[hobbit] Hobbit SUID's

Henrik Stoerner henrik at hswn.dk
Sun Jun 4 18:36:47 CEST 2006


On Sun, Jun 04, 2006 at 09:26:04AM -0700, Charles Jones wrote:
> So, correct me if I am wrong about any of these statements:
> 1. The ONLY hobbit binary that MUST be SUID root is "hobbitping" 
> (because only root can send ICMP ECHO  packets).

Correct.

> 2. "logfetch" is SUID root for ease of monitoring root-owned logfiles. 
> It does not need to be SUID if the monitored files are readable by the 
> hobbit user.

Correct.

> 3. "clientupdate" is SUID in order to restore the SUID bit of 
> "logfetch", when a client update is rolled out via the automated mechanism.

Correct.

> I should be able to convince the security folks to SUID hobbitping. Is 
> there anything special about hobbitping itself, or can "fping" be used 
> as a replacement?

You can use fping.

If you have problems convincing your security people, show them the
hobbitping code and point out where it does a "seteuid" call to drop
root privileges.


> The only other comment I have is, since the man page specifically says 
> that logfetch and clientupdate do not need to be SUID, either "make 
> install" should not fail because of the chown errors, or there should be 
> a --no-suid option to tell the installer not to attempt to make those SUID.

Until recently it failed completely. Now it just complains. I'll see if
I can remove those errors.


Regards,
Henrik
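
The pattern referred to in the reply above (perform the one operation that needs root, then drop root before anything else runs), as an added example that is not hobbitping's code and not part of the original message. The function names are hypothetical, and it calls setuid() rather than the seteuid() named in the message so that the saved set-user-ID is reset along with the effective one.

```c
/* Added example: generic SUID-root "open raw socket, then drop root" pattern.
 * Not hobbitping source; function names are hypothetical. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Open the ICMP raw socket: the one step that needs root (or CAP_NET_RAW).
 * Returns the descriptor, or -1 if the process lacks the privilege. */
int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Give up root for good. In a SUID-root binary the effective UID is 0, so
 * setuid(real uid) resets the real, effective and saved UIDs together.
 * Group first: once the UID is dropped, setgid() is no longer permitted.
 * Returns 0 on a verified drop, -1 otherwise. */
int drop_root_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Verify: a non-root invoker must not be able to get euid 0 back. */
    if (ruid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    int fd = open_icmp_socket();          /* privileged step, done first */
    if (drop_root_permanently() != 0) {   /* refuse to run half-privileged */
        fprintf(stderr, "privilege drop failed\n");
        return 2;
    }
    if (fd < 0) {
        fprintf(stderr, "could not open raw ICMP socket\n");
        return 1;
    }
    /* From here on, packet building and reply parsing run as the invoker. */
    printf("fd=%d uid=%d euid=%d\n", fd, (int)getuid(), (int)geteuid());
    close(fd);
    return 0;
}
```

When reviewing a SUID binary, the things to look for are the same as here: the drop happens immediately after the privileged call, its return value is checked, and the program exits if the drop fails.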