[Nagiosplug-devel] Security discussion - don't run as root plugins

Hendrik Bäcker andurin at process-zero.de
Fri Jul 18 20:46:27 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Hi List,

just a few moments ago I've read a question by a user if it would be a 
problem to run the nagios plugins with root right via check_by_ssh.

Yes - I laughed too as I read that. But in the following discussion it 
clears up - they already have a spreaded root ssh key on most of their 
systems and are to lazy to establish an unprivileged 'nagios' user on 
their systems - so they would run them as root.

I know, security awareness should be part of the persons who are using 
the tools, scripts and programs - but 80% of security holes came from 
people who didn't know what they are doing.

Without starting a flame on this topic I would like to ask what do you 
think of some security benefits like:

* don't run the code if UID is 0: Hard but effective - check uid and 
abort with a warning.
* try to drop the privileges to the givven user by the configure run as 
a hard coded option

I am not stupid enough to run my plugins with root privileges - but 
there are thousand of users out their who won't know what they're doing.

Regards,
Hendrik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
 
iD8DBQFIgOUDlI0PwfxLQjkRAse1AJ9BXDL40w3UgztEgOjBGWkkiC2DowCfYdlZ
/ycNK7edoC7q1ehWNo//LvM=
=dBD2
-----END PGP SIGNATURE-----





More information about the Devel mailing list