[Nagiosplug-devel] Antwort: Re: Antwort: Security discussion - don't run as root plugins

Sascha.Runschke at gfkl.com Sascha.Runschke at gfkl.com
Mon Jul 21 11:16:39 CEST 2008


nagiosplug-devel-bounces at lists.sourceforge.net schrieb am 21.07.2008 
10:49:12:

> >    Don't do the same mistake and enforce your ideas on users.
> >    If someone wants to run as root - whatever her reason may be - then
> >    let her do so. If it was done by mistake - she learned something 
from
> >    it now (hopefully).
> >    The way to go is the un-intrusive way of privilege dropping.
> >    If a program does not need root privileges, it should drop them and
> >    in my opinion that's the responsibility of the author.
> 
> I'd rather go the "munin" way:
> # /usr/bin/munin-cron
> You are running this program as root, which is neither smart nor 
necessary.
> If you really want to run it as root, use the --force-root option. Else, 
run
> it as the user "munin". Aborting.
> 
> Clear, self-explanatory, concise, but still flexible.

I do not agree on that. It will break quite a few setups.
That would require defining different checks for different machines,
if you have some where you connect as root and some where you connect
as nagios or even different user. That quite normal if you monitor
machines of other companies...

S

-- 
Sascha Runschke
Netzwerk-  und  Systemmanagement
Telefon : +49 (201) 102-1879 Mobil : +49 (173) 5419665 Fax : +49 (201) 
102-1102105



GFKL Financial Services AG
Vorstand: Dr. Peter Jänsch (Vors.), Jürgen Baltes, Dr. Till Ergenzinger, Dr. Tom Haverkamp
Vorsitzender des Aufsichtsrats: Dr. Georg F. Thoma
Sitz: Limbecker Platz 1, 45127 Essen, Amtsgericht Essen, HRB 13522
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nagios-plugins.org/archive/devel/attachments/20080721/32bb3570/attachment.html>


More information about the Devel mailing list