do not install check_dhcp and check_icmp suid root (this code is too crappy), instead explain how to setup systrace with privilege elevation
This commit is contained in:
sturm 2006-05-07 07:42:09 +00:00
parent f79150a69d
commit 6898e31c46
4 changed files with 52 additions and 3 deletions

View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.8 2006/04/19 20:35:28 sturm Exp $
# $OpenBSD: Makefile,v 1.9 2006/05/07 07:42:09 sturm Exp $
COMMENT= "nagios base plugins"
COMMENT-fping= "fping plugin"
@ -12,7 +12,7 @@ COMMENT-snmp= "plugins using snmp"
V= 1.4.3
DISTNAME= nagios-plugins-${V}
PKGNAME= nagios-plugins-${V}
PKGNAME= nagios-plugins-${V}p0
PKGNAME-fping= nagios-plugins-fping-${V}
PKGNAME-game= nagios-plugins-game-${V}
PKGNAME-ldap= nagios-plugins-ldap-${V}
@ -40,6 +40,8 @@ MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=nagiosplug/}
BUILD_DEPENDS= qstat::games/qstat \
fping::net/fping
FAKE_FLAGS= setuid_root_mode=0555
USE_LIBTOOL= Yes
CONFIGURE_STYLE=gnu
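Review bot: FAKE_FLAGS setuid_root_mode=0555 only has the intended effect if the upstream install target honours that variable for every plugin it would otherwise install suid (check_dhcp and check_icmp); it is worth checking the fake tree after `make fake` to confirm no file under libexec/nagios carries the setuid bit, because the PLIST has no @mode entries that would catch a regression on a later version bump. A one-line comment above FAKE_FLAGS stating why the plugins are deliberately not installed suid root would also save the next updater from "fixing" it.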
@ -120,4 +122,9 @@ MODULES= gettext
NO_REGRESS= lots of broken tests
post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/nagios-plugins
${INSTALL_DATA} ${FILESDIR}/README.OpenBSD \
${PREFIX}/share/doc/nagios-plugins
.include <bsd.port.mk>
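Review bot: ${INSTALL_DATA} copies README.OpenBSD verbatim, so the literal `${PREFIX}` in its instructions (the `cd ${PREFIX}/libexec/nagios` line and the sudoers entry) reaches the user unexpanded; either run the installed file through ${SUBST_CMD} in post-install or have the README say explicitly that ${PREFIX} stands for the installation prefix, normally /usr/local.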

View File

@ -0,0 +1,34 @@
Some nagios plugins need elevated privileges to run properly. As the code
quality of these plugins is not really good, they are not installed suid
root by default, but instead I suggest running them with systrace's
privilege elevation feature. This way they are run as _nagios, but single
syscalls are run as root.
1) Create a preliminary systrace policy for the plugin.
# cd ${PREFIX}/libexec/nagios
# systrace -A -d /tmp ./<plugin> <plugin arguments>
This creates a policy for the plugin <plugin> in /tmp.
2) Refine the policy and configure privilege elevation as required. This
is an example, permitting the bind(2) syscall as root.
native-bind: sockaddr eq "inet-[0.0.0.0]:68" then permit as root
3) Copy the systrace policy to /etc/systrace.
4) Run visudo as root and configure sudo for user _nagios like this.
_nagios ALL=NOPASSWD: /bin/systrace -a -c 550\:550 \
${PREFIX}/libexec/nagios/<plugin> <plugin arguments>
5) Configure the respective command in nagios.
define command {
command_name check_dhcp
command_line sudo /bin/systrace -a -c 550:550 $USER1$/<plugin> <plugin arguments>
}
6) In case of problems, systrace will log to /var/log/messages.
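Review bot: steps 4 and 5 hardcode `-c 550:550` without saying what those numbers are (the uid and gid the plugin is to run as, which the reader must match to their own _nagios account rather than copy blindly); state that, and point out that the sudoers command and the nagios command_line must match exactly, so $USER1$ has to expand to the same ${PREFIX}/libexec/nagios path with the same argument list, or sudo will reject the command. In step 1, `systrace -A -d /tmp` writes the preliminary policy into a world-writable directory before it is copied to /etc/systrace; generating it in a directory only root can write to avoids having the policy edited by another local user in between.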

View File

@ -0,0 +1,6 @@
The check_dhcp and check_icmp plugins need to run with superuser
privileges. For security reasons they are not installed suid root
by default. If you want to use them, you have to either change
their mode manually or use systrace's privilege elevation feature.
For further details see ${PREFIX}/share/doc/nagios-plugins/README.OpenBSD.

View File

@ -1,4 +1,4 @@
@comment $OpenBSD: PLIST,v 1.3 2006/04/19 20:35:28 sturm Exp $
@comment $OpenBSD: PLIST,v 1.4 2006/05/07 07:42:09 sturm Exp $
libexec/nagios/
libexec/nagios/check_by_ssh
libexec/nagios/check_clamd
@ -50,6 +50,8 @@ libexec/nagios/negate
libexec/nagios/urlize
libexec/nagios/utils.pm
libexec/nagios/utils.sh
share/doc/nagios-plugins/
share/doc/nagios-plugins/README.OpenBSD
share/locale/
share/locale/de/
share/locale/de/LC_MESSAGES/