[Nagiosplug-devel] Security discussion - don't run as root plugins

Mikael Fridh frimik at gmail.com
Tue Jul 22 20:27:31 CEST 2008


On 7/20/08, Andreas Ericsson <ae at op5.se> wrote:
> Hendrik Bäcker wrote:
> > I could imagine of a getopt option like "--yes-run-as-root" without a
> > shortcut like "-r" for it. If the user has to type this into his command
> > definition he should know what he is doing.

What's next for a future plugin that's even more volatile than the current ones?

--yes-really-run-as-root --im-not-kidding-really-really-run-as-root

> Failed to read /proc/foo/var12: Permission denied
> This plugin requires access to the frotz interface, which it currently
> doesn't have. To grant such access, do <insert-recommended-reasonably-
> secure-way-here>"
>
> That would also serve as a small education to those who aren't aware of
> security issues, so it's a win-win-win situation imo.

Sure, that's up to each author or according to the guidelines for
plugin-writing.

I don't think nagios-plugins' job is to educate the users about the
fact that running everything as root might be a bad idea.
As long as the INSTALL and/or README contains or refers to _sane_
installation/setup instructions I think the nagios-plugins' authors
have done their jobs. And if some distributions/packagers do not keep
it as sane as upstream did, they are the ones to blame.

If I am logged in as root and run a command as root, I sure as hell do
not want it to change to another uid unless I tell it to! (via either
/etc/nagios/check_XXX.conf or a --user=XXX flag).

Let's privilege separate everything and have all plugins chroot
themselves too while trying to keep them easily audited, no? :)

--
Mike



