[Nagiosplug-devel] Antwort: Security discussion - don't run as root plugins

Olivier 'Babar' Raginel nagios at babar.us
Mon Jul 21 10:49:12 CEST 2008


On Mon, Jul 21, 2008 at 10:27:53AM +0200, Sascha.Runschke at gfkl.com wrote:
>    Don't do the same mistake and enforce your ideas on users.
>    If someone wants to run as root - whatever her reason may be - then
>    let her do so. If it was done by mistake - she learned something from
>    it now (hopefully).
>    The way to go is the un-intrusive way of privilege dropping.
>    If a program does not need root privileges, it should drop them and
>    in my opinion that's the responsibility of the author.

I'd rather go the "munin" way:
# /usr/bin/munin-cron
You are running this program as root, which is neither smart nor necessary.
If you really want to run it as root, use the --force-root option. Else, run
it as the user "munin". Aborting.

Clear, self-explanatory, concise, but still flexible.

Just my 2 cts.

-- 
Babar.




More information about the Devel mailing list