[EMAIL PROTECTED] wrote on 02.09.2006 18:06:47:

> To make things clearer, the setup I'm proposing is this:
>
> 1. # /usr/local/sbin/visudo
> ...
> nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg
>
> 2. # vi /usr/local/nagios/etc/nrpe.cfg
> ...
> command[check_logfiles]=/usr/local/bin/sudo /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg
>
> 3. # grep nagios /etc/passwd
> nagios:x:1123:100:Nagios Remote User:/usr/local/nagios:/usr/bin/bash
>
> Note to Hari: my understanding is that sudo won't work for an account that
> doesn't have a valid shell. Certainly all my testing led me to that conclusion.
>
> 4. # passwd -l nagios
>
> It's not clear to me exactly what the security risk is. The idea is that
> someone may gain access to an unprivileged account on the system and then
> use this access and this Nagios plugin to cause malicious damage? Or to
> break the root account? In which case, it would all come down to how
> secure the code of the plugin is. Is this correct?

Looks ok so far, you just have to make sure of one BIG issue.
/usr/local/nagios/libexec/check_logfiles MUST NOT be owned by the nagios
user/group and the nagios user/group MUST NOT have write permissions.
Imagine someone doing:
"copy /usr/bin/bash /usr/local/nagios/libexec/check_logfiles"

In regard to security of the plugin code itself, you're more or less on
the safe side here. Since you "hardcoded" the parameters of the root call,
you cannot suffer from buffer overflows caused by malicious parameters, and
exploiting the plugin via the logfiles themselves is both most unlikely and
secondly would mean someone already compromised the system - else he
couldn't forge syslog entries ;)

regards
Sascha

--
Sascha Runschke
Netzwerk Management
IT-Services
ABIT AG i. Gr.
Robert-Bosch-Str. 1
40668 Meerbusch
Tel.:+49 (0) 2150.9153.226
Mobil:+49 (0) 173.5419665
mailto:[EMAIL PROTECTED]
http://www.abit.net
http://www.abit-epos.net
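The ownership and write-permission condition from the reply above, as a check to run before trusting the sudoers entry. This is an added example, not part of the original thread: it assumes GNU stat, the function names are hypothetical, the group name `nagios` in the usage comment is an assumption, and it goes one step beyond the mail by also checking the containing directory, since write access there allows replacing the file.

```shell
#!/bin/sh
# Added example: audit a sudo NOPASSWD target. Assumes GNU stat (Linux).
# Usage (group name is an assumption, the page only shows gid 100):
#   check_sudo_target /usr/local/nagios/libexec/check_logfiles nagios nagios

# unsafe_for PATH USER GROUP
# Returns 0 (and prints why) if USER or GROUP could modify PATH, 1 otherwise.
unsafe_for() {
    p=$1; user=$2; group=$3
    owner=$(stat -c %U "$p") || { echo "$p: cannot stat"; return 0; }
    grp=$(stat -c %G "$p")
    mode=$(stat -c %a "$p")        # octal, e.g. 755 or 1777
    if [ "$owner" = "$user" ]; then
        echo "$p: owned by $user (owner can always chmod and overwrite)"
        return 0
    fi
    if [ "$grp" = "$group" ] && [ $((0$mode & 020)) -ne 0 ]; then
        echo "$p: writable by group $group"
        return 0
    fi
    if [ $((0$mode & 002)) -ne 0 ]; then
        echo "$p: world-writable"
        return 0
    fi
    return 1
}

# check_sudo_target TARGET USER GROUP
# Returns 0 if neither TARGET nor its directory can be changed by USER/GROUP,
# 1 if one of them can, 2 if TARGET is not a plain regular file.
check_sudo_target() {
    target=$1; user=$2; group=$3
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "$target: not a regular file (symlinks are rejected)"
        return 2
    fi
    if unsafe_for "$target" "$user" "$group"; then return 1; fi
    # A writable directory lets the account rename the file away and
    # drop a replacement in its place, whatever the file's own mode is.
    if unsafe_for "$(dirname "$target")" "$user" "$group"; then return 1; fi
    echo "$target: ok for sudo use by $user"
    return 0
}
```

A non-zero return means the account named in the sudoers entry can swap the binary that sudo will run as root.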