Re: FreeBSD and Nagios - permissions

2008-10-17 Thread Per olof Ljungmark
Jeremy Chadwick wrote:
 You get the point now, I'm sure.

Hi, just to say a big thank you to the people on the list for keeping up
with my dumb questions on sudo, this morning I re-read the manual and
got it working within minutes.

I'm still not convinced that sudo is the way to go in our particular
case so next week we'll test the C wrapper approach as well.

Have a good weekend,

--
per
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark
Hi,

I'm implementing a shell script as a Nagios plugin to check the status
of the ciss(4) driver. However, there is a permission problem that I am
not sure about the best way to get around in FreeBSD (7-STABLE).

The nrpe daemon that handles the script runs as the nagios user and
the command needed is camcontrol:

camcontrol inquiry da0

The nagios user does not have a shell by default in FreeBSD:
nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
so the script will obviously fail.

I would assume there are several ways to get around this and would
welcome best practice suggestions on how.

Thanks,

--per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
 Hi,
 
 I'm implementing a shell script as a Nagios plugin to check the status
 of the ciss(4) driver. However, there is a permission problem that I am
 not sure about the best way to get around in FreeBSD (7-STABLE).
 
 The nrpe daemon that handles the script runs as the nagios user and
 the command needed is camcontrol:
 
 camcontrol inquiry da0
 
 The nagios user does not have a shell by default in FreeBSD:
 nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
 so the script will obviously fail.

I cease to see what the user's shell has to do with the problem.  A
shell being set to /usr/sbin/nologin *does not* mean they cannot run
shell scripts, it just means one cannot log in as that user.

I think the problem is probably more along the lines of: you can't
run camcontrol as user nagios, because root access is required to
communicate with CAM (open /dev/xptX).

 I would assume there are several ways to get around this and would
 welcome best practice suggestions on how.

Two recommendations:

1) Write a wrapper program (this requires C) which calls camcontrol
inquiry da0.  The wrapper binary should be owned by root:nagios,
and perms should be 4710 (so that individuals in the nagios group
can run the binary, but no one else).  This C program is very, very
simple.

2) Use sudo and set up a ***VERY*** restrictive command list for user
nagios, meaning, only allowed to run /sbin/camcontrol.  I DO NOT
recommend this method, as it's possible for someone to use nagios to
run something like camcontrol reset or camcontrol eject as root,
or even worse, camcontrol cmd (could induce a low-level format of
one of your disks).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Ivailo Tanusheff
I think the problem is with the permissions of the specific user.
The way to get over it is to use sudo and configure it to allow the nagios
user to execute camcontrol. This way the line should be: sudo camcontrol
inquiry da0

Regards,

Ivailo Tanusheff
Deputy Head of IT Department
ProCredit Bank (Bulgaria) AD

Per olof Ljungmark [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
16.10.2008 10:52
To: freebsd-questions@freebsd.org
Subject: FreeBSD and Nagios - permissions

Hi,

I'm implementing a shell script as a Nagios plugin to check the status
of the ciss(4) driver. However, there is a permission problem that I am
not sure about the best way to get around in FreeBSD (7-STABLE).

The nrpe daemon that handles the script runs as the nagios user and
the command needed is camcontrol:

camcontrol inquiry da0

The nagios user does not have a shell by default in FreeBSD:
nagios:*:181:181::0:0:Nagios 
pseudo-user:/var/spool/nagios:/usr/sbin/nologin
so the script will obviously fail.

I would assume there are several ways to get around this and would
welcome best practice suggestions on how.

Thanks,

--per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Daniel Bye
On Thu, Oct 16, 2008 at 01:04:52AM -0700, Jeremy Chadwick wrote:
 On Thu, Oct 16, 2008 at 09:32:02AM +0200, Per olof Ljungmark wrote:
  The nrpe daemon that handles the script runs as the nagios user and
  the command needed is camcontrol:
  
  camcontrol inquiry da0
  
  The nagios user does not have a shell by default in FreeBSD:
  nagios:*:181:181::0:0:Nagios pseudo-user:/var/spool/nagios:/usr/sbin/nologin
  so the script will obviously fail.
 
 I think the problem is probably more along the lines of: you can't
 run camcontrol as user nagios, because root access is required to
 communicate with CAM (open /dev/xptX).
 
 Two recommendations:
 
 1) Write a wrapper program (this requires C) which calls camcontrol
 inquiry da0.  The wrapper binary should be owned by root:nagios,
 and perms should be 4710 (so that individuals in the nagios group
 can run the binary, but no one else).  This C program is very, very
 simple.
 
 2) Use sudo and set up a ***VERY*** restrictive command list for user
 nagios, meaning, only allowed to run /sbin/camcontrol.  I DO NOT
 recommend this method, as it's possible for someone to use nagios to
 run something like camcontrol reset or camcontrol eject as root,
 or even worse, camcontrol cmd (could induce a low-level format of
 one of your disks).

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 09:17:58PM +1100, Edwin Groothuis wrote:
  The nrpe daemon that handles the script runs as the nagios user and
  the command needed is camcontrol:
 
 First lines of the check_ciss.sh command:
 
 #!/bin/sh
 
 if [ $(whoami) != root ]; then
   sudo $*
 fi
 
 And allow in sudoers.conf the nagios user to run the check_ciss.sh
 command without passwords.
 
 Works fine here for years :-)

Wow... all I can say.  Wow.  This is a *humongous* security hole.

So what happens when someone finds a security hole in Nagios, allowing
them to modify files or run checks with arguments of their choice?

For a good time:

check_ciss.sh camcontrol format da0 -y

Yeah, uh, that script should be nuked.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Daniel Bye
On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
 It is possible to configure sudo to run only exactly the required command
 (including arguments) precisely to guard against this type of abuse -
 I use it extensively in my own nagios setup.
 
 This Cmnd_Alias in sudoers will do the trick:
 
 Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
 
 man sudoers for more information about what you can do with sudo.

I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

The sudoers man page has more information, and there is also a good
tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
still a good introduction):

http://www.onlamp.com/pub/a/bsd/2002/08/29/Big_Scary_Daemons.html?page=1

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




FreeBSD and Nagios - permissions

2008-10-16 Thread Edwin Groothuis
 The nrpe daemon that handles the script runs as the nagios user and
 the command needed is camcontrol:

First lines of the check_ciss.sh command:

#!/bin/sh

if [ $(whoami) != root ]; then
sudo $*
fi

And allow in sudoers.conf the nagios user to run the check_ciss.sh
command without passwords.

Works fine here for years :-)

Edwin

-- 
Edwin Groothuis Website: http://www.mavetju.org/
[EMAIL PROTECTED]   Weblog:  http://www.mavetju.org/weblog/


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.


I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

The sudoers man page has more information, and there is also a good
tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
still a good introduction):


Thank you very much for the detailed information.

I will have a go at sudo while waiting for my colleague to return, he
knows C and could probably write up the wrapper that Jeremy suggested.


Thanks all for the tips!

--per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.


I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS


For the record, even this won't work because nagios needs access to
/dev/xpt0 as well and once there sudo can't help.


sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied

--per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Mel
On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
 Per olof Ljungmark wrote:
  Daniel Bye wrote:
  On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
  It is possible to configure sudo to run only exactly the required command
  (including arguments) precisely to guard against this type of abuse -
  I use it extensively in my own nagios setup.
 
  This Cmnd_Alias in sudoers will do the trick:
 
  Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
 
  man sudoers for more information about what you can do with sudo.
 
  I just realised this example is woefully incomplete - apologies for that.
 
  There are a few ways you can set up /usr/local/etc/sudoers (make sure
  you use visudo to edit it, as it will catch any syntax errors for you,
  thus helping somewhat to prevent breaking your setup).
 
  The simplest case will just be to allow nagios to run the command, as root,
  without a password:
 
  nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
 
  If, as is quite possible, nagios should be able to run more than just
  that one command, you can define a Cmnd_Alias, as above. To include more
  than one command in the alias, simply separate them with a comma. You
  can use `\' to escape newlines and make your file a little easier to read:
 
  Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
    /sbin/camcontrol inquiry da1
 
  and so on. Now, to use that alias, set the user's permissions to
 
  nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
 

 For the record, even this won't work because nagios needs access to
 /dev/xpt0 as well and once there sudo can't help.

 sudo -u nagios /sbin/camcontrol inquiry da0
 camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
 cam_lookup_pass: Permission denied

The idea is to let this be run as root, tho personally, I'd put nagios in a
group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup devfs.rules
properly and then let it execute a script that does the inquiry and the
inquiry only.

On a related note, it would be a 'nice to have', if the more dangerous
commands of camcontrol had a sysctl knob that only allows them to be executed
as root.
-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Mel wrote:

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS


For the record, even this won't work because nagios needs access to
/dev/xpt0 as well and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied


The idea is to let this be run as root, tho personally, I'd put nagios in a
group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup devfs.rules
properly and then let it execute a script that does the inquiry and the
inquiry only.


On a related note, it would be a 'nice to have', if the more dangerous
commands of camcontrol had a sysctl knob that only allows them to be executed
as root.


But... the command /sbin/camcontrol inquiry da0 IS run as root through 
the setup in sudoers above, but it is not enough or I'm overseeing 
something. Anyway, I've already decided to scrap the sudo idea, too 
kludgy for me.


The idea of running nagios with rw access to the devices is not very 
appealing either as Jeremy pointed out.


I will start from square one with a different approach that I need to 
dream up tomorrow.

Thanks,
--
per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Mel
On Thursday 16 October 2008 23:36:51 Per olof Ljungmark wrote:
 Mel wrote:
  On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
  Per olof Ljungmark wrote:
  Daniel Bye wrote:
  On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

snip

  nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
 
This means:
ALLOW nagios user from anywhere to run commands NAGIOS_CMNDS as user root 
without a password.

  For the record, even this won't work because nagios needs access to
  /dev/xpt0 as well and once there sudo can't help.
 
  sudo -u nagios /sbin/camcontrol inquiry da0
  camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
  cam_lookup_pass: Permission denied

The above sudo command, runs as nagios user, not as root.

 But... the command /sbin/camcontrol inquiry da0 IS run as root through
 the setup in sudoers above,

See above. To test if it would work, you'd have to login as nagios then run 
sudo /sbin/camcontrol inquiry da0.
-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Jeremy Chadwick
On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:
 Mel wrote:
 On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
 Per olof Ljungmark wrote:
 Daniel Bye wrote:
 On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
 It is possible to configure sudo to run only exactly the required command
 (including arguments) precisely to guard against this type of abuse -
 I use it extensively in my own nagios setup.

 This Cmnd_Alias in sudoers will do the trick:

 Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

 man sudoers for more information about what you can do with sudo.
 I just realised this example is woefully incomplete - apologies for that.

 There are a few ways you can set up /usr/local/etc/sudoers (make sure
 you use visudo to edit it, as it will catch any syntax errors for you,
 thus helping somewhat to prevent breaking your setup).

 The simplest case will just be to allow nagios to run the command, as root,
 without a password:

 nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

 If, as is quite possible, nagios should be able to run more than just
 that one command, you can define a Cmnd_Alias, as above. To include more
 than one command in the alias, simply separate them with a comma. You
 can use `\' to escape newlines and make your file a little easier to read:

 Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
   /sbin/camcontrol inquiry da1

 and so on. Now, to use that alias, set the user's permissions to

 nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS

 For the record, even this won't work because nagios needs access to
 /dev/xpt0 as well and once there sudo can't help.

 sudo -u nagios /sbin/camcontrol inquiry da0
 camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
 cam_lookup_pass: Permission denied

 The idea is to let this be run as root, tho personally, I'd put nagios
 in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup
 devfs.rules properly and then let it execute a script that does the
 inquiry and the inquiry only.

 On a related note, it would be a 'nice to have', if the more dangerous
 commands of camcontrol had a sysctl knob that only allows them to be
 executed as root.

 But... the command /sbin/camcontrol inquiry da0 IS run as root through  
 the setup in sudoers above, but it is not enough or I'm overseeing  
 something. Anyway, I've already decided to scrap the sudo idea, too  
 kludgy for me.

Scrapping it is fine, but you still aren't understanding how to use
sudo.

The -u flag tells sudo what UID to switch to.  Meaning, your above
command (sudo -u nagios /sbin/camcontrol...) tells the system run
/sbin/camcontrol as user nagios.  This **does not** tell the system
to run /sbin/camcontrol as user root.

For example, let's say you're logged in as user nagios (or running
commands as user nagios):

[EMAIL PROTECTED] sudo -u nagios whoami
nagios
[EMAIL PROTECTED]

This obviously isn't what you want -- this tells sudo to switch to
UID nagios (you already ARE this user!) and run the whoami command.

But this IS what you want:

[EMAIL PROTECTED] sudo whoami
root
[EMAIL PROTECTED]

You'll need to use visudo(8) to configure sudo to 1) permit user
nagios to use sudo (and switch to UID root), and 2) to ONLY RUN
/sbin/camcontrol when sudo is run, otherwise someone could do:

[EMAIL PROTECTED] sudo rm -fr /

You get the point now, I'm sure.

 The idea of running nagios with rw access to the devices is not very  
 appealing either as Jeremy pointed out.

 I will start from square one with a different approach that I need to  
 dream up tomorrow.

I must again point out that using a C-based wrapper is a much
better idea, especially if this is the only command you need to
run as root.

The wrapper is a 15-20 line C program, if that, and will only run
one command: /sbin/camcontrol inquiry da0.  It can't be used to do
anything else.

If you really want someone to write this for you, I will do it.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

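The setuid wrapper Jeremy recommends here and in his first reply (root:nagios, mode 4710, runs only /sbin/camcontrol inquiry da0), written out as an added example; this is not code from the thread. It assumes camcontrol is at /sbin/camcontrol as stated in the thread and uses an install path (/usr/local/libexec/camwrap) and function names chosen for this example.

```c
/*
 * camwrap.c: setuid-root wrapper that runs exactly one fixed command,
 * /sbin/camcontrol inquiry da0, and nothing else.
 *
 * Install (as root), using the ownership and mode from the thread
 * (the install path is an assumption of this example):
 *   cc -O2 -Wall -o /usr/local/libexec/camwrap camwrap.c
 *   chown root:nagios /usr/local/libexec/camwrap
 *   chmod 4710 /usr/local/libexec/camwrap
 * Mode 4710: setuid root, executable only by members of group nagios,
 * not readable or executable by anyone else.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAMCONTROL "/sbin/camcontrol"

/* The command line is a compile-time constant. The wrapper's own argv
 * is never consulted, so a caller cannot substitute "format", "reset"
 * or any other camcontrol subcommand. */
static char *const fixed_argv[] = { CAMCONTROL, "inquiry", "da0", NULL };

/* A fixed, minimal environment: nothing from the caller (PATH, LD_*,
 * locale variables, ...) reaches the privileged child. */
static char *const fixed_envp[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    NULL
};

/* Accept only an argument-less invocation. Extra arguments are refused
 * rather than silently ignored, so a misuse attempt fails visibly. */
int wrapper_accepts(int argc)
{
    return argc == 1;
}

/* Number of words in the fixed command line (excluding the NULL). */
int wrapper_argc(void)
{
    int n = 0;
    while (fixed_argv[n] != NULL)
        n++;
    return n;
}

/* The i-th word of the fixed command line, or NULL past the end. */
const char *wrapper_argv_word(int i)
{
    return (i >= 0 && i < wrapper_argc()) ? fixed_argv[i] : NULL;
}

/* Become root for real: the setuid bit only makes the *effective* uid 0,
 * and a child may check the real uid too, so set both. Returns -1 when
 * the binary was not installed setuid root (euid is still the caller). */
int wrapper_become_root(void)
{
    if (geteuid() != 0)
        return -1;
    return setuid(0);
}

int main(int argc, char **argv)
{
    if (!wrapper_accepts(argc)) {
        fprintf(stderr, "%s: takes no arguments\n", argv[0]);
        return 2;
    }
    if (wrapper_become_root() != 0) {
        perror("setuid");
        return 1;
    }
    /* execve() only returns on failure. */
    execve(CAMCONTROL, fixed_argv, fixed_envp);
    perror("execve " CAMCONTROL);
    return 1;
}
```

The Nagios plugin then calls the wrapper with no arguments and parses its stdout; the privileged side has no input surface at all.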


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Mel wrote:

On Thursday 16 October 2008 23:36:51 Per olof Ljungmark wrote:

Mel wrote:

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:


snip


nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS


This means:
ALLOW nagios user from anywhere to run commands NAGIOS_CMNDS as user root 
without a password.



For the record, even this won't work because nagios needs access to
/dev/xpt0 as well and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied


The above sudo command, runs as nagios user, not as root.


But... the command /sbin/camcontrol inquiry da0 IS run as root through
the setup in sudoers above,


See above. To test if it would work, you'd have to login as nagios then run 
sudo /sbin/camcontrol inquiry da0.


OK, I'm sure you're right, this was my first encounter with sudo. But,
nagios, running in parallel, reported identical results as the ones I
got from the command line. That is why I drew the conclusion that giving
nagios root access to NAGIOS_CMNDS was not enough and the reported error
(access to /dev/xpt0) was not part of any direct command.


Maybe this is wrong and I made a mistake but because this is *nix I'm 
confident there are other less kludgy solutions to the problem.

--
per


Re: FreeBSD and Nagios - permissions

2008-10-16 Thread Per olof Ljungmark

Jeremy Chadwick wrote:

On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:

Mel wrote:

On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:

Per olof Ljungmark wrote:

Daniel Bye wrote:

On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:

It is possible to configure sudo to run only exactly the required command
(including arguments) precisely to guard against this type of abuse -
I use it extensively in my own nagios setup.

This Cmnd_Alias in sudoers will do the trick:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0

man sudoers for more information about what you can do with sudo.

I just realised this example is woefully incomplete - apologies for that.

There are a few ways you can set up /usr/local/etc/sudoers (make sure
you use visudo to edit it, as it will catch any syntax errors for you,
thus helping somewhat to prevent breaking your setup).

The simplest case will just be to allow nagios to run the command, as root,
without a password:

nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

If, as is quite possible, nagios should be able to run more than just
that one command, you can define a Cmnd_Alias, as above. To include more
than one command in the alias, simply separate them with a comma. You
can use `\' to escape newlines and make your file a little easier to read:

Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
  /sbin/camcontrol inquiry da1

and so on. Now, to use that alias, set the user's permissions to

nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS



For the record, even this won't work because nagios needs access to
/dev/xpt0 as well and once there sudo can't help.

sudo -u nagios /sbin/camcontrol inquiry da0
camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
cam_lookup_pass: Permission denied
The idea is to let this be run as root, tho personally, I'd put nagios
in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup
devfs.rules properly and then let it execute a script that does the
inquiry and the inquiry only.


On a related note, it would be a 'nice to have', if the more dangerous
commands of camcontrol had a sysctl knob that only allows them to be
executed as root.
But... the command /sbin/camcontrol inquiry da0 IS run as root through  
the setup in sudoers above, but it is not enough or I'm overseeing  
something. Anyway, I've already decided to scrap the sudo idea, too  
kludgy for me.


Scrapping it is fine, but you still aren't understanding how to use
sudo.

The -u flag tells sudo what UID to switch to.  Meaning, your above
command (sudo -u nagios /sbin/camcontrol...) tells the system run
/sbin/camcontrol as user nagios.  This **does not** tell the system
to run /sbin/camcontrol as user root.

For example, let's say you're logged in as user nagios (or running
commands as user nagios):

[EMAIL PROTECTED] sudo -u nagios whoami
nagios
[EMAIL PROTECTED]

This obviously isn't what you want -- this tells sudo to switch to
UID nagios (you already ARE this user!) and run the whoami command.

But this IS what you want:

[EMAIL PROTECTED] sudo whoami
root
[EMAIL PROTECTED]

You'll need to use visudo(8) to configure sudo to 1) permit user
nagios to use sudo (and switch to UID root), and 2) to ONLY RUN
/sbin/camcontrol when sudo is run, otherwise someone could do:

[EMAIL PROTECTED] sudo rm -fr /

You get the point now, I'm sure.


Yep, promise :-)

I'm off to bed but will try to work out the sudo magic tomorrow although
I'm still inclined to an alternative solution.

--
per