[Nagiosplug-devel] Security discussion - don't run as root plugins

[Andreas Ericsson]

Thomas Guyot-Sionnest wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 18/07/08 02:46 PM, Hendrik Bäcker wrote:
>> Hi List,
>>
>> just a few moments ago I've read a question by a user if it would be a 
>> problem to run the nagios plugins with root right via check_by_ssh.
>>
>> Yes - I laughed too as I read that. But in the following discussion it 
>> clears up - they already have a spreaded root ssh key on most of their 
>> systems and are to lazy to establish an unprivileged 'nagios' user on 
>> their systems - so they would run them as root.
>>
>> I know, security awareness should be part of the persons who are using 
>> the tools, scripts and programs - but 80% of security holes came from 
>> people who didn't know what they are doing.
>>
>> Without starting a flame on this topic I would like to ask what do you 
>> think of some security benefits like:
>>
>> * don't run the code if UID is 0: Hard but effective - check uid and 
>> abort with a warning.
>> * try to drop the privileges to the givven user by the configure run as 
>> a hard coded option
> 
> This is indeed a good idea... I think all plugins could drop privileges
> if they are run as root. We should probably make it an option for both
> Perl (Nagios::Plugins) and C plugins, and turn it to default behaviour
> in a major release.
> 

Sensible. Just do setuid(geteuid()); in C, and whatever's equivalent in
perl.

> At the same time we would need a standard option to specify a user to
> run as, so that anyone requiring root (or any other user) privileges for
> some reason would still be able to.
> 

I'd hate that idea, since all plugins would need to be suid root for this
to actually work if the user running them is anyone else than root or
is already the user supposed to run the plugin. It's stupid. Don't do it.

> This could also help catching the typical permission problems where
> users succeed running plugins as root, but fails running them from Nagios.
> 

That can already be caught using mechanisms such as sudo. There's no way
of making bug-reports more accurate by trying to make plugin error reporting
fool-proof, so don't even try it. Let's make sure they fail in a predictable
way with an accurate error message if they don't have permissions instead. 

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231