FreeBSD and Nagios - permissions

Jeremy Chadwick koitsu at FreeBSD.org
Thu Oct 16 15:07:47 PDT 2008 

On Thu, Oct 16, 2008 at 11:36:51PM +0200, Per olof Ljungmark wrote:
> Mel wrote:
>> On Thursday 16 October 2008 22:07:43 Per olof Ljungmark wrote:
>>> Per olof Ljungmark wrote:
>>>> Daniel Bye wrote:
>>>>> On Thu, Oct 16, 2008 at 12:05:01PM +0100, Daniel Bye wrote:
>>>>>> It is possible to configure sudo to run only exactly the required
>>>>>> command
>>>>>> (including arguments) precisely to guard against this type of abuse -
>>>>>> I use it extensively in my own nagios setup.
>>>>>>
>>>>>> This Cmnd_Alias in sudoers will do the trick:
>>>>>>
>>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0
>>>>>>
>>>>>> man sudoers for more information about what you can do with sudo.
>>>>> I just realised this example is woefully incomplete - apologies for
>>>>> that.
>>>>>
>>>>> There are a few ways you can set up /usr/local/etc/sudoers (make sure
>>>>> you use visudo to edit it, as it will catch any syntax errors for you,
>>>>> thus helping somewhat to prevent breaking your setup).
>>>>>
>>>>> The simplest case will just be to allow nagios to run the command, as
>>>>> root,
>>>>> without a password:
>>>>>
>>>>> nagios ALL=(root) NOPASSWD: /sbin/camcontrol inquiry da0
>>>>>
>>>>> If, as is quite possible, nagios should be able to run more than just
>>>>> that one command, you can define a Cmnd_Alias, as above. To include more
>>>>> than one command in the alias, simply separate them with a comma. You
>>>>> can use `\' to escape newlines and make your file a little easier to
>>>>> read:
>>>>>
>>>>> Cmnd_Alias NAGIOS_CMNDS = /sbin/camcontrol inquiry da0 \
>>>>>                           /sbin/camcontrol inquiry da1
>>>>>
>>>>> and so on. Now, to use that alias, set the user's permissions to
>>>>>
>>>>> nagios ALL=(root) NOPASSWD: NAGIOS_CMNDS
>>                  ^^^^
>>
>>> For the records, even this won't work because nagois needs access to
>>> /dev/xpt0 as well and once there sudo can't help.
>>>
>>> sudo -u nagios /sbin/camcontrol inquiry da0
>>> camcontrol: cam_lookup_pass: couldn't open /dev/xpt0
>>> cam_lookup_pass: Permission denied
>>
>> The idea is to let this be run as root, tho personally, I'd put nagios 
>> in a group that can rw /dev/xpt0, /dev/pass0 and /dev/da0, setup 
>> devfs.rules properly and the let it execute a script that does the 
>> inquiry and the inquiry only.
>>
>> On a related note, it would be a 'nice to have', if the more dangerous  
>> commands of camcontrol had a sysctl knob that only allows them to be 
>> executed only as root.
>
> But... the command "/sbin/camcontrol inquiry da0" IS run as root through  
> the setup in sudoers above, but it is not enough or I'm overseeing  
> something. Anyway, I've already decided to scrap the sudo idea, too  
> kludgy for me.

Scrapping it is fine, but you still aren't understanding how to use
sudo.

The -u flag tells sudo what UID to switch to.  Meaning, your above
command (sudo -u nagios /sbin/camcontrol...) tells the system "run
/sbin/camcontrol as user nagios".  This **does not** tell the system
to run /sbin/camcontrol as user root.

For example, let's say you're logged in as user nagios (or running
commands as user nagios):

nagios at box$ sudo -u nagios whoami
nagios
nagios at box$

This obviously isn't what you want -- this tells sudo to switch to
UID nagios (you already ARE this user!) and run the "whoami" command.

But this IS what you want:

nagios at box$ sudo whoami
root
nagios at box$

You'll need to use visudo(8) to configure sudo to 1) permit user
"nagios" to use sudo (and switch to UID root), and 2) to ONLY RUN
/sbin/camcontrol when sudo is run, otherwise someone could do:

nagios at box$ sudo rm -fr /

You get the point now, I'm sure.

> The idea of running nagios with rw access to the devices is not very  
> appealing either as Jeremy pointed out.
>
> I will start from square one with a different approach that I need to  
> dream up tomorrow.

I must again point out that using a C-based wrapper is a much
better idea, especially if this is the only command you need to
run as root.

The wrapper is a 15-20 line C program, if that, and will only run
one command: /sbin/camcontrol inquiry da0.  It can't be used to do
anything else.

If you really want someone to write this for you, I will do it.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

More information about the freebsd-questions mailing list