Hi Ingo,

Another method is to use a 'procmail' recipe for the nagios user, to execute a script when it receives. (I don't have a Ubuntu example, but I have done this in the past with Debian.)
This gives you two benefits.
1. You don't need to change the owner of postfix, together with the security implications.
2. You get finer grained control on what scripts execute and when.

- Install the 'procmail' package.
- Create a '.procmailrc' file in the nagios account. See 'man 5 procmailrc' for details.

(I would guess you would need something that looks like..)

----
:0 w
# pass along all to script
| /path/to/nagios /usr/local/nagios/...
-----

Cheers,
Paul

On 12/13/06, Daniel Pittman <[EMAIL PROTECTED]> wrote:
> Ingo Lantschner <[EMAIL PROTECTED]> writes:
>
> > I am using Ubuntu Server 6.06 as base os for a Nagios
> > systemmonitor. Yesterday I was looking for a way to feed alerts sent
> > as emails from RAID-controllers like 3ware. First it was quite simple:
> > Adding a line to /etc/aliases
> >
> > nagios: "|/usr/local/nagios/libexec/eventhandlers/handle-RAID-mail"
> >
> > Writing the script was not the problem, but the permissions
> > were. Nagios uses a pipe which is for obvious reasons not writable by
> > nobody:nogroup.
> >
> > In order to get around this problem I changed the user running "local":
> > $ sudo postconf -e default_privs=nagios
> >
> > Now the emails go straight into Nagios.
> >
> > BUT: What are the security implications of tampering with the
> > permissions of postfix? Any input is welcome
>
> Now *all* alias delivery, and unprivileged actions in Postfix, will
> default to being done as the Nagios user. That means that any security
> flaw in code run by Postfix during delivery has the capability to access
> Nagios data.
>
> A more likely problem, though, is that you will propagate ownership of
> files by Nagios where they shouldn't be, or that some accident will
> cause problems by damaging Nagios data.
>
>
> A better approach would be to have that one alias deliver through a
> suitable setuid program that switches to the Nagios user for the one
> process.
>
> The easy way to do that, of course, is to use a pre-existing tool
> designed for the purpose of changing userid. One that is already well
> integrated into Ubuntu and available to you:
>
> Add to your sudoers file a line akin to this:
>
> nobody ALL=(nagios) NOPASSWD: /usr/local/nagios/...
>
> Then arrange for your alias to use sudo to change to the appropriate
> user before running your script:
>
> nagios: "|/usr/bin/sudo -u nagios /usr/local/nagios/..."
>
> I can't recall if alias delivery allows parameters, but I believe it
> does. If not wrap that in a trivial shell script.
>
> Regards,
> Daniel
> --
> Digital Infrastructure Solutions -- making IT simple, stable and secure
> Phone: 0401 155 707 email: [EMAIL PROTECTED]
> http://digital-infrastructure.com.au/
>
>
> --
> ubuntu-server mailing list
> [email protected]
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
>
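
Whichever route (sudo or procmail) ends up running the handler as nagios, the mail it reads is untrusted input headed for the Nagios command pipe. The sketch below is an added example, not code from anyone in this thread: it turns one mail into a single passive-check line and neutralises separators and line breaks first. The FIFO path, sender map and service name are assumptions.

```python
#!/usr/bin/env python3
import email
import email.utils
import re
import sys
import time

# Assumptions, not from the thread: FIFO path, sender-to-host map, service name.
COMMAND_FILE = "/usr/local/nagios/var/rw/nagios.cmd"
KNOWN_SENDERS = {"raid@fileserver.example.com": "fileserver"}
SERVICE = "RAID"
# Anything outside this set (';', '|', CR/LF, control chars) becomes a space.
UNSAFE = re.compile(r"[^\w .:,()/-]", re.ASCII)

# Constructed sample: a folded Subject containing the field separator ';'.
SAMPLE_MAIL = (
    "From: 3ware <raid@fileserver.example.com>\n"
    "Subject: Unit 0 DEGRADED; port 3\n"
    " (rebuild pending)\n"
    "\n"
    "controller text\n"
)


def build_command(raw_mail, now):
    """Return one external-command line, or None if the mail is not accepted."""
    msg = email.message_from_string(raw_mail)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    host = KNOWN_SENDERS.get(sender)  # From: is spoofable; this is a sanity check
    if host is None:
        return None  # the mail never gets to choose the host name
    subject = " ".join(UNSAFE.sub(" ", msg.get("Subject", "")).split())[:200]
    state = 2 if re.search(r"\b(degraded|fail|error)", subject, re.I) else 0
    return f"[{now}] PROCESS_SERVICE_CHECK_RESULT;{host};{SERVICE};{state};{subject}\n"


def main():
    line = build_command(sys.stdin.read(), int(time.time()))
    if line is None:
        return 0  # drop quietly; a non-zero exit is reported as a delivery failure
    with open(COMMAND_FILE, "w") as pipe:  # FIFO writable only by the nagios user
        pipe.write(line)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```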
