[Nagiosplug-devel] [RFC] Plugins config file

Andreas Ericsson ae at op5.se
Mon Oct 16 13:25:46 CEST 2006


Gavin Carr wrote:
> I've got a perl nagios plugin that performs arbitrary queries against
> a database and reports status codes based on the number of rows 
> returned i.e.
> 
>   Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count> 
>             -c <crit-count> -d <dsn> -u <user> -p <pass>
> 
> An obvious security problem with this is that the user must pass the
> database credentials on the command line, which typically means 
> they're exposed to any local users via the process list for however 
> long the plugin executes.
> 
> This must be a problem for lots of other kinds of plugin too - 
> anywhere you need to pass any kind of secret to a plugin. Is there a
> good way of dealing with this that I'm not aware of?
> 
> My suggestion is that we introduce a config file specifically for use
> by plugins (e.g. /etc/nagios/plugins.cfg or 
> $NAGIOS_HOME/etc/plugins.cfg), for arbitrary per-plugin parameters we 
> don't want to have to pass at the command line. Perhaps an INI-style 
> format would make sense, with per-plugin sections, or arbitrary 
> section names specified explicitly e.g.
> 
>   [ check_db_query_rowcount ]
>   dsn = db:Pg:database=foo
>   user = fred
>   pass = secret
> 
> or perhaps if I want to check multiple different databases, or share
> the credentials across plugins:
> 
>   [ foo_db ]
>   dsn = db:Pg:database=foo
>   user = fred
>   pass = secret
>   
> Then my plugin could have a usage pattern like this:
> 
>   Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count> 
>             -c <crit-count> [--auth=<auth-section>]
> 
> where auth-section might default to the plugin name if not specified
> (and the plugin would fail if an appropriate auth section could not 
> be found).
> 
> Thoughts/comments?
> 

If an attacker has access to your system in a way that lets them list 
processes of any arbitrary user, I fail to see how you could protect 
this configuration file in a sane way.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
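As an added example, not code from the thread or from the Nagios plugins project, the sketch below shows the proposed plugins.cfg lookup in Python rather than in Gavin's Perl: an INI file with per-plugin or shared sections, `--auth` selecting the section and defaulting to the plugin name, and a hard failure when the section is missing. It also adds the check a practitioner would want before trusting such a file: it is refused unless owned by the invoking user and stripped of group/other permission bits, since a 0600 file is readable only by its owner and root, whereas a process's argv is readable by every local user through the process list. The file path, the mode policy, the tolerance for `[ name ]` with inner spaces, and the constructed sample contents are all assumptions of this example.

```python
import argparse
import configparser
import os
import stat
import sys
import tempfile

# Constructed sample of the INI layout proposed in the thread: a section
# named after the plugin plus a shared section several plugins could use.
# Example data only, not a file shipped by the Nagios plugins project.
SAMPLE_CFG = """\
[ check_db_query_rowcount ]
dsn = db:Pg:database=foo
user = fred
pass = secret

[ foo_db ]
dsn = db:Pg:database=bar
user = fred
pass = secret
"""


class AuthError(Exception):
    """The credentials file or the requested section cannot be used."""


def check_file_mode(path):
    """Refuse a credentials file other local users could read or change.

    Assumed policy (this example's, not the thread's): owned by the user
    running the plugin, no group/other bits, i.e. mode 0600 or stricter.
    """
    st = os.stat(path)
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        raise AuthError("%s is not owned by the invoking user" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise AuthError("%s is group/other accessible (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))


def load_auth(path, plugin_name, section=None):
    """Return (dsn, user, pass) from `section`, defaulting to the plugin name.

    Fails if the section is absent, as the proposal requires.
    """
    check_file_mode(path)
    cp = configparser.ConfigParser(interpolation=None)
    with open(path) as fh:
        cp.read_file(fh)
    # configparser keeps whitespace inside the brackets as part of the
    # name, so "[ foo_db ]" is stored as " foo_db "; normalise it.
    by_name = {s.strip(): s for s in cp.sections()}
    name = section or plugin_name
    if name not in by_name:
        raise AuthError("no auth section [%s] in %s" % (name, path))
    sec = cp[by_name[name]]
    missing = [k for k in ("dsn", "user", "pass") if k not in sec]
    if missing:
        raise AuthError("section [%s] lacks %s" % (name, ", ".join(missing)))
    return sec["dsn"], sec["user"], sec["pass"]


def write_sample_cfg(mode=0o600):
    """Write SAMPLE_CFG to a private temp file with `mode`; return its path."""
    fd, path = tempfile.mkstemp(prefix="plugins-", suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CFG)
    os.chmod(path, mode)
    return path


def main(argv=None):
    """Plugin-style entry point: -u/-p are gone from the command line."""
    ap = argparse.ArgumentParser(prog="check_db_query_rowcount")
    ap.add_argument("-q", "--query", required=True)
    ap.add_argument("-w", "--warn", type=int, required=True)
    ap.add_argument("-c", "--crit", type=int, required=True)
    ap.add_argument("--auth", default=None, help="config section to use")
    ap.add_argument("--config", default=None, help="path to plugins.cfg")
    args = ap.parse_args(argv)
    path = args.config or write_sample_cfg()  # demo fallback: constructed file
    try:
        dsn, user, _password = load_auth(path, ap.prog, args.auth)
    except AuthError as e:
        print("UNKNOWN - %s" % e)
        return 3  # Nagios UNKNOWN
    # A real plugin would run args.query against dsn here; only the
    # non-secret parts are echoed so nothing sensitive reaches the output.
    print("OK - would query %s as %s (warn=%d crit=%d)"
          % (dsn, user, args.warn, args.crit))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run stand-alone it writes the constructed file and resolves the plugin's own section; `--auth foo_db` picks the shared one, and pointing `--config` at a 0644 copy makes the plugin exit UNKNOWN instead of reading credentials that any local user could also read.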
