security & suid/sudo plugins

Hari Sekhon hpsekhon at googlemail.com
Thu Aug 31 16:49:49 CEST 2006


Thomas Sluyter wrote:
> On 31 Aug, 2006, at 16:34, Hari Sekhon wrote:
>
>>> I have a difficult customer who won't sign off changes based on  
>>> the security risk using suid plugins, for example, check_logfiles.  
>>> What does one do about this situation?
>>>
>> use sudo, that's what it's for.
>>
>
> And then -don't- use sudo to run the script, but use sudo to run the  
> actual command that's needed to read the logfile. Possibly even  
> defining the actual arguments that will be given to the command. It's  
> a bitch when it comes to upkeep, but it is the safest way of going  
> about this...
>
> Using a suid script is asking for trouble... Anyone could change the  
> script to read "rm -rf /*"
>
> Cheers!
>
>
> Thomas
>
>

yeah well, that was implied in the "go learn how to use sudo properly" hint...

Sorry, I should have been more explicit about that. Only sudo the specific 
command (i.e. the plugin itself) and only for the one user. Done.



Hari Sekhon
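The advice in the thread (no suid script; a sudo rule for one user, one command, and ideally a fixed argument list) looks like this when written down as a sudoers drop-in. This is an added example for this archive page, not a file posted by either author or shipped with Nagios or check_logfiles; the user name "nagios", the plugin and log paths, the config file and the "--config" argument are assumptions to adapt to the host.

```sudoers
# Added example, not from the original thread. Intended for
# /etc/sudoers.d/nagios, edited with: visudo -f /etc/sudoers.d/nagios
# User name, paths and arguments below are assumptions.

# Too broad: the monitoring user may run anything as root. If the nagios
# account is compromised, this is no better than a setuid script.
# nagios ALL=(root) NOPASSWD: ALL

# Still too broad: the plugin may be run with arbitrary arguments, so any
# file root can read becomes readable through the plugin's options.
# nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_logfiles

# Tight: one user, one command, one exact argument list. Any other
# invocation (an extra flag, a different config file) is refused by sudo.
Defaults:nagios !requiretty
nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_logfiles --config /etc/check_logfiles/secure.cfg

# Tighter still, as Thomas suggests: where the plugin only needs to read a
# log, grant the reading command with its exact argument rather than the
# plugin, and let the plugin (running unprivileged) call sudo for that step.
nagios ALL=(root) NOPASSWD: /usr/bin/tail -n 200 /var/log/secure
```

In the Nagios command definition the check then runs as `sudo /usr/lib/nagios/plugins/check_logfiles --config /etc/check_logfiles/secure.cfg`, matching the rule character for character. Two checks are worth doing after editing: `visudo -cf /etc/sudoers.d/nagios` validates the syntax before it can lock anyone out, and `sudo -l -U nagios` shows exactly what the account has been granted. The caveat from the thread still applies to the rule itself: whatever file the rule names is executed as root, so it must be owned by root and not writable by the nagios user or its group, otherwise the "specific command" rule is equivalent to ALL.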


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

