Re: [Nagios-users] security suid/sudo plugins
Alexander Harvey wrote:
> Note to Hari: my understanding is that sudo won't work for an account that doesn't have a valid shell. Certainly all my testing led me to that conclusion.

Err, I wasn't sure, but this didn't sound right to me. I am sure a shell is not required for program execution, so I tested it. After /bin/false-ing and locking the nagios account, the service check I have sudo NOPASSWDed still worked, and I cronned a job to get the date, which ran every minute and output to a temp file. So it would seem that this is not correct. A valid shell is not required.

Hari Sekhon

-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] security suid/sudo plugins
On 4 Sep, 2006, at 12:09, Hari Sekhon wrote:
> Alexander Harvey wrote:
>> Note to Hari: my understanding is that sudo won't work for an account that doesn't have a valid shell. Certainly all my testing led me to that conclusion.
>
> So it would seem that this is not correct. A valid shell is not required.

Actually, to nitpick a little :) I'd think it's entirely possible that sudo requires a valid shell, just like FTP and such. But in that case "valid" would mean "listed in /etc/shells" and not "working like a normal shell"... I'd have to check the man-page to be sure though..

Cheers!

Thomas
Re: [Nagios-users] security suid/sudo plugins
Thomas Sluyter wrote:
> On 4 Sep, 2006, at 12:09, Hari Sekhon wrote:
>> Alexander Harvey wrote:
>>> Note to Hari: my understanding is that sudo won't work for an account that doesn't have a valid shell. Certainly all my testing led me to that conclusion.
>>
>> So it would seem that this is not correct. A valid shell is not required.
>
> Actually, to nitpick a little :) I'd think it's entirely possible that sudo requires a valid shell, just like FTP and such. But in that case "valid" would mean "listed in /etc/shells" and not "working like a normal shell"... I'd have to check the man-page to be sure though..
>
> Cheers!

/bin/false isn't listed as a valid shell on my nagios box and this still works. hmm.

Also, you could use "sudo -s /bin/bash check_command" so that you get the shell for that one command. The man page says you can use this to override the system-set shell.

If you find anything written anywhere about this then let me know. It's entirely possible that different versions have different quirks; this is not unknown in unixland...

fyi my "sudo -V" gives me the version as "Sudo version 1.6.8p9" (lots of extra output omitted)

-h
Re: [Nagios-users] security suid/sudo plugins
Hi All,

I'm using the same version of sudo on my Solaris systems. And by 'valid' I didn't mean merely listed in /etc/shells; I meant a real shell like bash. However, I'm afraid I can't reproduce the problem at the moment, but I can say that I resorted to giving the nagios user a real shell only when I realised I needed to run a shell-script plugin as the root user. Someone explained to me: "It would be a security flaw for sudo to allow anything to run for a user who is not otherwise entitled to a real shell." I make no comment on the reasoning (consider it hearsay), but sure enough, it was the only way I could get my plugin to work. If I get a chance to reproduce the problem, I'll see what I can dig out about it.

Alex

On 9/4/06, Hari Sekhon [EMAIL PROTECTED] wrote:
> Thomas Sluyter wrote:
>> On 4 Sep, 2006, at 12:09, Hari Sekhon wrote:
>>> Alexander Harvey wrote:
>>>> Note to Hari: my understanding is that sudo won't work for an account that doesn't have a valid shell. Certainly all my testing led me to that conclusion.
>>>
>>> So it would seem that this is not correct. A valid shell is not required.
>>
>> Actually, to nitpick a little :) I'd think it's entirely possible that sudo requires a valid shell, just like FTP and such. But in that case "valid" would mean "listed in /etc/shells" and not "working like a normal shell"... I'd have to check the man-page to be sure though..
>>
>> Cheers!
>
> /bin/false isn't listed as a valid shell on my nagios box and this still works. hmm.
>
> Also, you could use "sudo -s /bin/bash check_command" so that you get the shell for that one command. The man page says you can use this to override the system-set shell.
>
> If you find anything written anywhere about this then let me know. It's entirely possible that different versions have different quirks; this is not unknown in unixland...
>
> fyi my "sudo -V" gives me the version as "Sudo version 1.6.8p9" (lots of extra output omitted)
>
> -h
Re: [Nagios-users] security suid/sudo plugins
Thanks everyone for the responses. The 'systrace' thing went over my head I'm afraid, and the Solaris man page for that command isn't helping me much.

To make things clearer, the setup I'm proposing is this:

1. # /usr/local/sbin/visudo
   ...
   nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg

2. # vi /usr/local/nagios/etc/nrpe.cfg
   ...
   command[check_logfiles]=/usr/local/bin/sudo /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg

3. # grep nagios /etc/passwd
   nagios:x:1123:100:Nagios Remote User:/usr/local/nagios:/usr/bin/bash

   Note to Hari: my understanding is that sudo won't work for an account that doesn't have a valid shell. Certainly all my testing led me to that conclusion.

4. # passwd -l nagios

It's not clear to me exactly what the security risk is. The idea is that someone may gain access to an unprivileged account on the system and then use this access and this Nagios plugin to cause malicious damage? Or to break the root account? In which case, it would all come down to how secure the code of the plugin is. Is this correct?

Kind Regards,

Alex

On 9/1/06, julien Touche [EMAIL PROTECTED] wrote:
> Alexander Harvey wrote on 31/08/2006 16:10:
>> I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?
>
> $ cat /usr/local/share/doc/nagios-plugins/README.OpenBSD
> Some nagios plugins need elevated privileges to run properly. As the code quality of these plugins is not really good, they are not installed suid root by default, but instead I suggest running them with systrace's privilege elevation feature. This way they are run as _nagios, but single syscalls are run as root.
>
> 1) Create a preliminary systrace policy for the plugin.
>    # cd ${PREFIX}/libexec/nagios
>    # systrace -A -d /tmp ./plugin plugin arguments
>    This creates a policy for the plugin "plugin" in /tmp.
>
> 2) Refine the policy and configure privilege elevation as required. This is an example, permitting the bind(2) syscall as root.
>    native-bind: sockaddr eq "inet-[0.0.0.0]:68" then permit as root
>
> 3) Copy the systrace policy to /etc/systrace.
>
> 4) Run visudo as root and configure sudo for user _nagios like this.
>    _nagios ALL=NOPASSWD: /bin/systrace -a -c 550\:550 \
>        ${PREFIX}/libexec/nagios/plugin plugin arguments
>
> 5) Configure the respective command in nagios.
>    define command {
>        command_name check_dhcp
>        command_line sudo /bin/systrace -a -c 550:550 $USER1$/plugin plugin arguments
>    }
>
> 6) In case of problems, systrace will log to /var/log/messages.
>
> Regards
> Julien
[Nagios-users] security suid/sudo plugins
Hi,

I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?

Regards,
Alex
Re: [Nagios-users] security suid/sudo plugins
Alexander Harvey wrote:
> Hi,
>
> I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?
>
> Regards,
> Alex

use sudo, that's what it's for.

Hari Sekhon
Re: [Nagios-users] security suid/sudo plugins
Alexander Harvey wrote:
> I am using sudo, except that the customer won't sign the change! :-)
>
> On 9/1/06, Hari Sekhon [EMAIL PROTECTED] wrote:
>> Alexander Harvey wrote:
>>> Hi,
>>>
>>> I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?
>>>
>>> Regards,
>>> Alex
>>
>> use sudo, that's what it's for.
>>
>> Hari Sekhon

tell the muppet customer that sudo is safer and was designed for this purpose. No other account can use the command with the elevated privilege, and no other user can use that account, especially if you lock it and /bin/false it as well for 2-level protection, so that the account can't be used by anybody (apart from root, by which point you're already hosed and that will be the least of your worries).

Hari Sekhon
Re: [Nagios-users] security suid/sudo plugins
On 31 Aug, 2006, at 16:34, Hari Sekhon wrote:
>> I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?
>
> use sudo, that's what it's for.

And then -don't- use sudo to run the script, but use sudo to run the actual command that's needed to read the logfile. Possibly even defining the actual arguments that will be given to the command. It's a bitch when it comes to upkeep, but it is the safest way of going about this... Using a suid script is asking for trouble... Anyone could change the script to read "rm -rf /*"

Cheers!

Thomas
Re: [Nagios-users] security suid/sudo plugins
Or create a group with the owner of the logfiles + the user that NRPE runs under, so that the group can read the logfile.

Internet [EMAIL PROTECTED] - 31/08/2006 15:34
Sent by: [EMAIL PROTECTED]
To: alexh19740110
cc: nagios-users
Subject: Re: [Nagios-users] security suid/sudo plugins

> Alexander Harvey wrote:
>> Hi,
>>
>> I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?
>>
>> Regards,
>> Alex
>
> use sudo, that's what it's for.
>
> Hari Sekhon
Re: [Nagios-users] security suid/sudo plugins
Thomas Sluyter wrote:
> On 31 Aug, 2006, at 16:34, Hari Sekhon wrote:
>>> I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?
>>
>> use sudo, that's what it's for.
>
> And then -don't- use sudo to run the script, but use sudo to run the actual command that's needed to read the logfile. Possibly even defining the actual arguments that will be given to the command. It's a bitch when it comes to upkeep, but it is the safest way of going about this... Using a suid script is asking for trouble... Anyone could change the script to read "rm -rf /*"
>
> Cheers!
>
> Thomas

yeah well that was implied in the "go learn how to use sudo properly" hint... sorry, I should have been more explicit in that. Only sudo the specific command (ie the plugin itself) and only for the one user. Done.

Hari Sekhon
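Added example (not from the thread, and not Nagios or sudo code): a small Python linter that checks a sudoers rule against what Thomas and Hari recommend above (one user, the plugin itself as an absolute path, its arguments pinned), run over Alex's proposed check_logfiles rule from earlier in the thread plus some constructed looser variants. The sudoers grammar it parses is a simplified subset assumed here, not a full sudoers parser.

```python
import re

# Simplified sudoers grammar assumed here: User Host=(Runas) [TAG: ...] cmd [args][, cmd ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)
# Basenames that hand over an unrestricted root shell or interpreter if granted.
SHELLS = {"sh", "bash", "ksh", "csh", "zsh", "perl", "python"}


def lint_sudoers_rule(line):
    """Return findings for one sudoers rule. An empty list means the rule is as
    narrow as the thread recommends: one user, one absolute command, args pinned."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["unparseable rule"]
    findings = []
    user, cmd = m.group("user"), m.group("cmd").strip()
    runas = m.group("runas")  # None means sudo's default target user (root)
    if user == "ALL" or user.startswith("%"):
        findings.append("grant is to ALL or a group rather than the single nagios user")
    if runas == "ALL":
        findings.append("runas is (ALL): the plugin may be run as any user via -u; (root) is tighter")
    if cmd == "ALL":
        findings.append("command is ALL: the account can run anything as root")
        return findings
    for spec in (c.strip() for c in cmd.split(",")):
        parts = spec.split()
        path, args = parts[0], parts[1:]
        if not path.startswith("/"):
            findings.append(f"{path}: command is not an absolute path")
        if path.rsplit("/", 1)[-1] in SHELLS:
            findings.append(f"{path}: granting a shell or interpreter is an unrestricted root shell")
        # sudo requires listed arguments to match; a command with none listed accepts any.
        if not args:
            findings.append(f"{path}: no arguments pinned, so any arguments are accepted")
        if any(ch in spec for ch in "*?["):
            findings.append(f"{path}: wildcard in command or arguments")
    return findings


# Alex's proposed rule from the thread, a tighter variant, and constructed looser ones.
PROPOSED = ("nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_logfiles "
            "-f /usr/local/nagios/etc/check_logfiles.cfg")
TIGHTER = ("nagios ALL=(root) NOPASSWD: /usr/local/nagios/libexec/check_logfiles "
           "-f /usr/local/nagios/etc/check_logfiles.cfg")
LOOSE = [
    "nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_logfiles",  # any arguments
    "nagios ALL=(ALL) NOPASSWD: /usr/bin/bash",                             # root shell
    "%nagios ALL=(ALL) NOPASSWD: ALL",                                      # whole group, anything
]

if __name__ == "__main__":
    for rule in [PROPOSED, TIGHTER] + LOOSE:
        print(rule)
        for finding in lint_sudoers_rule(rule) or ["ok"]:
            print("   ", finding)
```

Run it against the real /etc/sudoers only after expanding aliases and Defaults by hand; the subset parsed here does not understand them.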
Re: [Nagios-users] security suid/sudo plugins
Alexander Harvey wrote on 31/08/2006 16:10:
> I have a difficult customer who won't sign off changes based on the security risk of using suid plugins, for example, check_logfiles. What does one do about this situation?

$ cat /usr/local/share/doc/nagios-plugins/README.OpenBSD
Some nagios plugins need elevated privileges to run properly. As the code quality of these plugins is not really good, they are not installed suid root by default, but instead I suggest running them with systrace's privilege elevation feature. This way they are run as _nagios, but single syscalls are run as root.

1) Create a preliminary systrace policy for the plugin.

   # cd ${PREFIX}/libexec/nagios
   # systrace -A -d /tmp ./plugin plugin arguments

   This creates a policy for the plugin "plugin" in /tmp.

2) Refine the policy and configure privilege elevation as required. This is an example, permitting the bind(2) syscall as root.

   native-bind: sockaddr eq "inet-[0.0.0.0]:68" then permit as root

3) Copy the systrace policy to /etc/systrace.

4) Run visudo as root and configure sudo for user _nagios like this.

   _nagios ALL=NOPASSWD: /bin/systrace -a -c 550\:550 \
       ${PREFIX}/libexec/nagios/plugin plugin arguments

5) Configure the respective command in nagios.

   define command {
       command_name check_dhcp
       command_line sudo /bin/systrace -a -c 550:550 $USER1$/plugin plugin arguments
   }

6) In case of problems, systrace will log to /var/log/messages.

Regards
Julien