FreeBSD and Nagios - permissions

Per olof Ljungmark peo at intersonic.se
Thu Oct 16 08:34:05 PDT 2008


Daniel Bye wrote:
> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>> It is possible to configure sudo to run only exactly the required command
>> (including arguments) precisely to guard against this type of abuse -
>> I use it extensively in my own nagios setup.
>>
>> This Cmnd_Alias in sudoers will do the trick:
>>
>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>
>> man sudoers for more information about what you can do with sudo.
> 
> I just realised this example is woefully incomplete - apologies for that.
> 
> There are a few ways you can set up /usr/local/etc/sudoers (make sure
> you use visudo to edit it, as it will catch any syntax errors for you,
> thus helping somewhat to prevent breaking your setup).
> 
> The simplest case will just be to allow nagios to run the command, as root,
> without a password:
> 
> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
> 
> If, as is quite possible, nagios should be able to run more than just
> that one command, you can define a Cmnd_Alias, as above. To include more
> than one command in the alias, simply separate them with a comma. You
> can use `\' to escape newlines and make your file a little easier to read:
> 
> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0, \
>                           /sbin/camcontrol inquiry da1
> 
> and so on. Now, to use that alias, set the user's permissions to
> 
> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
> 
> The sudoers man page has more information, and there is also a good
> tutorial by M Lucas on O'Reilly's Big Scary Daemons (it's from 2002, but
> still a good introduction):

Thank you very much for the detailed information.

I will have a go at sudo while waiting for my colleague to return; he
knows C and could probably write up the wrapper that Jeremy suggested.

Thanks all for the tips!

--per
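
An added example, not part of the original thread: a small Nagios plugin in sh that invokes exactly the command line the sudoers rule quoted above permits, so the rule's argument matching and the plugin stay in step. The script name, the `SUDO` override and the `ALLOWED_DEVS` list are assumptions made for illustration.

```shell
#!/bin/sh
# check_cam_inquiry (hypothetical name): added example, not from the thread.
# Assumes the sudoers rule quoted above:
#   nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
# with NAGIOS_CMNDS listing "/sbin/camcontrol inquiry da0" and "... da1".

SUDO=${SUDO:-sudo}        # overridable so the logic can be exercised without root
ALLOWED_DEVS="da0 da1"    # must mirror the devices named in the Cmnd_Alias

# Nagios plugin exit codes
OK=0; CRITICAL=2; UNKNOWN=3

# Return 0 only if $1 is one of the devices the sudoers rule covers.
dev_allowed() {
    for d in $ALLOWED_DEVS; do
        if [ "$1" = "$d" ]; then
            return 0
        fi
    done
    return 1
}

# Run the exact command line sudoers matches on and map the outcome to a
# Nagios status line and exit code.
check_disk() {
    dev=$1
    if ! dev_allowed "$dev"; then
        echo "UNKNOWN: device '$dev' is not in the sudoers allow-list"
        return $UNKNOWN
    fi
    # -n: never prompt; if the rule is missing, sudo fails instead of hanging.
    if out=$($SUDO -n /sbin/camcontrol inquiry "$dev" 2>&1); then
        echo "OK: $dev $(echo "$out" | head -n 1)"
        return $OK
    fi
    echo "CRITICAL: camcontrol inquiry $dev failed: $(echo "$out" | head -n 1)"
    return $CRITICAL
}

# Only act when called as: check_cam_inquiry --check da0
if [ "${1:-}" = "--check" ]; then
    check_disk "${2:-}"
    exit $?
fi
```

Because sudoers matches the full argument list, any change to the arguments passed here needs a matching change to the Cmnd_Alias, otherwise the check reports CRITICAL.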

