FreeBSD and Nagios - permissions
Jeremy Chadwick
koitsu at FreeBSD.org
Thu Oct 16 04:06:06 PDT 2008
On Thu, Oct 16, 2008 at 09:17:58PM +1100, Edwin Groothuis wrote:
> > The nrpe daemon that handles the script runs as the "nagios" user and
> > the command needed is camcontrol:
>
> First lines of the check_ciss.sh command:
>
> #!/bin/sh
>
> if [ $(whoami) != "root" ]; then
> sudo $*
> fi
>
> And allow in sudoerrs.conf the nagios user to run the check_ciss.sh
> command without passwords.
>
> Works fine here for years :-)
Wow... all I can say. Wow. This is a *humongous* security hole.
So what happens when someone finds a security hole in Nagios, allowing
them to modify files or run checks with arguments of their choice?
For a good time:
check_ciss.sh camcontrol format da0 -y
Yeah, uh, that script should be nuked.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
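One way to close the hole described in the reply above, as an added example that is not part of the thread and not the real check_ciss.sh: the wrapper accepts only a device name from a fixed list and builds one fixed command itself, so caller-supplied arguments never reach sudo. The `inquiry` subcommand, the device list and the sudoers line are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the original check_ciss.sh).
# Assumed matching sudoers entry: exact arguments, no wildcard, no blanket
# NOPASSWD on the wrapper script itself:
#   nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0

CAMCONTROL=/sbin/camcontrol     # absolute path, never resolved through $PATH
ALLOWED_DEVICES="da0 da1"       # assumed device list for this host

# Print the one fixed command for an allowed device.
# Return 3 (Nagios UNKNOWN) for anything else.
check_argv() {
    [ "$#" -eq 1 ] || return 3          # exactly one argument: the device
    for dev in $ALLOWED_DEVICES; do
        if [ "$1" = "$dev" ]; then
            printf '%s inquiry %s\n' "$CAMCONTROL" "$dev"
            return 0
        fi
    done
    return 3
}

# Run the check: only the command built above is handed to sudo.
run_check() {
    cmd=$(check_argv "$@") || { echo "UNKNOWN: argument rejected"; return 3; }
    # -n: fail instead of prompting. Splitting $cmd is safe here because it
    # is assembled from constants and an allow-listed device name.
    sudo -n $cmd
}

# Constructed inputs: the legitimate call, the command line quoted in the
# reply, and a device name with a trailing option.
demo() {
    for args in "da0" "camcontrol format da0 -y" "da0 -y"; do
        # Unquoted on purpose: mimics nrpe handing over separate arguments.
        if check_argv $args >/dev/null; then
            echo "accept: $args"
        else
            echo "reject: $args"
        fi
    done
}
demo
```

With the sudoers rule pinned to the exact command and arguments, a compromised nagios account is limited to that one read-only query even if the wrapper is bypassed.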