[Nagiosplug-devel] check_ping and check_icmp confusion

[Andreas Ericsson]

Jason Crawford wrote:
> On 2/22/06, gh <gh at 3gupload.com> wrote:
> 
>>On Wed, 2006-02-22 at 18:36 +0100, Andreas Ericsson wrote:
>>
>>>gh wrote:
>>>>From what I can tell check_ping has been deprecated in favor of
>>>
>>>>check_icmp. Is this the case or are there certain systems or conditions
>>>>that make check_ping favorable or even necessary?
>>>>
>>>
>>>check_icmp had some problems on systems with 32-bit process id's in the
>>>early days (causing it to mark the packets wrong and then not
>>>recognizing them when they returned). It also used to calculate timings
>>>slightly wrong. Both those problems are solved long since, however. Now
>>>there are no real reasons to use check_ping instead of check_icmp.
>>>
>>
>>What do people think about just dropping check_ping from the next
>>version of the plugins package to avoid all this unnecessary confusion
>>that is evident on the mailing lists and replace it with a symlink to
>>check_icmp for backwards compatibility?
>>
> 
> 
> I just don't like the fact that check_icmp must be setuid root or run
> as root. Personally, I like to have as few setuid binaries as possible
> on my system, as well as little running as root as possible

This is both sane and wise.

> (in order
> to run check_icmp as root, the parent nagios stuff must be running as
> root as well).


This is a downright lie. setuid binaries are executed with the 
permissions of the owner of the file. Nagios does *not* have to run as 
root (otherwise check_ping would fail as well).


> The great thing about check_ping is that it uses the
> already setuid ping binary.
> 

Arguably, that's a worse setup since /bin/ping is executable by every 
user on the system (normally), while there's no reason for check_icmp to be.

If you do
	# chown root:nagios check_icmp
	# chmod 4710 check_icmp

and then set the nagios users shell to /bin/false (and ofcourse make 
sure there are no other users in the nagios group), you have a much 
safer setup than if you use check_ping to invoke /bin/ping.

On a side note, both ping and check_icmp drop their root-privileges 
(unless run as root, anyways) immediately after obtaining the raw socket 
necessary to send layer 2 packets.

However, if this is a very large concern for lots of people I could make 
check_icmp do all its work inside a chroot(2) jail. Then you'd be safer 
running check_icmp than /bin/ping.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231