Security Concerns about the nsca daemon

[Andreas Ericsson]

Marc Haber wrote:
> On Tue, Feb 21, 2006 at 03:34:22PM +0100, Andreas Ericsson wrote:
> 
>>Marc Haber wrote:
>>
>>>The directory to chroot to should be configurable at compile time to
>>>help FHS-compliant distributions. On Debian, the directory to use
>>>would be /var/run/nsca, by example of sshd.
>>>
>>
>>At run-time, I'd say.
> 
> 
> Even better, one would have to worry about input processing though.
> 

Not sure I follow you there.

> 
>>>As sean has already said, this breaks as soon as the nagios daemon
>>>re-creates the named pipe for some reason.
>>
>>True. That means setting the jail-dir at compile-time goes out the 
>>window though. It would be better to grok the jail from the nagios 
>>config file.
> 
> 
> That, however, rules out the possible simplest implementation of
> allowing multiple command_file directives in nagios.cfg since nsca
> won't be able to grok its chroot location from there.
> 

But if we do this there's no need to support multiple command_file 
directives. It's the cleanest solution.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642