[Nagiosplug-devel] restricted shell for nagios checks

Martin.Gerdes at directbox.com Martin.Gerdes at directbox.com
Fri Nov 7 15:46:25 CET 2008


I wanted to use ssh to execute checkscripts (and evaluate their results).
But I didn't want to give that account a full shell,
since it isn't necessary for the task, and a risk.
So what I decided to do was to write a wrapper to execute the individual
scripts, and set it as the shell:

in /etc/passwd of the client:
nagios:x:9000:9000::/home/nagios:/home/nagios/executeCheck.sh

========executeCheck.sh:=======
#!/bin/bash

#first parameter is '-c', which we skip
shift 1

CMD="`echo "$1" | cut -d ' ' -f1`"
CMD_DIR="/home/nagios/plugins"

#make sure check name is benign and exists
if [ ! "`echo "$CMD" | egrep '^[a-zA-Z0-9_\.-]+$'`" ] || \
		[ ! -e "$CMD_DIR/$CMD" ] ; then
	echo "unknown check '$CMD'"
	exit 3
fi

#protect checks from weird parameters
if [ ! "`echo "$1" | egrep '^[a-zA-Z0-9_%,\./ -]+$'`" ] ; then
	echo "command '$1' contains illegal characters"
	exit 3
fi

#execute command
"$CMD_DIR/"$1

===============================

To execute a check, the nagios server calls ssh -q check_... <parameters>
If a file of that name exists in CMD_DIR, it is executed,
and its result returned.

Opinions or thoughts? Any glaring security holes I am overlooking?
(Of course the checks themselves could still contain errors
 which allow escape to a shell...)






More information about the Devel mailing list