[Nagiosplug-devel] Security discussion - don't run as root plugins

Olivier 'Babar' Raginel nagios at babar.us
Sun Jul 20 00:00:47 CEST 2008


On Sat, Jul 19, 2008 at 08:16:13PM +0200, Hendrik Bäcker wrote:
> I think there are only a few lines for this in C, some fewer lines in 
> perl if someone decides to "use Posix" in any perl plugins - that would 
> be another dependency for plugins that might not be wanted.

You don't have to use Posix to do setuid, but you do have to use 
suidperl. Something like $< = $>; should do the trick, but it is highly 
discouraged, as emphasized by Larry Wall:

"suidperl was a baaad idea" -- Larry Wall at YAPC::Europe 2005

As for the rest of the discussion, I think everybody agrees we should 
keep the number of suid plugins to a minimum (so raw socket or some 
other feature), and for the rest, encourage using some other ways (sudo 
might be a way, tuning group access or ACLs might be another one).

-- 
Babar.
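
Added example, not part of the original message and not code from the Nagios plugins project: a C sketch of the pattern the thread points at for a plugin that has to stay suid for a raw socket, doing the one privileged step first and then dropping privileges permanently and verifying the drop. The function names are hypothetical and the code assumes a set-uid root binary on a POSIX system.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical helper: permanently give up set-uid/set-gid privileges.
 * Returns 0 when real and effective ids match afterwards, -1 otherwise.
 * If root itself runs the plugin (real uid 0) there is nothing to drop to. */
int drop_suid_privileges(void)
{
    uid_t ruid = getuid();   /* the user who invoked the plugin */
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may no longer change gid. */
    if (setgid(rgid) != 0) return -1;
    /* With euid 0, setuid() resets real, effective and saved uid. */
    if (setuid(ruid) != 0) return -1;

    /* Verify the result instead of trusting the return codes. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* An unprivileged caller must not be able to get root back. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

/* Hypothetical helper: do the one privileged step (raw ICMP socket),
 * then drop. *fd_out is -1 if the socket could not be opened. */
int open_raw_then_drop(int *fd_out)
{
    *fd_out = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    return drop_suid_privileges();   /* drop even if socket() failed */
}

int main(void)
{
    int fd;
    if (open_raw_then_drop(&fd) != 0) {
        fprintf(stderr, "UNKNOWN: could not drop privileges\n");
        return 3;   /* Nagios plugin exit code for UNKNOWN */
    }
    if (fd < 0) {
        fprintf(stderr, "UNKNOWN: could not open raw socket\n");
        return 3;
    }
    /* ... the check itself runs here, unprivileged ... */
    printf("OK: raw socket open, euid=%d\n", (int)geteuid());
    close(fd);
    return 0;
}
```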



