[Nagiosplug-devel] restricted shell for nagios checks

Thomas Guyot-Sionnest dermoth at aei.ca
Fri Nov 7 18:48:09 CET 2008



Martin.Gerdes at directbox.com wrote:
> I wanted to use ssh to execute checkscripts (and evaluate their results).
> But I didn't want to give that account a full shell,
> since it isn't necessary for the task, and a risk.
> So what I decided to do was to write a wrapper to execute the individual
> scripts, and set it as the shell:
> 
> in /etc/passwd of the client:
> nagios:x:9000:9000::/home/nagios:/home/nagios/executeCheck.sh
> 
> ========executeCheck.sh:=======
> #!/bin/bash
> 
> #first parameter is '-c', which we skip
> shift 1
> 
> CMD="`echo "$1" | cut -d ' ' -f1`"
> CMD_DIR="/home/nagios/plugins"
> 
> #make sure check name is benign and exists
> if [ ! "`echo "$CMD" | egrep '^[a-zA-Z0-9_\.-]+$'`" ] || \
> 		[ ! -e "$CMD_DIR/$CMD" ] ; then
> 	echo "unknown check '$CMD'"
> 	exit 3
> fi
> 
> #protect checks from weird parameters
> if [ ! "`echo "$1" | egrep '^[a-zA-Z0-9_%,\./ -]+$'`" ] ; then
> 	echo "command '$1' contains illegal characters"
> 	exit 3
> fi
> 
> #execute command
> "$CMD_DIR/"$1
> 
> ===============================
> 
> To execute a check, the nagios server calls ssh -q check_... <parameters>
> If a file of that name exists in CMD_DIR, it is executed,
> and its result returned.
> 
> Opinions or thoughts? Any glaring security holes I am overlooking?
> (Of course the checks themselves could still contain errors
>  which allow escape to a shell...)

Unless you want one key per check/arguments, you'll need a wrapper
script anyway. Since you can get the original command through an environment
variable, you can still sanitize it and exec it from a wrapper (the key
runs your wrapper script, and the wrapper script execs the original
command if it's deemed safe). I do this for rsync over ssh, although in
this case it's mainly to avoid accidentally destroying the remote file
structure since it uses --delete.

Another option would be using the latest OpenSSH's chroot capabilities to
give it access only to the required binaries.

Although, my preference is still using nrpe with cfg_dirs, so all I have
to do is copy the configs over and issue a HUP to nrpe to activate new
configs. I have scripts for that so updating the configs is just as simple.

--
Thomas
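
Thomas's suggestion above, written out as a forced-command wrapper (an added example, not code from either poster or from the nagios-plugins project): the key's command= option makes sshd run the wrapper, which reads the client's request from SSH_ORIGINAL_COMMAND, checks the check name and each argument against an allow-list, and only then execs the plugin. The authorized_keys line, the wrapper path and the plugin directory are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for running Nagios checks over SSH (added example).
# Assumed authorized_keys line on the monitored host (key material is a placeholder):
#   command="/home/nagios/ssh_check_wrapper.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER nagios@server
# With command= set, sshd runs this script instead of whatever the client asked for
# and passes the client's request in the SSH_ORIGINAL_COMMAND environment variable.

CMD_DIR="${CMD_DIR:-/home/nagios/plugins}"   # plugin directory (overridable for testing)

# validate_check "<original command>": returns 0 if the check name and every argument
# pass the allow-lists and the plugin exists, 1 otherwise. Never executes anything.
validate_check() {
    set -f              # disable globbing while the command is split on whitespace
    set -- $1           # positional parameters are local to the function in POSIX sh
    set +f
    [ $# -ge 1 ] || return 1
    check=$1
    shift
    # Plugin name may not start with '.', '-' or '/', which rules out '..' and options.
    printf '%s\n' "$check" | grep -Eq '^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$' || return 1
    [ -f "$CMD_DIR/$check" ] && [ -x "$CMD_DIR/$check" ] || return 1
    for arg; do
        # Per-argument allow-list: no quotes, $, ;, |, &, <, >, backticks or backslashes.
        printf '%s\n' "$arg" | grep -Eq '^[a-zA-Z0-9_%,./:=@-]+$' || return 1
    done
}

# run_check "<original command>": exec the plugin with the sanitised argv, or exit 3
# (Nagios UNKNOWN) with a message when the command is rejected.
run_check() {
    validate_check "$1" || { echo "UNKNOWN: rejected command '$1'"; exit 3; }
    set -f
    set -- $1
    set +f
    check=$1
    shift
    exec "$CMD_DIR/$check" "$@"
}

# sshd sets SSH_ORIGINAL_COMMAND when the key's command= option forces this wrapper.
# Without it (an interactive login attempt, or the file sourced for testing) nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_check "$SSH_ORIGINAL_COMMAND"
fi
```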