this type of abuse - > I use it extensively in my own nagios setup. > > This Cmnd_Alias in sudoers will do the trick: > > Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0 > > man sudoers for more information about what you can do with sudo.
I just realised this example is woefully incomplete - apologies for that.
There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).
The simplest case will just be to allow nagios to run the command, as root,
without a password:
nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:
Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0 \
/sbin/camcontrol inquiry da1
and so on. Now, to use that alias, set the user's permissions to
nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
The sudoers man page has more information, and there is also a good
tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
still a good introduction):
http://www.onlamp.com/pub/a/bsd/2002/08/29/Big_Scary_Daemons.html?page=1
Dan
--
Daniel Bye
_
ASCII ribbon campaign ( )
- against HTML, vCards and X
- proprietary attachments in e-mail / \
pgputr2fYSiXj.pgp
Description: PGP signature
