[Nagiosplug-devel] [RFC] Plugins config file
sean finney
seanius at seanius.net
Mon Oct 16 19:06:11 CEST 2006
hi gavin,
On Mon, 2006-10-16 at 21:13 +1000, Gavin Carr wrote:
> An obvious security problem with this is that the user must pass the
> database credentials on the command line, which typically means
> they're exposed to any local users via the process list for however
> long the plugin executes.
i've brought this up before, actually (though at the time it was
regardling snmp auth info, but same problem)
> This must be a problem for lots of other kinds of plugin too -
> anywhere you need to pass any kind of secret to a plugin. Is there a
> good way of dealing with this that I'm not aware of?
well, for the db plugin, assuming that it's a mysql program, why not
use the built-in functionality for reading in additional mysql
ini-format files? it should be possible to say something like
check_db_plugin --defaults-file=/etc/mysql/nagiosplugin.cnf
where you use getopt to get the defaults-file value, and pass it to the
mysql "load_defaults" function with the proper parameters.
> My suggestion is that we introduce a config file specifically for use
> by plugins (e.g. /etc/nagios/plugins.cfg or
> $NAGIOS_HOME/etc/plugins.cfg), for arbitrary per-plugin parameters we
> don't want to have to pass at the command line. Perhaps an INI-style
> format would make sense, with per-plugin sections, or arbitrary
> section names specified explicitly e.g.
i would be rather wary of this, because it's yet another point of
configuration/abstraction in an already complicated system. but that's
just mho.
sean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL: <https://www.monitoring-plugins.org/archive/devel/attachments/20061016/55292951/attachment.sig>
More information about the Devel
mailing list