[Nagiosplug-devel] check_ping and check_icmp confusion
Andreas Ericsson
ae at op5.se
Wed Feb 22 11:10:04 CET 2006
Jason Crawford wrote:
> On 2/22/06, gh <gh at 3gupload.com> wrote:
>
>>On Wed, 2006-02-22 at 18:36 +0100, Andreas Ericsson wrote:
>>
>>>gh wrote:
>>>>From what I can tell check_ping has been deprecated in favor of
>>>>check_icmp. Is this the case or are there certain systems or conditions
>>>>that make check_ping favorable or even necessary?
>>>>
>>>
>>>check_icmp had some problems on systems with 32-bit process id's in the
>>>early days (causing it to mark the packets wrong and then not
>>>recognizing them when they returned). It also used to calculate timings
>>>slightly wrong. Both those problems are solved long since, however. Now
>>>there are no real reasons to use check_ping instead of check_icmp.
>>>
>>
>>What do people think about just dropping check_ping from the next
>>version of the plugins package to avoid all this unnecessary confusion
>>that is evident on the mailing lists and replace it with a symlink to
>>check_icmp for backwards compatibility?
>>
>
>
> I just don't like the fact that check_icmp must be setuid root or run
> as root. Personally, I like to have as few setuid binaries as possible
> on my system, as well as little running as root as possible
This is both sane and wise.
> (in order
> to run check_icmp as root, the parent nagios stuff must be running as
> root as well).
This is a downright lie. setuid binaries are executed with the
permissions of the owner of the file. Nagios does *not* have to run as
root (otherwise check_ping would fail as well).
> The great thing about check_ping is that it uses the
> already setuid ping binary.
>
Arguably, that's a worse setup since /bin/ping is executable by every
user on the system (normally), while there's no reason for check_icmp to be.
If you do
# chown root:nagios check_icmp
# chmod 4710 check_icmp
and then set the nagios user's shell to /bin/false (and of course make
sure there are no other users in the nagios group), you have a much
safer setup than if you use check_ping to invoke /bin/ping.
On a side note, both ping and check_icmp drop their root-privileges
(unless run as root, anyways) immediately after obtaining the raw socket
necessary to send layer 2 packets.
However, if this is a very large concern for lots of people I could make
check_icmp do all its work inside a chroot(2) jail. Then you'd be safer
running check_icmp than /bin/ping.
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
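
The setup described in the message above (owner root, group nagios, mode 4710, shell /bin/false, no other users in the nagios group) can be verified with a short audit script. This is an added example, not part of the original message or of the plugins package; the function names and the GNU `stat -c` format are assumptions. It goes one step beyond the message by also counting accounts whose primary GID is the nagios group, since those are group members without appearing in the group file's member list.

```shell
#!/bin/sh
# Added example: audit the check_icmp setup described in the message above.
# Function names are hypothetical; they are not part of the plugins package.

# check_perms "<owner>:<group> <octal mode>"
# The argument is the output of: stat -c '%U:%G %a' FILE   (GNU stat)
check_perms() {
    [ "$1" = "root:nagios 4710" ] && return 0
    echo "FAIL: expected root:nagios 4710, got $1" >&2
    return 1
}

# check_account PASSWD_FILE GROUP_FILE
# Passes only if user nagios has shell /bin/false and is the sole member of
# group nagios, counting both the member list in the group file and every
# account whose primary GID is the nagios GID.
check_account() {
    passwd_file=$1 group_file=$2 rc=0
    gid=$(awk -F: '$1 == "nagios" { print $3 }' "$group_file")
    [ -n "$gid" ] || { echo "FAIL: no nagios group" >&2; return 1; }

    shell=$(awk -F: '$1 == "nagios" { print $7 }' "$passwd_file")
    [ "$shell" = "/bin/false" ] || { echo "FAIL: nagios shell is '$shell'" >&2; rc=1; }

    listed=$(awk -F: '$1 == "nagios" { print $4 }' "$group_file" | tr ',' '\n')
    primary=$(awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file")
    for u in $listed $primary; do
        [ "$u" = "nagios" ] || { echo "FAIL: extra group member: $u" >&2; rc=1; }
    done
    return $rc
}

# audit_check_icmp PLUGIN_PATH: run both checks against the live system.
audit_check_icmp() {
    check_perms "$(stat -c '%U:%G %a' "$1")" &&
        check_account /etc/passwd /etc/group
}
```

Call `audit_check_icmp` with the installed path of check_icmp; it returns non-zero and prints each failed condition to stderr.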