[Nagiosplug-devel] [RFC] Plugins config file
John P. Rouillard
rouilj at cs.umb.edu
Mon Oct 16 18:40:29 CEST 2006
In message <Pine.LNX.4.62.0610160616580.10188 at sokol.elan.net>,
"william(at)elan.net" writes:
>
>On Mon, 16 Oct 2006, Andreas Ericsson wrote:
>
>> If an attacker has access to your system in a way that lets them list
>> processes of any arbitrary user, I fail to see how you could protect
>> this configuration file in a sane way.
>
>Common way to deal with this is to have option that reads additional
>arguments from specified file, i.e. it would be:
> Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count>
> -c <crit-count> [--config <config-file>]
>where the file would contain
> -d <dsn> -u <user> -p <pass>

Yup. Chmod the files mode 400 to the nagios user and delete them
afterwards. The stdin trick also works as data in a pipeline/here
document isn't readable w/o kernel or process access AFAIK.

>Another option is to have environment variables but not actually expand
>during call, i.e.
> check_db_query_rowcount -p '$DB_PASS' -u '$DB_USER' ...
>Be careful though to only read passed shell variables and not allow
>reading actual variables used in program.

But if the variables are in the process environment they can still be
seen easily.

-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
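
The --config approach discussed in this message, sketched as an added example that is not part of the original post or of the Nagios plugins code. The function names, the "--config -" convention for stdin and the sample credentials are assumptions made for illustration; the ownership and mode checks correspond to the "mode 400 to the nagios user" advice above.

```python
import os
import shlex
import stat
import sys
import tempfile

def load_secret_args(path):
    """Return the arguments stored in path; '-' means read them from stdin."""
    if path == "-":
        return shlex.split(sys.stdin.read())
    # Open first and fstat the descriptor, so the checks apply to the file
    # that is actually read. O_NOFOLLOW refuses a symlink as the final component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the plugin's user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other permission bits set")
        return shlex.split(fh.read())

def merge_args(argv):
    """Replace each '--config <file>' pair in argv with the file's arguments."""
    merged, args = [], iter(argv)
    for arg in args:
        if arg == "--config":
            path = next(args, None)
            if path is None:
                raise ValueError("--config requires a file name")
            merged.extend(load_secret_args(path))
        else:
            merged.append(arg)
    return merged

def demo():
    """Constructed sample: a mode-400 file holding made-up credentials."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("-d dbi:Pg:dbname=test -u nagios -p 's3cret pass'\n")
        os.chmod(path, 0o400)
        return merge_args(["-q", "select 1", "-w", "5", "--config", path])
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

With this layout the process list shows only the path given to --config, never the DSN, user name or password.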