[Nagiosplug-devel] [RFC] Plugins config file

william(at)elan.net william at elan.net
Mon Oct 16 15:36:52 CEST 2006


On Mon, 16 Oct 2006, Andreas Ericsson wrote:

> If an attacker has access to your system in a way that lets them list
> processes of any arbitrary user, I fail to see how you could protect
> this configuration file in a sane way.

A common way to deal with this is to have an option that reads additional
arguments from a specified file, i.e. it would be:
    Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count>
              -c <crit-count> [--config <config-file>]
where the file would contain
   -d <dsn> -u <user> -p <pass>

Another option is to have environment variables but not actually expand
them during the call, i.e.
    check_db_query_rowcount -p '$DB_PASS' -u '$DB_USER' ...
Be careful though to only read passed shell variables and not allow
reading actual variables used in the program.


The processing of command-line options in one or both ways above could
potentially be done by an optional plugin library and not be something
each plugin writer has to worry about - this would in fact make it
simple to further expand to a common format config file for plugins.

-- 
William Leibzon
Elan Networks
william at elan.net
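
Both approaches from this message, combined into the kind of shared helper it suggests, so that the process list shows only `--config <file>` or a literal `$DB_PASS` rather than the secret. This is an added example, not code from the post or from the Nagios plugins project; the names `read_args_file` and `expand_args`, the file-permission check and the rule that a value must be exactly `$NAME` are assumptions of the example.

```python
import os
import re
import shlex
import stat

ENV_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")  # exactly $NAME, nothing else


def read_args_file(path):
    """Return the arguments stored in path; refuse loosely protected files."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)  # inspect the file actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"{path}: not a regular file")
        if st.st_mode & 0o077:
            raise PermissionError(f"{path}: accessible by group or others")
        with os.fdopen(fd, "r") as fh:
            fd = None  # fh now owns the descriptor
            return shlex.split(fh.read(), comments=True)
    finally:
        if fd is not None:
            os.close(fd)


def expand_args(argv, environ=None):
    """Splice in --config file arguments, then resolve '$NAME' values."""
    environ = os.environ if environ is None else environ
    spliced, i = [], 0
    while i < len(argv):
        if argv[i] == "--config":
            if i + 1 >= len(argv):
                raise ValueError("--config needs a file name")
            spliced.extend(read_args_file(argv[i + 1]))
            i += 2
        else:
            spliced.append(argv[i])
            i += 1
    resolved = []
    for arg in spliced:
        m = ENV_REF.fullmatch(arg)
        if m is None:
            resolved.append(arg)
        elif m.group(1) in environ:
            # Only the environment mapping is consulted: no eval, no program variables.
            resolved.append(environ[m.group(1)])
        else:
            raise KeyError(f"environment variable {m.group(1)} is not set")
    return resolved
```

A plugin would call `expand_args(sys.argv[1:])` before its normal option parsing; a password that itself has the form `$NAME` cannot be passed literally under this rule and would have to go in the arguments file.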