Notification issues

Andreas Ericsson ae at op5.se
Wed Feb 16 13:52:05 CET 2005


Michael Medin wrote:
> Hi,
> 
> I tried this but it needed to be run as root so should I a+s and chown
> the file to root or is there some better (as in more secure) way to
> handle it?

The paranoid way of setting suid root on a program goes as follows:

chmod 000 check_icmp
chown root:nagios check_icmp
chmod 4710 check_icmp


> Root suid sounds dangerous to me...
> 

That depends on the program having the honor. For check_icmp, it's 
really quite safe.

check_icmp obtains the raw socket prior to parsing any input at all and 
then immediately drops privileges (in case it isn't run by root in the 
first place).

During run-time it implements a whitelist of what kind of network 
retrieved responses it will handle, copies nothing of it anywhere (no 
remotely triggered buffer overflows) and doesn't ever point beyond 
packet boundaries (no harmless sigsegv's either).

The only way anyone can cause it to sigsegv is by injecting bogus but 
carefully calculated packets in kernel memory and then making the kernel 
believe they actually arrived on the socket assigned to whatever pid 
check_icmp might have.
This would require a fairly extensive kernel rewrite and root 
privileges. Even then the sigsegv would be due to a read-only request on 
out-of-bounds memory (i.e. non-exploitable).

I believe I have commented on the security features in the code so that 
others may find it and comment on it easily (and so that no idiot will 
remove them should he decide to improve on it).

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Lead Developer
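
Added example (not part of the original message and not check_icmp's own source): a C sketch of the pattern the message describes, where the raw socket is opened before any input is parsed, privileges are then dropped for good, and replies are only inspected inside packet bounds against a whitelist. The function names and the particular whitelisted ICMP types are assumptions made for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Give up setuid/setgid privileges permanently; returns 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)   /* group first, then user */
        return -1;
    /* A non-root caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Return the ICMP type of a whitelisted reply, or -1 to ignore the packet.
 * buf is one raw-socket read: IPv4 header followed by the ICMP message.
 * The whitelist below is an assumption, not check_icmp's actual list. */
int classify_reply(const unsigned char *buf, size_t len)
{
    size_t ip_hl;
    if (buf == NULL || len < 20 || (buf[0] >> 4) != 4)
        return -1;                              /* too short or not IPv4 */
    ip_hl = (size_t)(buf[0] & 0x0f) * 4;        /* length claimed by sender */
    if (ip_hl < 20 || len < ip_hl + 8)
        return -1;                              /* never read past len */
    switch (buf[ip_hl]) {
    case 0:                                     /* echo reply */
    case 3:                                     /* destination unreachable */
    case 11:                                    /* time exceeded */
        return buf[ip_hl];
    default:
        return -1;                              /* anything else is dropped */
    }
}

int main(void)
{
    /* Privileged step first, before any argument or network input is read. */
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (drop_privileges() != 0)
        return 2;                               /* refuse to run privileged */
    if (sock < 0) { perror("socket"); return 1; }
    close(sock);
    return 0;
}
```

Only the socket() call ever runs with elevated rights; everything that touches attacker-influenced data (arguments, received packets) executes after drop_privileges().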

