--24zk1gE8NUlDmwG9
Content-Type: multipart/mixed; boundary="h31gzZEtNLTqOjlF"
Content-Disposition: inline
--h31gzZEtNLTqOjlF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
hi ethan et al,
attached is a an initial patch which gives nsca the ability to
perform a chroot() before dropping privileges when in daemon
mode. the patch basically does the following:
- provide a new nsca.cfg option nsca_chroot_dir
- split the drop_privileges function into two logical parts: the part
that gets the user/group info and the part that actually does the
dropping. this is necessary because in most cases it's impossible
to get the user/group info after chrooting, and chrooting needs to
be done before privileges are dropped.
- introduce a do_chroot function which uh, does the chrooting if the
configuration option is specified. nsca exits with an error if the
chroot fails.
also, while making this patch, i've noticed the following:
- there seems to be a mishmash of spaces and tabs used for indentation.
which should i use? i fear i have only added to the mishmash but
have tried to minimize the size of the diff at least.
- currently nsca does not exit with an error if it fails to drop
privileges. is this intentional?
anyway, please let me know if you see any issues with this patch.
thanks,
sean
--h31gzZEtNLTqOjlF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="05_nsca_chroot.dpatch"
Content-Transfer-Encoding: quoted-printable
#! /bin/sh /usr/share/dpatch/dpatch-run
## 05_nsca_chroot.dpatch by
##
## DP: provide support for chrooting when in daemon mode.
@DPATCH@
diff -urNad --exclude=3DCVS --exclude=3D.svn ./sample-config/nsca.cfg.in /h=
ome/sean/tmp/dpep-work.v8Tmq4/nsca-2.5/sample-config/nsca.cfg.in
--- ./sample-config/nsca.cfg.in 2006-03-12 11:40:20.000000000 +0100
+++ /home/sean/tmp/dpep-work.v8Tmq4/nsca-2.5/sample-config/nsca.cfg.in 2006=
-03-12 11:40:20.000000000 +0100
@@ -42,6 +42,16 @@
=20
nsca_group=3D@nsca_grp@
=20
+# NSCA CHROOT
+# If specified, determines a directory into which the nsca daemon
+# will perform a chroot(2) operation before dropping its privileges.
+# for the security conscious this can add a layer of protection in
+# the event that the nagios daemon is compromised. =20
+#=20
+# NOTE: if you specify this option, the command file will be opened
+# relative to this directory.
+
+#nsca_chroot=3D/var/run/nagios/rw
=20
=20
# DEBUGGING OPTION
diff -urNad --exclude=3DCVS --exclude=3D.svn ./src/nsca.c /home/sean/tmp/dp=
ep-work.v8Tmq4/nsca-2.5/src/nsca.c
--- ./src/nsca.c 2006-03-12 11:40:20.000000000 +0100
+++ /home/sean/tmp/dpep-work.v8Tmq4/nsca-2.5/src/nsca.c 2006-03-12 11:41:50=
=2E000000000 +0100
@@ -40,8 +40,11 @@
static int open_command_file(void);
static void close_command_file(void);
static void install_child_handler(void);
-static int drop_privileges(char *,char *);
+static int get_user_info(const char *, uid_t *);
+static int get_group_info(const char *, gid_t *);
+static int drop_privileges(const char *,uid_t,gid_t);
static int write_check_result(char *,char *,int,char *,time_t);
+static void do_chroot(void);
static void do_exit(int);
=20
static enum { OPTIONS_ERROR, SINGLE_PROCESS_DAEMON, MULTI_PROCESS_DAEMON, =
INETD } mode=3DSINGLE_PROCESS_DAEMON;
@@ -54,6 +57,8 @@
char *nsca_user=3DNULL;
char *nsca_group=3DNULL;
=20
+char *nsca_chroot=3DNULL;
+
int show_help=3DFALSE;
int show_license=3DFALSE;
int show_version=3DFALSE;
@@ -88,6 +93,8 @@
int main(int argc, char **argv){
char buffer[MAX_INPUT_BUFFER];
int result;
+ uid_t uid=3D-1;
+ gid_t gid=3D-1;
=20
=20
/* process command-line arguments */
@@ -143,7 +150,7 @@
=20
=20
/* open a connection to the syslog facility */
- openlog("nsca",LOG_PID,LOG_DAEMON);=20
+ openlog("nsca",LOG_PID|LOG_NDELAY,LOG_DAEMON);=20
=20
/* make sure the config file uses an absolute path */
if(config_file[0]!=3D'/'){
@@ -180,6 +187,9 @@
switch(mode){
=20
case INETD:
+ /* chroot if configured */
+ do_chroot();
+
/* if we're running under inetd, handle o
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]