do not install check_dhcp and check_icmp suid root (this code is
too crappy), instead explain how to setup systrace with privilege elevation
parent f79150a69d
commit 6898e31c46
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.8 2006/04/19 20:35:28 sturm Exp $
|
||||
# $OpenBSD: Makefile,v 1.9 2006/05/07 07:42:09 sturm Exp $
|
||||
|
||||
COMMENT= "nagios base plugins"
|
||||
COMMENT-fping= "fping plugin"
|
||||
@ -12,7 +12,7 @@ COMMENT-snmp= "plugins using snmp"
|
||||
|
||||
V= 1.4.3
|
||||
DISTNAME= nagios-plugins-${V}
|
||||
PKGNAME= nagios-plugins-${V}
|
||||
PKGNAME= nagios-plugins-${V}p0
|
||||
PKGNAME-fping= nagios-plugins-fping-${V}
|
||||
PKGNAME-game= nagios-plugins-game-${V}
|
||||
PKGNAME-ldap= nagios-plugins-ldap-${V}
|
||||
@ -40,6 +40,8 @@ MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=nagiosplug/}
|
||||
BUILD_DEPENDS= qstat::games/qstat \
|
||||
fping::net/fping
|
||||
|
||||
FAKE_FLAGS= setuid_root_mode=0555
|
||||
|
||||
USE_LIBTOOL= Yes
|
||||
|
||||
CONFIGURE_STYLE=gnu
|
||||
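Review bot: the new `FAKE_FLAGS= setuid_root_mode=0555` line carries no comment, so the reason the setuid bit is dropped is recorded only in the commit message. Add a one-line comment above it saying that check_dhcp and check_icmp are deliberately not installed suid root and pointing to README.OpenBSD, so that a later update of the port does not remove the override as a leftover.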
@ -120,4 +122,9 @@ MODULES= gettext
|
||||
|
||||
NO_REGRESS= lots of broken tests
|
||||
|
||||
post-install:
|
||||
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/nagios-plugins
|
||||
${INSTALL_DATA} ${FILESDIR}/README.OpenBSD \
|
||||
${PREFIX}/share/doc/nagios-plugins
|
||||
|
||||
.include <bsd.port.mk>
|
||||
|
34
net/nagios/plugins/files/README.OpenBSD
Normal file
@ -0,0 +1,34 @@
|
||||
Some nagios plugins need elevated privileges to run properly. As the code
|
||||
quality of these plugins is not really good, they are not installed suid
|
||||
root by default, but instead I suggest running them with systrace's
|
||||
privilege elevation feature. This way they are run as _nagios, but single
|
||||
syscalls are run as root.
|
||||
|
||||
1) Create a preliminary systrace policy for the plugin.
|
||||
|
||||
# cd ${PREFIX}/libexec/nagios
|
||||
# systrace -A -d /tmp ./<plugin> <plugin arguments>
|
||||
|
||||
This creates a policy for the plugin <plugin> in /tmp.
|
||||
|
||||
2) Refine the policy and configure privilege elevation as required. This
|
||||
is an example, permitting the bind(2) syscall as root.
|
||||
|
||||
native-bind: sockaddr eq "inet-[0.0.0.0]:68" then permit as root
|
||||
|
||||
3) Copy the systrace policy to /etc/systrace.
|
||||
|
||||
4) Run visudo as root and configure sudo for user _nagios like this.
|
||||
|
||||
_nagios ALL=NOPASSWD: /bin/systrace -a -c 550\:550 \
|
||||
${PREFIX}/libexec/nagios/<plugin> <plugin arguments>
|
||||
|
||||
5) Configure the respective command in nagios.
|
||||
|
||||
define command {
|
||||
command_name check_dhcp
|
||||
command_line sudo /bin/systrace -a -c 550:550 $USER1$/<plugin> <plugin arguments>
|
||||
}
|
||||
|
||||
6) In case of problems, systrace will log to /var/log/messages.
|
||||
|
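Review bot: steps 4 and 5 use `-c 550:550` without saying what the numbers are; the text implies they are the uid and gid of _nagios, and step 4 should say so, so that a reader whose account has different ids does not copy them blindly. Step 5 also mixes a literal `command_name check_dhcp` with the `<plugin>` placeholder in command_line; use the placeholder in both or show a full check_dhcp example. Since sudo matches the invoked command against the sudoers entry, it is worth one sentence that $USER1$ must expand to the same ${PREFIX}/libexec/nagios path as in step 4. Finally, step 1 generates the policy with `systrace -A`, and step 2 only says "refine"; state that the generated policy should be read through before it is copied to /etc/systrace, because step 4 then enforces it with `-a`.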
6
net/nagios/plugins/pkg/MESSAGE
Normal file
@ -0,0 +1,6 @@
|
||||
The check_dhcp and check_icmp plugins need to run with superuser
|
||||
privileges. For security reasons they are not installed suid root
|
||||
by default. If you want to use them, you have to either change
|
||||
their mode manually or use systrace's privilege elevation feature.
|
||||
|
||||
For further details see ${PREFIX}/share/doc/nagios-plugins/README.OpenBSD.
|
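Review bot: the sentence "you have to either change their mode manually or use systrace's privilege elevation feature" presents setting the suid bit by hand as an equal alternative, which undercuts the reason the plugins are no longer installed suid root. Name the systrace setup as the recommended route and mention the manual mode change only as a fallback, with the same caveat about code quality that README.OpenBSD gives.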
@ -1,4 +1,4 @@
|
||||
@comment $OpenBSD: PLIST,v 1.3 2006/04/19 20:35:28 sturm Exp $
|
||||
@comment $OpenBSD: PLIST,v 1.4 2006/05/07 07:42:09 sturm Exp $
|
||||
libexec/nagios/
|
||||
libexec/nagios/check_by_ssh
|
||||
libexec/nagios/check_clamd
|
||||
@ -50,6 +50,8 @@ libexec/nagios/negate
|
||||
libexec/nagios/urlize
|
||||
libexec/nagios/utils.pm
|
||||
libexec/nagios/utils.sh
|
||||
share/doc/nagios-plugins/
|
||||
share/doc/nagios-plugins/README.OpenBSD
|
||||
share/locale/
|
||||
share/locale/de/
|
||||
share/locale/de/LC_MESSAGES/
|
||||
|