Reply: Re: security & suid/sudo plugins

srunschke at abit.de srunschke at abit.de
Mon Sep 4 10:50:38 CEST 2006


nagios-users-bounces at lists.sourceforge.net wrote on 02.09.2006 18:06:47:

> To make things clearer, the setup I'm proposing is this:
> 
> 1. # /usr/local/sbin/visudo 
> ...
> nagios  ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg
> 
> 2. # vi /usr/local/nagios/etc/nrpe.cfg
> ...
> command[check_logfiles]=/usr/local/bin/sudo /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg
> 
> 3. # grep nagios /etc/passwd
> nagios:x:1123:100:Nagios Remote User:/usr/local/nagios:/usr/bin/bash
> 
> Note to Hari: my understanding is that sudo won't work for an account that
> doesn't have a valid shell. Certainly all my testing led me to that
> conclusion.
> 
> 4. # passwd -l nagios
> 
> It's not clear to me exactly what the security risk is. The idea is that
> someone may gain access to an unprivileged account on the system and then
> use this access and this Nagios plugin to cause malicious damage? Or to
> break the root account? In which case, it would all come down to how
> secure the code of the plugin is. Is this correct?

Looks ok so far, you just have to make sure of one BIG issue.
/usr/local/nagios/libexec/check_logfiles MUST NOT be owned by
the nagios user/group and the nagios user/group MUST NOT have
write permissions.
Imagine someone doing:
"copy /usr/bin/bash /usr/local/nagios/libexec/check_logfiles"

In regard to security of the plugin code itself, you're more or less
on the safe side here. Since you "hardcoded" the parameters of the
root call, you cannot suffer from buffer overflows caused by malicious
parameters and exploiting the plugin via the logfiles themselves is both
most unlikely and secondly would mean someone already compromised the
system - else he couldn't forge syslog entries ;)

regards
        Sascha

--
Sascha Runschke
Network Management
IT-Services

ABIT AG i. Gr.
Robert-Bosch-Str. 1
40668 Meerbusch

Tel.:+49 (0) 2150.9153.226
Mobil:+49 (0) 173.5419665
mailto:SRunschke at abit.de

http://www.abit.net
http://www.abit-epos.net
---------------------------------
Security note regarding email communication:
http://www.abit.net/sicherheitshinweis.html
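
The ownership rule from the reply above, as an added example that is not part of the original message or of Nagios: a small audit that reports whether the account allowed to run a file through sudo could modify or replace that file. It goes one step beyond the message by also walking the parent directories, since write access to a directory allows replacing the entries in it. The function names are hypothetical; the default account and path are the ones from the quoted setup.

```python
import grp, os, pwd, stat, sys

def account_ids(name):
    """Return (uid, set of gids) for a local account, including supplementary groups."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids

def findings_for(path, uid, gids):
    """List the ways the account (uid, gids) could modify or replace `path`."""
    st = os.stat(path)
    is_dir = stat.S_ISDIR(st.st_mode)
    out = []
    if st.st_uid == uid:
        out.append("owned by the account")  # an owner can always chmod
    if st.st_gid in gids:
        if st.st_mode & stat.S_IWGRP:
            out.append("writable through the account's group")
        elif not is_dir:
            out.append("group-owned by the account's group")  # the reply's stricter rule
    # A sticky directory (e.g. /tmp) does not let others replace entries they do not own.
    if st.st_mode & stat.S_IWOTH and not (is_dir and st.st_mode & stat.S_ISVTX):
        out.append("world-writable")
    return out

def audit(target, uid, gids):
    """Check the sudo-allowed file and every ancestor directory up to /."""
    path = os.path.realpath(target)
    report = {}
    while True:
        found = findings_for(path, uid, gids)
        if found:
            report[path] = found
        parent = os.path.dirname(path)
        if parent == path:
            return report
        path = parent

if __name__ == "__main__":
    # Defaults are the account and plugin path from the quoted setup.
    account = sys.argv[1] if len(sys.argv) > 1 else "nagios"
    plugin = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/nagios/libexec/check_logfiles"
    uid, gids = account_ids(account)
    report = audit(plugin, uid, gids)
    for p, why in report.items():
        print(f"UNSAFE {p}: {', '.join(why)}")
    sys.exit(1 if report else 0)
```

An empty report and exit status 0 mean that neither the file nor any directory above it can be changed by the account.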

