[Nagiosplug-devel] [RFC] Plugins config file

John P. Rouillard rouilj at cs.umb.edu
Mon Oct 16 18:24:40 CEST 2006


In message <20061016111350.GB15099 at openfusion.com.au>,
Gavin Carr writes:

>  Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count> 
>            -c <crit-count> -d <dsn> -u <user> -p <pass>
>
>An obvious security problem with this is that the user must pass the
>database credentials on the command line, which typically means 
>they're exposed to any local users via the process list for however 
>long the plugin executes.
>
>This must be a problem for lots of other kinds of plugin too - 
>anywhere you need to pass any kind of secret to a plugin. Is there a
>good way of dealing with this that I'm not aware of?

The way I do it is to use a small shell script to parse a password
config file and create a temp file. Then I pass the temp file to the
plugin. Obviously this works only with my own plugins, but it does
allow formatting and other changes. E.G. I can:

    pass URL's in a file
    create curl config files
    create user:passwd authentication formatted entries

and the input file tries to reuse plugins's normal authentication
mechanism setting the internal variable from a file rather than on the
command line.

Also I can run the command inside a here document in a shell script and
pass password info on stdin to the plugin if it accepts it.

wget -i << EOE
https://`getpw /password/cache -`@example.com/ 
EOE

which doesn't leave authentication info in the environment or on the
command line.

>My suggestion is that we introduce a config file specifically for use
>by plugins (e.g. /etc/nagios/plugins.cfg or 
>$NAGIOS_HOME/etc/plugins.cfg), for arbitrary per-plugin parameters we 
>don't want to have to pass at the command line. Perhaps an INI-style 
>format would make sense, with per-plugin sections, or arbitrary 
>section names specified explicitly e.g.
>
>  [ check_db_query_rowcount ]
>  dsn = db:Pg:database=foo
>  user = fred
>  pass = secret
>
>or perhaps if I want to check multiple different databases, or share
>the credentials across plugins:
>
>  [ foo_db ]
>  dsn = db:Pg:database=foo
>  user = fred
>  pass = secret
>  
>Then my plugin could have a usage pattern like this:
>
>  Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count> 
>            -c <crit-count> [--auth=<auth-section>]
>
>where auth-section might default to the plugin name if not specified
>(and the plugin would fail if an appropriate auth section could not 
>be found).

Sounds like a good idea and it should be simple enough to code in
perl, C, Bourne shell and python for starters. What may be better is
for the <auth-section> to be:

    auth-section:/path/to/auth/file

since I can see multiple auth files for different people to
maintain (e.g. oracle db's maintain the password for the test users
using on their databases).

My little getpw script takes:

  /path/to/file output_file_basename [token]

where the credentials (and their output format) are uniquely
identified by the file path and the token (where the token is similar
to your auth-section). So I can get the updates when the web admins
change the manager password on the servers without giving them access
to the passwords for other test users in LDAP.

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.




More information about the Devel mailing list