[Xymon] Potential bug in FILE analysis

Adam Goryachev mailinglists at websitemanagers.com.au
Tue May 27 02:32:18 CEST 2014


By far the simplest solution would be to allow group permissions, and 
add xymon to the group for the directory. Any other solution is likely 
to introduce failure modes that are unexpected, and/or introduce more 
security implications than you might think of...

E.g., set the directory group to crash, then add xymon to that group, and 
set directory permissions to 750 or similar. Note, this works perfectly 
if the directory is currently 700, because you can create a new group 
solely for this purpose, so it doesn't give xymon any additional access 
other than this folder, and it doesn't give any other process additional 
access to the /var/crash folder.

If the folder is currently 750, and the existing group is used for other 
processes/files/folders, then you should assess the security 
implications of giving xymon access to all processes/files/folders.

Not quite what you wanted, but hopefully it will help

BTW, do ACLs provide a solution here? Shouldn't ACLs be able to 
provide access outside of the simplistic user/group/other scheme? Does 
your filesystem/OS support them? Personally, I've never used them on 
Linux, so can't comment there.

Regards,
Adam

On 27/05/14 10:01, Jeremy Laidman wrote:
> On 23 May 2014 11:21, Vernon Everett <everett.vernon at gmail.com 
> <mailto:everett.vernon at gmail.com>> wrote:
>
>     Anybody know of a way to give Xymon elevated access permissions
>     when it stats files it's checking?
>     I would prefer not to change the directory permissions if I can
>     avoid it.
>
>
> Apart from running Xymon as root, I don't think you can do this.
>
> An alternative* might be to have a script that creates hard links for 
> all files in /var/crash/ into another directory that the xymon user 
> can read.  For example:
>
> #!/bin/sh
> NEWDIR=/var/crash-monitor  # must be same filesystem as /var/crash
> rm -rf "$NEWDIR" || exit 1
> mkdir "$NEWDIR" || exit 1
> chown root:xymon "$NEWDIR"
> chmod 550 "$NEWDIR"
> cd /var/crash || exit 1
> for file in *; do ln "$file" "$NEWDIR/$file"; done
> ls "$NEWDIR"/*
>
> This creates a replica of /var/crash/ that Xymon can read (and stat 
> the files), without changing the original dir perms and ownership.
>
> This is run from within the "file:" backticks (using sudo), and so it 
> produces the hardlink names as its output.
>
> You could have run this script from root's cron, but you'd have a race 
> condition where sometimes Xymon will look at the replica directory 
> after it has been created but before the hard links have been created.
>
> *untested
>
> j
>


-- 
Adam Goryachev Website Managers www.websitemanagers.com.au
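The hard-link replica that Jeremy sketches above, reworked as an added example (it is not code from either poster): the replica is assembled in a scratch directory and swapped into place with a rename, which closes the race condition Jeremy mentions, and both paths are checked to be on one filesystem, since hard links cannot cross one. SRC, DEST and GROUP are assumed parameters; the thread's values would be /var/crash, /var/crash-monitor and xymon, and reading a 0700 /var/crash still requires running this as root (e.g. via the sudo entry Jeremy describes).

```shell
#!/bin/sh
# Added example, not from the thread: hard-link replica of a directory that a
# less-privileged monitoring user can read, built out of sight and swapped in
# with a rename so a reader never sees a half-populated directory.
# Assumed parameters (hypothetical values): SRC=/var/crash,
# DEST=/var/crash-monitor, GROUP=xymon.
set -u

# Hard links cannot cross filesystems: compare the mount point of both paths.
same_filesystem() {
    mp1=$(df -P "$1" 2>/dev/null | awk 'NR==2 {print $6}')
    mp2=$(df -P "$2" 2>/dev/null | awk 'NR==2 {print $6}')
    [ -n "$mp1" ] && [ "$mp1" = "$mp2" ]
}

# discard DIR: remove a replica directory. Only the directory itself gets
# u+w (never chmod -R: the entries are hard links sharing inodes with SRC,
# so a recursive chmod would change the original files' permissions).
discard() {
    chmod u+w "$1" 2>/dev/null
    rm -rf "$1"
}

# replicate_dir SRC DEST GROUP
# Rebuilds DEST as a directory of hard links to every regular file in SRC,
# group GROUP, mode 550. Returns non-zero on any failure.
replicate_dir() {
    src=$1; dest=$2; group=$3
    parent=$(dirname "$dest")
    same_filesystem "$src" "$parent" || { echo "not the same filesystem" >&2; return 1; }

    # Scratch directory beside DEST (same filesystem); mktemp creates it 0700.
    tmp=$(mktemp -d "$parent/.replica.XXXXXX") || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue                   # skip subdirs, sockets, ...
        ln "$f" "$tmp/$(basename "$f")" || { discard "$tmp"; return 1; }
    done
    chgrp "$group" "$tmp" && chmod 550 "$tmp" || { discard "$tmp"; return 1; }

    # Swap: move any previous replica aside, rename the new one in, then
    # delete the old one. A reader sees either the old or the new tree,
    # never a partially linked one (at worst a brief ENOENT between renames).
    old="$tmp.old"
    if [ -e "$dest" ]; then
        mv "$dest" "$old" || { discard "$tmp"; return 1; }
    fi
    mv "$tmp" "$dest" || { [ -e "$old" ] && mv "$old" "$dest"; discard "$tmp"; return 1; }
    [ -e "$old" ] && discard "$old"
    return 0
}

# list_replica DEST: print the linked file names, which is what the
# "file:" backtick entry consumes.
list_replica() {
    ls "$1"/* 2>/dev/null
}

# Usage with the thread's values (uncomment to run):
# replicate_dir /var/crash /var/crash-monitor xymon && list_replica /var/crash-monitor
```

Two details worth noting: a recursive chmod on the replica would reach through the hard links and change the mode of the files in SRC, so the cleanup only touches the directory itself; and the mount-point check is a convenience, since ln would fail with EXDEV across filesystems anyway, but it gives a clearer message before anything is created.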