Jay R. Ashworth wrote:
> On Mon, Jul 14, 2008 at 01:54:03PM +0200, Andreas Ericsson wrote:
>> Jeff Koch wrote:
>>> Thanks for your help. When we ran ping as nagios it bombed. Permissions on
>>> ping needed to be set SUID root so that an ICMP socket could be opened. We
>>> had changed that for security reasons. We'll make nagios sudo root for
>>> ping. That should solve the problem.
>> Changing /bin/ping to not be suid root for security reasons and then changing
>> Nagios to be suid root to fix a problem this causes seems more than just a
>> little backwards to me.
>
> I've left Jeff's quote in so you can see, Andreas, that you misread
> him. He didn't say "SUID root". He said sudo -- he plans to set the
> nagios Linux user up so it can sudo to run ping as root.
>

Ah, right. Having had some driver issues for my laptop lately, I foolishly
joined the linux-kernel mailing list. A payload of 1000 non-spam emails is
now hitting my inbox on a daily basis, causing me to only half-read pretty
much everything.

> Seems sensible to me.
>

Still, I'm not convinced. sudo is a different can of worms entirely, and not
nearly as secure as many people seem to think. Although the attack vector is
strictly local, it's large enough to be a greater worry to me than running a
small, much-audited program suid root.

Ah well. To each his own, I guess.

--
Andreas Ericsson [EMAIL PROTECTED]
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231