Page 1 of 1
Default root plugins
Posted: Tue Jul 28, 2015 12:54 pm
by pamplifier
I'm trying to build a plugin that requires root privileges to successfully run. So far
this has been helpful in making it work.
...
Option Three (Best):
Give the nagios user sudo access to run one command in this example the command is "lsof" and add "sudo" in the plugin script before the command you want to run.
# Add nagios to sudoers
vi /etc/sudoers
# nagios check (/usr/lib/nagios/plugins/check_user_openfiles)
nagios ALL=NOPASSWD: /bin/lsof
# In your script add "sudo" before the command.
sudo lsof | grep blah
However, I'm curious how the default Nagios plugins that need root privileges (check_dhcp and check_icmp) work and run successfully without doing anything with sudoers. Can anyone help me understand?
EDIT: meant root, not 'doot'
Re: Default doot plugins
Posted: Tue Jul 28, 2015 12:59 pm
by tmcdonald
suid bit:
http://unix.stackexchange.com/questions ... t-properly
Code: Select all
root@localhost: /tmp/nagiosxi
$ ls -l /usr/local/nagios/libexec/check_icmp
-r-sr-xr-x 1 root root 181971 Feb 6 10:55 /usr/local/nagios/libexec/check_icmp
Was going to post in the other thread but I didn't hear back from you so it slipped my mind:
https://support.nagios.com/forum/viewto ... 6&start=10
Just be careful. suid means that plugin runs as root, so if there are vulnerabilities you are potentially opening yourself up to attack.
Re: Default doot plugins
Posted: Tue Jul 28, 2015 1:18 pm
by pamplifier
Thanks! I wasn't sure if I should have kept this question in the other thread, that's why I decided to make a new one in the specific Plugins forum.
I am worried about it as well, would the sudoers method be "safer"? Or am I just asking for trouble by needing root access in the first place?
Re: Default doot plugins
Posted: Tue Jul 28, 2015 1:21 pm
by tmcdonald
/etc/sudoers is probably safer, because then you are saying "This specific user can run exactly these commands as root" whereas setting the binary to run as root allows *anyone* to run it and get root permissions. But yes, in either case you do assume some risk. A possibly safer route still would be to set up your syslog daemon to copy all messages matching a certain pattern (or involving a certain service/daemon/program) to log to a file that nagios would have access to, then running the plugin against that.
Re: Default root plugins
Posted: Mon Aug 10, 2015 9:44 am
by pamplifier
Decided to go the sudoers route for now, and it works great! I just have to make sure everything is closed off to possible attacks and abuse of the root privileges. Thank you!
seteuid might be useful later on, though I don't trust myself to get it exactly right at the moment, so I'm putting that method on the back-burner.
Re: Default root plugins
Posted: Mon Aug 10, 2015 10:25 am
by tmcdonald
seteuid is nice for when you want the binary to drop privileges no matter what the suid bit is set to, who owns it, etc. There are of course some restrictions (I don't believe a binary run by nagios can
seteuid to root, for example) but it's pretty straight-forward once you get it working.
pamplifier wrote:I just have to make sure everything is closed off to possible attacks and abuse of the root privileges.
Having just come back from a security conference, I can assure you this is pretty hard to get right 100% of the time even by the most seasoned coders :)
That being said, are we all clear to close this up?
Re: Default root plugins
Posted: Mon Aug 10, 2015 10:30 am
by pamplifier
Yes, this can be closed. Thank you for helping me! My other
thread can be closed too, I think