Re: [Nagios-devel] Security Concerns about the nsca daemon
Posted: Tue Feb 21, 2006 8:42 am
On Tue, Feb 21, 2006 at 05:35:53PM +0100, Andreas Ericsson wrote:
> Marc Haber wrote:
> >On Tue, Feb 21, 2006 at 03:34:22PM +0100, Andreas Ericsson wrote:
> >
> >>Marc Haber wrote:
> >>
> >>>The directory to chroot to should be configurable at compile time to
> >>>help FHS-compliant distributions. On Debian, the directory to use
> >>>would be /var/run/nsca, by example of sshd.
> >>>
> >>
> >>At run-time, I'd say.
> >
> >
> >Even better, one would have to worry about input processing though.
> >
>
> Not sure I follow you there.
A compile-time setting will end up in a #define, so one can assume
that whatever is there isn't maliciously set. For a run-time setting,
one must verify that the parameter is acutally a valid path name, that
no wildcard or relative path stunts are pulled, and one needs to go
through the hassle of string handling in C, which is always a source
for buffer overflow errors, which will have bad consequences at the
time of option parsing since we are not yet chrooted and still hold
root privileges at that point.
> >>>As sean has already said, this breaks as soon as the nagios daemon
> >>>re-creates the named pipe for some reason.
> >>
> >>True. That means setting the jail-dir at compile-time goes out the
> >>window though. It would be better to grok the jail from the nagios
> >>config file.
> >
> >That, however, rules out the possible simplest implementation of
> >allowing multiple command_file directives in nagios.cfg since nsca
> >won't be able to grok its chroot location from there.
>
> But if we do this there's no need to support multiple command_file
> directives. It's the cleanest solution.
Having multiple command_file directives is desireable, IMO, since one
could then run multiple instances of programs that can deliver
external commands (web, wap, nsca, e-mail, irc etc) to nagios, all of
them potentially chrooted. It's like adapting nagios for a general
thing, not just for nsca.
otoh, all of these interfaces could lead to send_nsca being called,
which would reduce the number of nagios interfaces to one: nsca.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
> Marc Haber wrote:
> >On Tue, Feb 21, 2006 at 03:34:22PM +0100, Andreas Ericsson wrote:
> >
> >>Marc Haber wrote:
> >>
> >>>The directory to chroot to should be configurable at compile time to
> >>>help FHS-compliant distributions. On Debian, the directory to use
> >>>would be /var/run/nsca, by example of sshd.
> >>>
> >>
> >>At run-time, I'd say.
> >
> >
> >Even better, one would have to worry about input processing though.
> >
>
> Not sure I follow you there.
A compile-time setting will end up in a #define, so one can assume
that whatever is there isn't maliciously set. For a run-time setting,
one must verify that the parameter is acutally a valid path name, that
no wildcard or relative path stunts are pulled, and one needs to go
through the hassle of string handling in C, which is always a source
for buffer overflow errors, which will have bad consequences at the
time of option parsing since we are not yet chrooted and still hold
root privileges at that point.
> >>>As sean has already said, this breaks as soon as the nagios daemon
> >>>re-creates the named pipe for some reason.
> >>
> >>True. That means setting the jail-dir at compile-time goes out the
> >>window though. It would be better to grok the jail from the nagios
> >>config file.
> >
> >That, however, rules out the possible simplest implementation of
> >allowing multiple command_file directives in nagios.cfg since nsca
> >won't be able to grok its chroot location from there.
>
> But if we do this there's no need to support multiple command_file
> directives. It's the cleanest solution.
Having multiple command_file directives is desireable, IMO, since one
could then run multiple instances of programs that can deliver
external commands (web, wap, nsca, e-mail, irc etc) to nagios, all of
them potentially chrooted. It's like adapting nagios for a general
thing, not just for nsca.
otoh, all of these interfaces could lead to send_nsca being called,
which would reduce the number of nagios interfaces to one: nsca.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]