[Nagiosplug-devel] [RFC] Plugins config file
william(at)elan.net
Mon Oct 16 15:36:52 CEST 2006
On Mon, 16 Oct 2006, Andreas Ericsson wrote:
> If an attacker has access to your system in a way that lets them list
> processes of any arbitrary user, I fail to see how you could protect
> this configuration file in a sane way.
A common way to deal with this is to have an option that reads additional
arguments from a specified file, i.e. it would be:

  Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count>
         -c <crit-count> [--config <config-file>]

where the file would contain

  -d <dsn> -u <user> -p <pass>

Another option is to have environment variables but not actually expand
them during the call, i.e.

  check_db_query_rowcount -p '$DB_PASS' -u '$DB_USER' ...

Be careful though to only read passed shell variables and not allow
reading actual variables used in the program.

The processing of command-line options in one or both ways above could
potentially be done by an optional plugin library and not something
each plugin writer has to worry about - this would in fact make it
simple to further expand to a common-format config file for plugins.
--
William Leibzon
Elan Networks
william at elan.net
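
Both approaches from the message above, as an added C example that is not part of the original post or of the Nagios plugins code. The function names resolve_env_arg and load_extra_args are hypothetical, and refusing a file that group or others can access is an assumption added here so the secret stays out of both the process list and other users' reach.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Resolve a literal "$NAME" argument from the process environment only
 * (never from program variables). Other arguments are returned unchanged;
 * a malformed name or an unset variable yields NULL. */
const char *resolve_env_arg(const char *arg)
{
    if (arg[0] != '$')
        return arg;
    if (!isalpha((unsigned char)arg[1]) && arg[1] != '_')
        return NULL;
    for (const char *p = arg + 1; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return NULL;
    return getenv(arg + 1);
}

/* Read whitespace-separated extra arguments from path into out[].
 * Returns the count, or -1 if the file cannot be opened, is not a regular
 * file, or has any group/other permission bits (checked on the open fd). */
int load_extra_args(const char *path, char *out[], int max)
{
    struct stat st;
    char line[1024];
    int n = 0;
    FILE *fp = fopen(path, "r");
    if (!fp)
        return -1;
    if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IRWXG | S_IRWXO))) {
        fclose(fp);
        return -1;
    }
    while (fgets(line, sizeof line, fp))
        for (char *tok = strtok(line, " \t\r\n"); tok && n < max;
             tok = strtok(NULL, " \t\r\n"))
            out[n++] = strdup(tok);
    fclose(fp);
    return n;
}

int main(int argc, char **argv)
{
    char *extra[32];
    return argc > 1 && load_extra_args(argv[1], extra, 32) >= 0 ? 0 : 1;
}
```

Values containing whitespace cannot be expressed in this file format, since tokens are split on spaces and tabs.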