Thanks everyone for the responses. The 'systrace' thing went over my head I'm afraid and the Solaris man page for that command isn't helping me much.<br><br>To make things clearer, the setup I'm proposing is this:<br><br>1. # /usr/local/sbin/visudo
<br>...<br>nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg<br><br>2. # vi /usr/local/nagios/etc/nrpe.cfg<br>...<br>command[check_logfiles]=/usr/local/bin/sudo /usr/local/nagios/libexec/check_logfiles -f /usr/local/nagios/etc/check_logfiles.cfg
<br><br>3. # grep nagios /etc/passwd<br>nagios:x:1123:100:Nagios Remote User:/usr/local/nagios:/usr/bin/bash<br><br>Note to Hari: my understanding is that sudo won't work for account that doesn't have a valid shell. Certainly all my testing led me to that conclusion.
<br><br>4. # passwd -l nagios<br><br>It's not clear to me exactly what the security risk is. The idea is that someone may gain access to an unprivileged account on the system and then use this access and this Nagios plugin to cause mailicious damage? Or to break the root account? In which case, it would all come down to how secure the code of the plugin is. Is this correct?
<br><br>Kind Regards,<br>Alex<br><br><div><span class="gmail_quote">On 9/1/06, <b class="gmail_sendername">julien Touche</b> <<a href="mailto:julien.touche@touche.fr.st">julien.touche@touche.fr.st</a>> wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Alexander Harvey wrote on 31/08/2006 16:10:<br>> I have a difficult customer who won't sign off changes based on the
<br>> security<br>> risk using suid plugins, for example, check_logfiles. What does one do<br>> about<br>> this situation?<br><br>$ cat /usr/local/share/doc/nagios-plugins/README.OpenBSD<br>Some nagios plugins need elevated privileges to run properly. As the code
<br>quality of these plugins is not really good, they are not installed suid<br>root by default, but instead I suggest running them with systrace's<br>privilege elevation feature. This way they are run as _nagios, but single
<br>syscalls are run as root.<br><br>1) Create a preliminary systrace policy for the plugin.<br><br># cd ${PREFIX}/libexec/nagios<br># systrace -A -d /tmp ./<plugin> <plugin arguments><br><br>This creates a policy for the plugin <plugin> in /tmp.
<br><br>2) Refine the policy and configure privilege elevation as required. This<br>is an example, permitting the bind(2) syscall as root.<br><br>native-bind: sockaddr eq "inet-[<a href="http://0.0.0.0">0.0.0.0</a>]:68" then permit as root
<br><br>3) Copy the systrace policy to /etc/systrace.<br><br>4) Run visudo as root and configure sudo for user _nagios like this.<br><br>_nagios ALL=NOPASSWD: /bin/systrace -a -c 550\:550 \<br> ${PREFIX}/libexec/nagios/<plugin> <plugin arguments>
<br><br>5) Configure the respective command in nagios.<br><br>define command {<br> command_name check_dhcp<br> command_line sudo /bin/systrace -a -c 550:550 $USER1$/<plugin><br><plugin arguments>
<br>}<br><br>6) In case of problems, systrace will log to /var/log/messages.<br><br>Regards<br><br><br> Julien<br><br></blockquote></div><br>