We are trying a new technique in the 2.0 trunk to eliminate the use of sudo.

We will have a single setuid binary, the source of which is one page long, which will allow scripts to open a single privileged socket or single ICMP socket. That's all Zenoss ever needed.

That should tighten things up a bit.

-Eric


Christopher Blunck wrote:
You'll also need to set the env_keep variable so that your zenoss user's PYTHONPATH and ZENHOME variables are not squashed when you sudo as zenoss.

Defaults:zenoss env_reset,env_keep=*


-c

On May 9, 2007, at 12:53 PM, Chet Luther wrote:

On 5/9/07, RVO <[EMAIL PROTECTED]> wrote:
Is the following command safe to add into /etc/sudoers (from a security perspective)?

zenoss ALL=(ALL) NOPASSWD: /usr/local/zenoss/bin/python,/usr/bin/kill

The reason I ask is, until I added that line as it shows, zenoss would not fully start. It would complain about sudo permissions.

I have Zenoss installed from source on an Ubuntu 6.06 box with LAMP.

I tried all of the out-of-the-box commands on the Ubuntu install page, but no matter how hard I tried, or what other variants I used within the sudoers file, the above line is the only one that worked.

Again - is it security safe? If not, what is the best replacement that will work?

RVO,

Security safe is a matter of personal comfort. Setting sudo up in this
way really requires that you trust your zenoss account as much as
root. By giving the zenoss user access to run python as root, you are
in effect letting it run anything as root since you can launch
whatever you want from python.

Unfortunately zenping, zensyslog and zentrap require root level access
to create raw sockets and bind to privileged ports so this is
currently the only supported configuration.

--Chet Luther
[EMAIL PROTECTED]
_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users



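An added example, not Zenoss code and not posted by anyone in the thread: a small checker for the kind of sudoers line RVO asked about. It parses one-line user specifications, skips Defaults and alias lines, and reports a rule as root-equivalent when it grants an interpreter (python, perl, a shell, and similar) as root, which is Chet's point that python-as-root lets the grantee run anything as root. The interpreter list, the tag handling, the `monitor` user and the `/sbin/service zenoss restart` rule are my own constructions for illustration; the `zenoss` line and the `Defaults:zenoss` line are the ones from the thread.

```python
"""Audit sudoers user specifications for grants that amount to unrestricted root.

Added example, not Zenoss code. It parses the one-line form

    user host_list = (runas_list) [TAG:] command [args], command [args], ...

and flags commands that let the grantee run arbitrary code as the runas user.
"""
import os
import re
from dataclasses import dataclass

# Programs that execute caller-supplied code or hand the caller a shell.
# Granting any of these through sudo is equivalent to granting ALL.
# Matched on the basename with a trailing version stripped, so
# /usr/local/zenoss/bin/python and /usr/bin/python2.4 are both caught.
INTERPRETERS = {
    "python", "perl", "ruby", "sh", "bash", "dash", "ksh", "zsh", "env",
    "awk", "gawk", "find", "vi", "vim", "less", "more",
}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(NO)?(PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT):$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include")


@dataclass(frozen=True)
class Command:
    path: str
    args: str          # "" = any arguments; '""' = no arguments (sudoers syntax)
    tags: frozenset


@dataclass
class Rule:
    user: str
    hosts: str
    runas: str
    commands: list


def parse_rule(line):
    """Parse one sudoers line; return None for lines that are not user specs."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unrecognised sudoers line: %r" % line)
    runas = (m.group("runas") or "").strip() or "root"   # sudo's default runas
    commands, tags = [], set()
    for chunk in m.group("cmds").split(","):
        tokens = chunk.split()
        # A tag applies to every following command until its opposite appears.
        while tokens and TAG_RE.match(tokens[0]):
            neg, name = TAG_RE.match(tokens.pop(0)).groups()
            tags.discard(name if neg else "NO" + name)
            tags.add("NO" + name if neg else name)
        if tokens:
            commands.append(Command(tokens[0], " ".join(tokens[1:]), frozenset(tags)))
    return Rule(m.group("user"), m.group("hosts"), runas, commands)


def base_program(path):
    """Basename with any trailing version removed: /usr/bin/python2.4 -> python."""
    return re.sub(r"[0-9.]+$", "", os.path.basename(path))


def audit_rule(rule):
    """Return (severity, command, reason) findings for one parsed rule."""
    findings = []
    for cmd in rule.commands:
        prog = base_program(cmd.path)
        if cmd.path == "ALL":
            findings.append(("critical", cmd.path, "any command as %s" % rule.runas))
        elif prog in INTERPRETERS:
            findings.append(("critical", cmd.path,
                             "%s runs caller-supplied code, so this equals ALL as %s"
                             % (prog, rule.runas)))
        elif cmd.args == "":
            findings.append(("medium", cmd.path,
                             "no argument restriction; caller picks every argument"))
    if findings and all("NOPASSWD" in c.tags for c in rule.commands):
        findings.append(("info", "*", "NOPASSWD: no authentication for the grants above"))
    return findings


def is_root_equivalent(rule):
    """True when the rule hands the grantee arbitrary code execution as root."""
    runas_user = rule.runas.split(":")[0].strip()
    return runas_user in ("root", "ALL") and any(
        sev == "critical" for sev, _, _ in audit_rule(rule))


def audit_sudoers(text):
    """Audit every user specification in the text of a sudoers file."""
    report = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            report.append((line.strip(), is_root_equivalent(rule), audit_rule(rule)))
    return report


if __name__ == "__main__":
    # Constructed sample: the two lines from the thread plus a hypothetical
    # tightly scoped rule (user, service script and arguments are made up).
    SAMPLE = """
    Defaults:zenoss env_reset,env_keep=*
    zenoss ALL=(ALL) NOPASSWD: /usr/local/zenoss/bin/python,/usr/bin/kill
    monitor ALL=(root) NOPASSWD: /sbin/service zenoss restart
    """
    for line, root_equiv, findings in audit_sudoers(SAMPLE):
        print(line, "-> ROOT-EQUIVALENT" if root_equiv else "-> scoped")
        for sev, cmd, reason in findings:
            print("   [%s] %s: %s" % (sev, cmd, reason))
```

Run against the thread's line, the checker marks it root-equivalent because of the python entry; `/usr/bin/kill` only draws a medium finding for having no argument restriction. A rule that pins a specific non-interpreter program and its arguments, like the hypothetical `monitor` line, produces no findings, which is the shape a tighter grant would take if the daemons did not need python itself running as root.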