Security Concerns about the nsca daemon

Marc Haber mh+nagios-devel at zugschlus.de
Wed Feb 22 14:41:52 CET 2006


On Wed, Feb 22, 2006 at 02:18:52PM +0100, Andreas Ericsson wrote:
> Marc Haber wrote:
> >On Wed, Feb 22, 2006 at 11:03:51AM +0100, Andreas Ericsson wrote:
> >>
> >>Nothing prevents multiple daemons running in the same chroot() jail. The 
> >>jail is still as secure as it would be if just one daemon was running 
> >>inside it.
> >
> >That might be the case when the daemon can live with an empty chroot,
> >which is only true if the daemon can chroot itself. As soon as we need
> >external chroot techniques (which might be the case for third-party
> >daemons, not the patched nsca), the chroot needs contents, and then it
> >would be desirable to have one chroot per daemon.
> >
> 
> In that case I'd argue setting up /jail with a full environment in it 
> and include an empty directory where Nagios will create its command-fifo.

Doesn't scale in cases where multiple jails are needed, and I don't
like the idea of chroot-in-chroot. Mucho ugly.

> >Yes, you're right. So it is desirable to have multiple command_file
> >directives just to make sure.
> 
> Writing code "just to make sure" is a good way of wasting time and 
> adding code-bloat. When someone needs it, they'll write it. When someone 
> else may need it sometime in the future, it stays unwritten.

That's the open source approach "works for me". I prefer to think
ahead, but I am not going to write the code anyway (since I can't), so
the decision stays yours.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

