[Nagiosplug-devel] Antwort: Re: Security discussion - don't run as root plugins

Sascha.Runschke at gfkl.com Sascha.Runschke at gfkl.com
Mon Jul 21 10:27:53 CEST 2008


nagiosplug-devel-bounces at lists.sourceforge.net wrote on 19.07.2008 20:16:13:

> | I'd hate that idea, since all plugins would need to be suid root for this
> | to actually work if the user running them is anyone else than root or
> | is already the user supposed to run the plugin. It's stupid. Don't do it.
> |
> I'm with Andreas. If the Mainstream decides to do something against the lazy
> insecure people to make it harder to compromise security - you won't
> have a config line easily set to "run_as = root".

[...snip...]

> I guess this is more a political decision than a technical one.

You know, that brings something to my mind...
I'm pretty sure you know why most admins of Unix derivatives have a deep hate
against Windows and Microsoft - because they try to be smarter than us.
They try to predict every possible failure we could make and try
to implement mechanics to prevent those failures. Which in turn results
in totally restricted systems, where the admin cannot do what the admin
wants to do - since the vendor thinks he was so smart to prevent me
from doing that thing. Not.

Don't make the same mistake and enforce your ideas on users.
If someone wants to run as root - whatever her reason may be - then
let her do so. If it was done by mistake - she learned something from
it now (hopefully).

The way to go is the un-intrusive way of privilege dropping.
If a program does not need root privileges, it should drop them and
in my opinion that's the responsibility of the author.

Regards
        Sascha

-- 
Sascha Runschke
Network and Systems Management
Phone : +49 (201) 102-1879 Mobile : +49 (173) 5419665 Fax : +49 (201) 102-1102105


