[Nagiosplug-devel] Antwort: Security discussion - don't run as root plugins

Andreas Ericsson ae at op5.se
Mon Jul 21 11:05:24 CEST 2008


Olivier 'Babar' Raginel wrote:
> On Mon, Jul 21, 2008 at 10:27:53AM +0200, Sascha.Runschke at gfkl.com wrote:
>>    Don't make the same mistake and enforce your ideas on users.
>>    If someone wants to run as root - whatever her reason may be - then
>>    let her do so. If it was done by mistake - she learned something from
>>    it now (hopefully).
>>    The way to go is the un-intrusive way of privilege dropping.
>>    If a program does not need root privileges, it should drop them and
>>    in my opinion that's the responsibility of the author.
> 
> I'd rather go the "munin" way:
> # /usr/bin/munin-cron
> You are running this program as root, which is neither smart nor necessary.
> If you really want to run it as root, use the --force-root option. Else, run
> it as the user "munin". Aborting.
> 
> Clear, self-explanatory, concise, but still flexible.
> 

And over-clever. Nagios fails to run as root unless one explicitly asks for
it, so they'll never be run as root under Nagios anyway (unless explicitly
asked for, in which case we have no reason whatsoever to complain about
it).

To prevent user-errors while debugging, I could imagine doing something
like this (obviously with a more informative message):

end_of_real_output:
    /* needs <stdio.h> and <unistd.h>; warn only for root on a terminal */
    if (!geteuid() && isatty(fileno(stdout)))
        fprintf(stderr, "Don't debug plugins as root.\n");

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
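
Added example, not part of the original message or of the Nagios plugins code: the three approaches raised in this thread (munin-style abort unless forced, unconditional privilege dropping, and a warning only when root runs the plugin on a terminal) side by side in C. The function names, the enum values and the unprivileged account name "nagios" are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE                 /* setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum root_action { ACT_RUN, ACT_WARN, ACT_DROP, ACT_ABORT };
enum root_style  { STYLE_TTY_WARNING, STYLE_DROP, STYLE_MUNIN };

/* Pure decision: what each approach does for a given caller (hypothetical helper). */
enum root_action root_policy(enum root_style style, uid_t euid, int on_tty, int force_root)
{
    if (euid != 0)
        return ACT_RUN;                 /* not root: nothing to decide */
    switch (style) {
    case STYLE_MUNIN:       return force_root ? ACT_RUN : ACT_ABORT;
    case STYLE_DROP:        return ACT_DROP;
    case STYLE_TTY_WARNING: return on_tty ? ACT_WARN : ACT_RUN;
    }
    return ACT_ABORT;                   /* unknown style: fail closed */
}

/* Irreversibly become `user`: supplementary groups, then gid, then uid. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;                      /* unknown account, or still root */
    if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* Verify the drop stuck: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() != pw->pw_uid)
        return -1;
    return 0;
}

int main(void)
{
    switch (root_policy(STYLE_DROP, geteuid(), isatty(fileno(stdout)), 0)) {
    case ACT_ABORT: fprintf(stderr, "refusing to run as root\n"); return 3;
    case ACT_DROP:  /* "nagios" is an assumed account name */
        if (drop_privileges("nagios") != 0) { fprintf(stderr, "cannot drop privileges\n"); return 3; }
        break;
    case ACT_WARN:  fprintf(stderr, "Don't debug plugins as root.\n"); break;
    case ACT_RUN:   break;
    }
    puts("OK - plugin check would run here");
    return 0;
}
```

Exit status 3 is the plugin convention for UNKNOWN, so a failed drop shows up in Nagios instead of the check silently running as root.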