[Nagiosplug-devel] [RFC] Plugins config file

sean finney seanius at seanius.net
Mon Oct 16 19:06:11 CEST 2006


hi gavin,

On Mon, 2006-10-16 at 21:13 +1000, Gavin Carr wrote:
> An obvious security problem with this is that the user must pass the
> database credentials on the command line, which typically means 
> they're exposed to any local users via the process list for however 
> long the plugin executes.

i've brought this up before, actually (though at the time it was
regarding snmp auth info, but same problem)

> This must be a problem for lots of other kinds of plugin too - 
> anywhere you need to pass any kind of secret to a plugin. Is there a
> good way of dealing with this that I'm not aware of?

well, for the db plugin, assuming that it's a mysql program, why not
use the built-in functionality for reading in additional mysql
ini-format files?  it should be possible to say something like

check_db_plugin --defaults-file=/etc/mysql/nagiosplugin.cnf

where you use getopt to get the defaults-file value, and pass it to the
mysql "load_defaults" function with the proper parameters.

> My suggestion is that we introduce a config file specifically for use
> by plugins (e.g. /etc/nagios/plugins.cfg or 
> $NAGIOS_HOME/etc/plugins.cfg), for arbitrary per-plugin parameters we 
> don't want to have to pass at the command line. Perhaps an INI-style 
> format would make sense, with per-plugin sections, or arbitrary 
> section names specified explicitly e.g.

i would be rather wary of this, because it's yet another point of
configuration/abstraction in an already complicated system.  but that's
just mho.


	sean
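
Added example, not part of the original message and not code from the Nagios plugins or MySQL: a plugin that takes --defaults-file through getopt_long and reads the password from the file's [client] group, so the secret never appears in argv or the process list. The names defaults_file_arg and read_client_password are hypothetical, the small parser is a stand-in for the client library's load_defaults, and refusing files accessible to group or others is an assumed policy.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Return the --defaults-file argument, or NULL if it was not given. */
const char *defaults_file_arg(int argc, char **argv)
{
    static const struct option opts[] = {
        { "defaults-file", required_argument, NULL, 'F' }, { NULL, 0, NULL, 0 } };
    const char *path = NULL;
    int c;
    while ((c = getopt_long(argc, argv, "F:", opts, NULL)) != -1)
        if (c == 'F')
            path = optarg;
    return path;
}

/* Stand-in for load_defaults(): copy "password" from the [client] group. Returns -1
 * if the file is unreadable, open to group/others, or has no [client] password. */
int read_client_password(const char *path, char *out, size_t outlen)
{
    char line[256], group[64] = "", val[128];
    struct stat st;
    int rc = -1;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fstat(fileno(f), &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0)
        while (fgets(line, sizeof line, f) != NULL) {
            if (sscanf(line, " [%63[^]]]", group) == 1)
                continue;              /* entered a new [group] */
            if (strcmp(group, "client") == 0 &&
                sscanf(line, " password = %127s", val) == 1) {
                snprintf(out, outlen, "%s", val);
                rc = 0;
            }
        }
    fclose(f);
    return rc;
}

int main(int argc, char **argv)
{
    char pw[128];
    const char *path = defaults_file_arg(argc, argv);
    if (path == NULL || read_client_password(path, pw, sizeof pw) != 0)
        return 3;                      /* Nagios UNKNOWN */
    return 0;                          /* pw would go to the DB connect call here */
}
```

Values containing spaces or quotes are not handled by this stand-in parser; the real client library covers those cases.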
