
Re: [hobbit] localhost, clamd, rights



On Thu, Aug 17, 2006 at 10:56:48AM +0200, John GALLET wrote:
>  
> 1) I am running as many daemons as possible on 127.0.0.1 in case I make a 
> mistake in my iptables rules and as a general security rule anyway. I 
> added a 127.0.0.1 localhost line in etc/bb-hosts to monitor them. Is this 
> the correct/preferred way to do it or can I monitor them on a single line 
> with the public ip of the host ? 

If you want to make sure that they ONLY run on 127.0.0.1, I'd set up two
sets of tests: One with the public IP, and one with 127.0.0.1. Then you
can check the same services on both, with one of them being a "negative"
test (i.e. something which must NOT be available). E.g. if smtp should
only be listening locally:

   127.0.0.1     myserver-local  # testip smtp
   12.34.56.78   myserver-public # testip !smtp

The "testip" makes Hobbit use the IP-address from the bb-hosts file,
instead of trying to determine the IP from the hostname.

> 2) I configured clamd so that it uses /tmp/clamd for communications. Can I
> still monitor it with Hobbit ? I can't check the process (see question 3).
> I tried /tmp/clamd as a port in bb-services and saw an atoi() must be 
> called on it ;-)

"clamd" and the other tests in bb-services only work for network tests,
so - no, Hobbit cannot monitor a service communicating via a local unix
socket.

> 3) Not directly Hobbit related but might need a turnaround.
>  
> My kernel is patched with -grsec, which implies only root can access /proc
> or see other users' processes in a "ps" command. The result is that the
> hobbit-client log is filled with "access denied" on /proc/net/snmp (which
> I don't really mind) but also that the stats about users and especially
> number of processes is totally and utterly wrong, and I'd need this
> information (I have some random load peaks to diagnose). Do I need to run
> parts of hobbit as root ? Which ones ? What's the risk involved ?  

As Charles writes, you can use "sudo" to permit the hobbit user to run
the privileged commands with root privs. The risk in doing that
obviously is that if a user manages to break into your box and get 
shell access as the "hobbit" user, then he can run those same commands
with root privileges.


Regards,
Henrik
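
Added example, not part of the original message and not Hobbit's own code: a small Python model of the paired positive/negative test described above, which parses `testip` lines in the bb-hosts style shown and reports a service as red when it is reachable where `!service` says it must not be. The `PORTS` map, the function names and the injectable `probe` argument are assumptions made for this illustration.

```python
import socket

# Assumed port map for this example; Hobbit takes its definitions from bb-services.
PORTS = {"smtp": 25, "ssh": 22, "http": 80}

def parse_bb_hosts(text):
    """Yield (ip, hostname, [(service, must_be_up), ...]) for lines tagged testip."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "#" not in line:
            continue
        addr, tags = line.split("#", 1)
        fields, tags = addr.split(), tags.split()
        if len(fields) < 2 or "testip" not in tags:
            continue  # this sketch only models lines that pin the IP with testip
        tests = [(t.lstrip("!"), not t.startswith("!"))
                 for t in tags if t.lstrip("!") in PORTS]
        yield fields[0], fields[1], tests

def tcp_probe(ip, port, timeout=3.0):
    """Return True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def evaluate(text, probe=tcp_probe):
    """Return [(hostname, service, colour)]; green means the expectation held."""
    results = []
    for ip, host, tests in parse_bb_hosts(text):
        for svc, must_be_up in tests:
            reachable = probe(ip, PORTS[svc])
            results.append((host, svc, "green" if reachable == must_be_up else "red"))
    return results

# The two lines from the message above.
SAMPLE = """\
127.0.0.1     myserver-local  # testip smtp
12.34.56.78   myserver-public # testip !smtp
"""

if __name__ == "__main__":
    for host, svc, colour in evaluate(SAMPLE):
        print(f"{host:16} {svc:6} {colour}")
```

The negative line is the one that catches a daemon that has started listening on the public address, for instance after a configuration change or a firewall mistake.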