Notification issues
Andreas Ericsson
ae at op5.se
Wed Feb 16 13:52:05 CET 2005
Michael Medin wrote:
> Hi,
>
> I tried this but it needed to be run as root so should I a+s and chown
> the file to root or is there some better (as in more secure) way to
> handle it?
The paranoid way of setting suid root on a program goes as follows:
chmod 000 check_icmp            # nobody can execute it while ownership changes
chown root:nagios check_icmp    # owner root, group nagios
chmod 4710 check_icmp           # setuid root; executable only by root and group nagios
> Root suid sounds dangerous to me...
>
That depends on the program having the honor. For check_icmp, it's
really quite safe.
check_icmp obtains the raw socket prior to parsing any input at all and
then immediately drops privileges (in case it isn't run by root in the
first place).
During run-time it implements a whitelist of what kind of network
retrieved responses it will handle, copies nothing of it anywhere (no
remotely triggered buffer overflows) and doesn't ever point beyond
packet boundaries (no harmless sigsegv's either).
The only way anyone can cause it to sigsegv is by injecting bogus but
carefully calculated packets into kernel memory and then making the kernel
believe they actually arrived on the socket assigned to whatever pid
check_icmp might have.
This would require a fairly extensive kernel rewrite and root
privileges. Even then the sigsegv would be due to a read-only request on
out-of-bounds memory (i.e. non-exploitable).
I believe I have commented on the security features in the code so that
others may find it and comment on it easily (and so that no idiot will
remove them should he decide to improve on it).
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Lead Developer
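The pattern Andreas describes (take the raw socket while still euid 0, drop root permanently before touching any input, then parse replies against a type whitelist with every offset bounds-checked and nothing copied) as an added example in C. This is illustrative code written for this page, not code from check_icmp or the Nagios plugins. It assumes a Linux-style raw ICMP socket that delivers the IPv4 header along with the ICMP message, a setuid-root binary started by an unprivileged user, and a constructed sample echo reply for the parser; the function names open_raw_icmp, drop_privileges and parse_icmp_reply are the example's own.

```c
#include <grp.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: acquire the only privileged resource while euid is still 0.
 * No attacker-controlled bytes have been looked at yet. */
int open_raw_icmp(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);  /* -1 with errno if not root */
}

/* Step 2: give up root for good (real, effective and saved ids), then
 * verify that regaining it is impossible. 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* shed supplementary groups */
        return -1;
    if (setgid(rgid) != 0)   /* group first, while root is still available */
        return -1;
    if (setuid(ruid) != 0)   /* privileged setuid() sets all three uids */
        return -1;
    /* If we were started by a non-root user, re-escalation must now fail. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* The whitelist: ICMP types the program is willing to act on. */
enum { ICMP_ECHO_REPLY = 0, ICMP_DEST_UNREACH = 3, ICMP_TIME_EXCEEDED = 11 };

struct icmp_reply {
    uint8_t type, code;
    uint16_t id, seq;   /* echo id/seq; for error types this is the unused word */
};

/* RFC 1071 internet checksum over the ICMP bytes; 0 means it verifies. */
static uint16_t inet_checksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; n -= 2, p += 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (n == 1)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Step 3: parse one datagram as read from the raw socket. Every index is
 * checked against len before the byte is read; the packet is never copied.
 * Returns 0 and fills *out, or -1 for anything malformed or not whitelisted. */
int parse_icmp_reply(const uint8_t *buf, size_t len, struct icmp_reply *out)
{
    if (buf == NULL || out == NULL || len < 20 || (buf[0] >> 4) != 4)
        return -1;                                   /* not a complete IPv4 header */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;        /* header may carry options */
    if (ihl < 20 || ihl + 8 > len || buf[9] != IPPROTO_ICMP)
        return -1;                                   /* need the full 8-byte ICMP header */
    const uint8_t *icmp = buf + ihl;
    if (inet_checksum(icmp, len - ihl) != 0)
        return -1;                                   /* corrupt or forged */
    switch (icmp[0]) {
    case ICMP_ECHO_REPLY: case ICMP_DEST_UNREACH: case ICMP_TIME_EXCEEDED:
        break;
    default:
        return -1;                                   /* not on the whitelist: dropped */
    }
    out->type = icmp[0];
    out->code = icmp[1];
    out->id  = (uint16_t)(icmp[4] << 8 | icmp[5]);
    out->seq = (uint16_t)(icmp[6] << 8 | icmp[7]);
    return 0;
}

/* Constructed sample (not captured traffic): 20-byte IPv4 header from
 * 10.0.0.1 to 10.0.0.2, then a 16-byte echo reply with id 0x1234, seq 1 and
 * 8 bytes of zero payload. ICMP checksum 0xedca; IP checksum left 0 because
 * the kernel has already verified it before handing the packet to us. */
static const uint8_t sample_reply[36] = {
    0x45, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x00, 0x00, 0xed, 0xca, 0x12, 0x34, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    struct icmp_reply r;
    int fd = open_raw_icmp();                /* fails unless euid is 0 */
    if (fd < 0)
        perror("socket(SOCK_RAW)");          /* parser demo still runs below */
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %d, raw socket fd %d\n", (int)getuid(), fd);
    if (parse_icmp_reply(sample_reply, sizeof sample_reply, &r) == 0)
        printf("echo reply id=0x%04x seq=%u\n", r.id, r.seq);
    return 0;
}
```

The order matters: the socket is the only thing root is needed for, so it is taken first and root is discarded before the first byte of network input is examined. The parser rejects a truncated datagram (IP header length plus 8 exceeding len), a bad checksum, and any type outside the whitelist, and reads id and seq in place rather than copying the packet into a local buffer.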