check-ping

Christopher Odenbach odenbach at uni-paderborn.de
Mon Jul 14 14:21:11 CEST 2008


Hi,

> Changing /bin/ping to not be suid root for security reasons and then changing
> Nagios to be suid root to fix a problem this causes seems more than just a
> little backwards to me.
> 
> Do "chmod 4711 /bin/ping" instead. ping is a simple program of ~4000 LoC. It
> has been thoroughly audited for security holes. Nagios is, in comparison, a
> complex elephantine monster of 80.000 LoC. Add any and all plugins it might
> run as well and you'll be well on your way to 250k LoC or more. Nobody has
> bothered auditing it very much from a security standpoint because it's not
> supposed to run with root permissions.

For checks which require root privileges we use sudo. That way it is
easy to configure the usage to a single user: the nagios user.

Just put something like

nagios  ALL=NOPASSWD: /usr/bin/aptitude # added by nagios-plugins-debs

in your /etc/sudoers file and that is it. The check of course has to
call the binary with sudo prepended, e.g. 'sudo aptitude ...'.

Christopher


-- 
======================================================
    Dipl.-Ing. Christopher Odenbach
    Zentrum fuer Informations- und Medientechnologien
    Universitaet Paderborn
    Raum N5.122
    odenbach at uni-paderborn.de
    Tel.: +49 5251 60 5315
======================================================
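
An added example, not part of the original message or of nagios-plugins-debs: a small Python lint for sudoers rules like the one above. In sudoers a command path given without arguments matches any argument list, so the lint reports for each command whether its arguments are pinned. It parses only simple one-line user specifications, and the second sample rule (with `update`) is constructed for illustration.

```python
import re

# Simplified user specification: user host = [(runas)] [TAG:] cmd [args], ...
SPEC = re.compile(r'^(?P<user>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$')
TAG = re.compile(r'^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*')
SKIP = ('#', '@', 'Defaults', 'User_Alias', 'Runas_Alias', 'Host_Alias', 'Cmnd_Alias')
LOOSE = ('any command', 'any arguments', 'wildcard arguments')
# Constructed sample: the rule from the message, then a variant pinned to "update" (assumed).
SAMPLE = [
    'nagios  ALL=NOPASSWD: /usr/bin/aptitude # added by nagios-plugins-debs',
    'nagios  ALL=(root) NOPASSWD: /usr/bin/aptitude update',
]

def classify(cmd):
    """Say how tightly one sudoers command entry pins its arguments."""
    path, args = (cmd.split(None, 1) + [''])[:2]
    if path == 'ALL':
        return path, 'any command'
    if not args:
        return path, 'any arguments'   # a bare path matches every argument list
    if args == '""':
        return path, 'no arguments'    # "" means: only with no arguments at all
    if re.search(r'[*?\[]', args):
        return path, 'wildcard arguments'
    return path, 'fixed arguments'

def audit_line(line):
    """Return (user, command, verdict, nopasswd) for each command in one rule."""
    line = re.sub(r'\s+#.*$', '', line).strip()        # drop a trailing comment
    m = None if not line or line.startswith(SKIP) else SPEC.match(line)
    findings, nopasswd = [], False
    for cmd in re.split(r'(?<!\\),', m.group('cmds')) if m else []:
        cmd = cmd.strip()
        tag = TAG.match(cmd)
        while tag:                                     # tags carry over to later commands
            if tag.group(1) in ('NOPASSWD', 'PASSWD'):
                nopasswd = tag.group(1) == 'NOPASSWD'
            cmd = cmd[tag.end():]
            tag = TAG.match(cmd)
        if cmd:
            findings.append((m.group('user'), *classify(cmd), nopasswd))
    return findings

def loose_nopasswd(lines):
    """Rules that run without a password and do not pin the arguments."""
    return [f for l in lines for f in audit_line(l) if f[3] and f[2] in LOOSE]
if __name__ == '__main__':
    print(loose_nopasswd(SAMPLE))
```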
