FreeBSD and Nagios - permissions

Per olof Ljungmark peo at intersonic.se
Thu Oct 16 15:32:02 PDT 2008


Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:
>> Mel wrote:
>>> On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
>>>> Per olof Ljungmark wrote:
>>>>> Daniel Bye wrote:
>>>>>> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>>>>>>> It is possible to configure sudo to run only exactly the required
>>>>>>> command
>>>>>>> (including arguments) precisely to guard against this type of abuse -
>>>>>>> I use it extensively in my own nagios setup.
>>>>>>>
>>>>>>> This Cmnd_Alias in sudoers will do the trick:
>>>>>>>
>>>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>>>>>>
>>>>>>> man sudoers for more information about what you can do with sudo.
>>>>>> I just realised this example is woefully incomplete - apologies for
>>>>>> that.
>>>>>>
>>>>>> There are a few ways you can set up /usr/local/etc/sudoers (make sure
>>>>>> you use visudo to edit it, as it will catch any syntax errors for you,
>>>>>> thus helping somewhat to prevent breaking your setup).
>>>>>>
>>>>>> The simplest case will just be to allow nagios to run the command, as
>>>>>> root,
>>>>>> without a password:
>>>>>>
>>>>>> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>>>>>>
>>>>>> If, as is quite possible, nagios should be able to run more than just
>>>>>> that one command, you can define a Cmnd_Alias, as above. To include more
>>>>>> than one command in the alias, simply separate them with a comma. You
>>>>>> can use `\' to escape newlines and make your file a little easier to
>>>>>> read:
>>>>>>
>>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
>>>>>>                           /sbin/camcontrol inquiry da1
>>>>>>
>>>>>> and so on. Now, to use that alias, set the user's permissions to
>>>>>>
>>>>>> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
>>>                  ^^^^
>>>
>>>> For the record, even this won't work because nagios needs access to
>>>> /dev/xpt0 as well and once there sudo can't help.
>>>>
>>>> sudo -u nagios /sbin/camcontrol inquiry da0
>>>> camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
>>>> cam_lookup_pass: Permission denied
>>> The idea is to let this be run as root, though personally, I'd put nagios 
>>> in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, set up 
>>> devfs.rules properly and then let it execute a script that does the 
>>> inquiry and the inquiry only.
>>>
>>> On a related note, it would be a 'nice to have', if the more dangerous  
>>> commands of camcontrol had a sysctl knob that only allows them to be 
>>> executed as root.
>> But... the command "/sbin/camcontrol inquiry da0" IS run as root through  
>> the setup in sudoers above, but it is not enough or I'm overlooking  
>> something. Anyway, I've already decided to scrap the sudo idea, too  
>> kludgy for me.
> 
> Scrapping it is fine, but you still aren't understanding how to use
> sudo.
> 
> The -u flag tells sudo what UID to switch to.  Meaning, your above
> command (sudo -u nagios /sbin/camcontrol...) tells the system "run
> /sbin/camcontrol as user nagios".  This **does not** tell the system
> to run /sbin/camcontrol as user root.
> 
> For example, let's say you're logged in as user nagios (or running
> commands as user nagios):
> 
> nagios@box$ sudo -u nagios whoami
> nagios
> nagios@box$
> 
> This obviously isn't what you want -- this tells sudo to switch to
> UID nagios (you already ARE this user!) and run the "whoami" command.
> 
> But this IS what you want:
> 
> nagios@box$ sudo whoami
> root
> nagios@box$
> 
> You'll need to use visudo(8) to configure sudo to 1) permit user
> "nagios" to use sudo (and switch to UID root), and 2) to ONLY RUN
> /sbin/camcontrol when sudo is run, otherwise someone could do:
> 
> nagios@box$ sudo rm -fr /
> 
> You get the point now, I'm sure.

Yep, promise :-)

I'm off to bed but will try to work out the sudo magic tomorrow although 
I'm still inclined to an alternative solution.
--
per


More information about the freebsd-questions mailing list
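The thread leaves two approaches on the table: a sudoers entry that spells out the exact command and arguments, or (Mel's suggestion) a small script that does the inquiry and nothing else, which nagios runs either via sudo or directly once devfs.rules gives it access to /dev/xpt0, /dev/pass0 and /dev/da0. Below is a wrapper of the second kind, written here as an added example; it is not code from the thread, from FreeBSD or from the Nagios project. The install path /usr/local/libexec/nagios_camcontrol and the device list in ALLOWED_DEVICES are assumptions to be adjusted per host.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper that lets the monitoring
# user run exactly one camcontrol subcommand against an allow-list of
# devices, so sudo only has to permit a single command with no arguments.
# Assumed sudoers line (hypothetical path):
#   nagios ALL=(root) NOPASSWD: /usr/local/libexec/nagios_camcontrol
# The wrapper must be owned by root, mode 0755 and not writable by nagios;
# otherwise nagios could edit what sudo runs as root.

CAMCONTROL=/sbin/camcontrol
# Assumption: the disks this host may be asked about.
ALLOWED_DEVICES="da0 da1"

# device_allowed NAME -> 0 if NAME is exactly one of ALLOWED_DEVICES.
# An exact string compare (no globbing, no prefix match) means inputs such
# as "da0 ; id", "../xpt0" or "da00" are all rejected.
device_allowed() {
    _dev=$1
    for _d in $ALLOWED_DEVICES; do
        [ "$_dev" = "$_d" ] && return 0
    done
    return 1
}

# build_command NAME -> prints the exact command line that would run, or
# prints nothing and returns 1.  Kept separate from execution so it can be
# checked without root or a real CAM bus.
build_command() {
    device_allowed "$1" || return 1
    printf '%s inquiry %s\n' "$CAMCONTROL" "$1"
}

# run_inquiry NAME -> execute the inquiry.  Only reached with an
# allow-listed name, and the arguments are passed as separate words
# (no eval, no re-splitting of user input).
run_inquiry() {
    if ! device_allowed "$1"; then
        printf 'nagios_camcontrol: device "%s" not permitted\n' "$1" >&2
        return 2
    fi
    exec "$CAMCONTROL" inquiry "$1"
}

# Only dispatch when invoked with an argument; running the file bare just
# defines the functions without touching hardware.
if [ $# -gt 0 ]; then
    [ $# -eq 1 ] || { echo "usage: $0 daN" >&2; exit 64; }
    run_inquiry "$1"
fi
```

With this wrapper the sudoers entry names a command with no arguments, which is what Daniel's first example did for camcontrol itself; the difference is that sudoers matches a command listed without arguments against any arguments at all, so pointing such a line at /sbin/camcontrol would also permit the destructive subcommands, whereas the wrapper re-checks the argument before anything runs as root. If nagios is instead given rw access to the /dev/xpt0, /dev/pass0 and /dev/da* nodes through devfs.rules, the same script runs without sudo and the allow-list still limits what it can touch.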