[Nagiosplug-devel] check_ping and check_icmp confusion

Jason Crawford jasonrcrawford at gmail.com
Wed Feb 22 11:15:16 CET 2006


On 2/22/06, Andreas Ericsson <ae at op5.se> wrote:
> Jason Crawford wrote:
> > On 2/22/06, gh <gh at 3gupload.com> wrote:
> >
> >>On Wed, 2006-02-22 at 18:36 +0100, Andreas Ericsson wrote:
> >>
> >>>gh wrote:
> >>>>From what I can tell check_ping has been deprecated in favor of
> >>>>check_icmp. Is this the case or are there certain systems or conditions
> >>>>that make check_ping favorable or even necessary?
> >>>>
> >>>
> >>>check_icmp had some problems on systems with 32-bit process IDs in the
> >>>early days (causing it to mark the packets wrong and then not
> >>>recognizing them when they returned). It also used to calculate timings
> >>>slightly wrong. Both those problems are solved long since, however. Now
> >>>there are no real reasons to use check_ping instead of check_icmp.
> >>>
> >>
> >>What do people think about just dropping check_ping from the next
> >>version of the plugins package to avoid all this unnecessary confusion
> >>that is evident on the mailing lists and replace it with a symlink to
> >>check_icmp for backwards compatibility?
> >>
> >
> >
> > I just don't like the fact that check_icmp must be setuid root or run
> > as root. Personally, I like to have as few setuid binaries as possible
> > on my system, as well as little running as root as possible
>
> This is both sane and wise.
>
> > (in order
> > to run check_icmp as root, the parent nagios stuff must be running as
> > root as well).
>
>
> This is a downright lie. setuid binaries are executed with the
> permissions of the owner of the file. Nagios does *not* have to run as
> root (otherwise check_ping would fail as well).

You misunderstand what I was saying. What I meant to say was EITHER
the binary must be setuid root OR the parent calling process must be
run as root.

>
>
> > The great thing about check_ping is that it uses the
> > already setuid ping binary.
> >
>
> Arguably, that's a worse setup since /bin/ping is executable by every
> user on the system (normally), while there's no reason for check_icmp to be.
>
> If you do
>         # chown root:nagios check_icmp
>         # chmod 4710 check_icmp
>
> and then set the nagios user's shell to /bin/false (and of course make
> sure there are no other users in the nagios group), you have a much
> safer setup than if you use check_ping to invoke /bin/ping.
>
> On a side note, both ping and check_icmp drop their root-privileges
> (unless run as root, anyways) immediately after obtaining the raw socket
> necessary to send layer 2 packets.
>
> However, if this is a very large concern for lots of people I could make
> check_icmp do all its work inside a chroot(2) jail. Then you'd be safer
> running check_icmp than /bin/ping.

Well I was more referring to the fact that the system's ping binary
has gone through very extensive and thorough security audits (it's
been around for how many years?) so there are less likely to be issues
in the privileged code. However, a chroot(2) jail would make it even
better.

Jason
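
The following is an added example, not part of the original message or of the Nagios plugins code: a shell function that audits a setuid plugin against the ownership and mode quoted above (`chown root:nagios`, `chmod 4710`). It assumes a `stat` that supports `-c` (GNU coreutils or BusyBox); the function name `audit_setuid_plugin` is hypothetical.

```shell
#!/bin/sh
# Added example: audit a setuid plugin against the layout quoted in the
# thread (owner root, group nagios, mode 4710).
# Assumption: stat supports -c format strings (GNU coreutils / BusyBox).

# audit_setuid_plugin PATH [OWNER] [GROUP]
# Prints one line per finding; returns 0 if the file matches, 1 otherwise.
audit_setuid_plugin() {
    path=$1 want_owner=${2:-root} want_group=${3:-nagios}
    rc=0

    # A symlink could point the check at a different binary; refuse it.
    [ -f "$path" ] && [ ! -L "$path" ] ||
        { echo "FAIL $path: not a regular file"; return 1; }

    # %a = octal mode including special bits, %U/%G = owner/group names.
    set -- $(stat -c '%a %U %G' "$path")
    mode=$1 owner=$2 group=$3
    m=$((0$mode))   # leading 0 makes the shell read the mode as octal

    [ $((m & 04000)) -ne 0 ] ||
        { echo "FAIL $path: setuid bit not set (mode $mode)"; rc=1; }
    [ $((m & 00007)) -eq 0 ] ||
        { echo "FAIL $path: accessible to 'other' users (mode $mode)"; rc=1; }
    [ $((m & 00020)) -eq 0 ] ||
        { echo "FAIL $path: group-writable (mode $mode)"; rc=1; }
    [ $((m & 00010)) -ne 0 ] ||
        { echo "FAIL $path: group cannot execute it (mode $mode)"; rc=1; }
    [ "$owner" = "$want_owner" ] ||
        { echo "FAIL $path: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "FAIL $path: group is $group, expected $want_group"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK $path: mode $mode, $owner:$group"
    return "$rc"
}

# When run as a script with arguments, audit the given file.
if [ "$#" -gt 0 ]; then
    audit_setuid_plugin "$@"
fi
```

The remaining conditions from the quoted advice (no other members in the nagios group, the nagios user's shell set to /bin/false) are not covered by this function and need a separate look at the group and passwd databases.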
