Hello,

Following up on the conversation in monit-general about adding an option to "check program" to drop root privileges, I took a look at the source code and tried to see how difficult it would be to add it. I'm not extremely familiar with the source tree, nor do I usually use C for my day job, so be gentle, but I was able to mock up a preliminary working patch (against 5.3.2). I think this is a pretty important security feature for "check program" because if the user isn't careful a malicious trojan could be executed as root.
I had to make a couple of workarounds to get this to work. The "check" statements appear to be designed to only take one parameter (in this case, the path to the program), so I had to modify the grammar of "check program" a bit. But also, the order in which the statement is being parsed means the Service_t hasn't been created yet when uid/gid are parsed. So, I have to save those in static global variables and then set them in the instance of Service_t once it has been created.

So, testing this with something like "check program test-script with path '/home/lgustafson/test-uid.sh' as uid 1000 as gid 1000 if status != 0 then alert" worked for me. The script was indeed run as my uid/gid. The caveat is the supplemental group list still contains root, so the script could still modify writeable files owned by gid 0. I'm not certain that there is a portable solution for that, but it could be resolved on some of the platforms you support. Like I said, this is just a preliminary patch/brainstorming exercise.
Attachment: check-program-set-uid.patch (binary data)
_______________________________________________
monit-dev mailing list
monit-dev@nongnu.org
https://lists.nongnu.org/mailman/listinfo/monit-dev
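As an added illustration (not part of the message above, the attached patch, or the monit source), here is the privilege-drop sequence a forked child should run before exec'ing the checked program, including the supplementary-group reset that the mail identifies as missing. The function names (drop_privileges, has_group, run_as, run_sh_as), the step enum and the 126/127 exit codes are conventions chosen for this example, not monit's. It assumes a POSIX platform with setgroups(), which is the non-portable part the mail alludes to: setgroups() exists on Linux, the BSDs and macOS but is not in base POSIX, and it requires root (CAP_SETGID on Linux), which is why it has to run before setgid()/setuid() rather than after.

```c
/* Added example (not monit code): drop to a target uid/gid in a forked child
 * before exec, clearing the supplementary group list so gid 0 does not linger.
 * All names below are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Which step refused, so the caller can log something useful. */
enum drop_step { DROP_OK = 0, DROP_SETGROUPS, DROP_SETGID, DROP_SETUID, DROP_REGAIN };

/* Order matters: setgroups() needs root/CAP_SETGID, so it must run before
 * setgid(); setuid() comes last because afterwards groups can no longer be
 * changed. setuid() as root sets real, effective and saved uid, so the drop is
 * permanent; the final setuid(0) probe verifies that (it fails with EPERM when
 * everything went right). errno is left set by whichever call failed. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t only[1] = { gid };                      /* replaces root's supplementary list */
    if (setgroups(1, only) != 0) return DROP_SETGROUPS;
    if (setgid(gid) != 0)        return DROP_SETGID;
    if (setuid(uid) != 0)        return DROP_SETUID;
    if (uid != 0 && setuid(0) == 0) return DROP_REGAIN;  /* drop was not permanent */
    return DROP_OK;
}

/* 1 if gid g is the effective gid or in the supplementary list, 0 otherwise,
 * -1 on allocation failure. Call has_group(0) in the child after dropping to
 * confirm that gid 0 really is gone. */
static int has_group(gid_t g)
{
    if (getegid() == g) return 1;
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *groups = malloc((size_t)n * sizeof *groups);
    if (!groups) return -1;
    n = getgroups(n, groups);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == g) { found = 1; break; }
    free(groups);
    return found;
}

/* Fork, drop privileges in the child only (the monitoring daemon keeps its own
 * identity), then exec path with argv. Returns the child's exit status: 126 if
 * the drop failed (the program is never run with the parent's identity), 127 if
 * exec failed, -1 on fork/wait error or abnormal termination. */
static int run_as(const char *path, char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int step = drop_privileges(uid, gid);
        if (step != DROP_OK) {
            fprintf(stderr, "privilege drop failed at step %d: %s\n", step, strerror(errno));
            _exit(126);
        }
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run a shell command line under uid/gid, the way "check program" runs a script. */
static int run_sh_as(const char *cmd, uid_t uid, gid_t gid)
{
    char *argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return run_as("/bin/sh", argv, uid, gid);
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s uid gid 'command'\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    /* e.g. as root: ./run_as 1000 1000 'id' -- the output should show no gid 0 */
    int rc = run_sh_as(argv[3], uid, gid);
    printf("exit status %d\n", rc);
    return rc < 0 ? 1 : rc;
}
```

Run as root with a target uid/gid and the command `id`: the printed group list should contain only the target gid, whereas a drop that skips setgroups() leaves root's supplementary groups (and the gid 0 the mail mentions) in place. Run as an unprivileged user, the child refuses to exec (status 126) because setgroups() fails with EPERM, which is the safe failure mode: the checked program must never silently run with the daemon's identity when the drop did not happen.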