Re: [Nagios-devel] [patch] nsca chroot() support
Posted: Sun Mar 12, 2006 4:17 am
On Sun, Mar 12, 2006 at 12:24:07PM +0100, Marc Haber wrote:
> If the inet daemon chroots before invoking nsca, all libraries and
> config files would need to be present in the chroot. I don't think
> this would be desirable.

yeah, upon further consideration i agree. looking at xinetd config
documentation i don't think there is a way to do this, and even if
there was, it would have the problems you mention.

but if we keep the chroot call in inetd mode there still exists a
problem in the sense that if run in inetd mode it probably won't have
the privilege level to chroot. or, if it does then it's running as
root but won't drop privileges afterwards--which would be worse
than not chrooting imho.

so, perhaps what would make the most sense is to attempt
to chroot as the patch does now, but also attempt to drop
privileges after the chroot. then, if the administrator
decides to have nsca chroot he/she can configure xinetd to
run nsca as root, and the chroot/user/group settings from
nsca.cfg will dictate what to do.

what do you think?

sean
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
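
The ordering proposed in the message above (chroot while still root, then drop to an unprivileged user and group), shown in C as an added example; it is not the nsca patch or any nsca code. The function `confine`, its result codes, the `/var/empty` path and uid/gid 65534 are assumptions made for illustration, and numeric ids are passed in because name lookups would need /etc/passwd inside the chroot.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

enum confine_result {
    CONFINE_OK = 0,
    CONFINE_ERR_ROOT_TARGET, /* refusing to "drop" to uid/gid 0 */
    CONFINE_ERR_CHROOT,      /* chroot() or chdir("/") failed (e.g. not root) */
    CONFINE_ERR_DROP,        /* setgroups/setgid/setuid failed */
    CONFINE_ERR_STILL_ROOT   /* root could be regained after the drop */
};

/* jail_dir, run_uid and run_gid stand in for values a daemon would read
 * from its config file before calling this; the names are hypothetical. */
enum confine_result confine(const char *jail_dir, uid_t run_uid, gid_t run_gid)
{
    /* A root process inside a chroot can escape it, so a non-root target is mandatory. */
    if (run_uid == 0 || run_gid == 0)
        return CONFINE_ERR_ROOT_TARGET;

    /* chroot needs root (CAP_SYS_CHROOT on Linux), so it must come before the drop. */
    if (chroot(jail_dir) != 0 || chdir("/") != 0)
        return CONFINE_ERR_CHROOT;

    /* Supplementary groups and gid first, uid last: after setuid()
     * the process may no longer be allowed to change its groups. */
    if (setgroups(0, NULL) != 0 || setgid(run_gid) != 0 || setuid(run_uid) != 0)
        return CONFINE_ERR_DROP;

    /* Verify the drop is permanent: regaining uid 0 must fail. */
    if (setuid(0) == 0 || getuid() != run_uid || geteuid() != run_uid)
        return CONFINE_ERR_STILL_ROOT;
    return CONFINE_OK;
}

int main(void)
{
    /* Constructed sample values; 65534 is assumed to be an unprivileged account. */
    enum confine_result r = confine("/var/empty", 65534, 65534);
    if (r != CONFINE_OK) {
        fprintf(stderr, "confinement failed (code %d), refusing to serve\n", r);
        return 1;
    }
    puts("confined: unprivileged and inside the chroot");
    return 0;
}
```

Treating every non-OK result as fatal matters: a daemon that continues after a failed chroot or a failed drop is running with more access than the administrator configured.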