logfetch workaround (sanity check?)
Cleaver, Japheth
jcleaver at soe.sony.com
Wed Jul 29 03:30:44 CEST 2009
I’ve come upon a simple and (seemingly) secure workaround for when you can’t loosen ownership privileges on a log file that you need automatically monitored by the Xymon client (or if you have multiple logs that may or may not get re-created by different users)… Set your copies of logfetch to setgid some neutral, but ever-present group… e.g. “daemon”
In my case:
] chmod 2710 /usr/libexec/xymon-client/logfetch
] ls -la /usr/libexec/xymon-client/logfetch
-rwx--s--- 1 xymon daemon 84654 Jul 17 10:30 /usr/libexec/xymon-client/logfetch
Simply chgrp daemon and chmod g+r whatever log files you’re going to need to be examined.
The best someone can do now is read log files they wouldn’t otherwise be able to, but you won’t have to deal with the implications of superuser (supergroup?) privileges regardless of what future security vulnerabilities might be found. In my case, there are boxes that I can’t install a new user account on, or am running the xymon client via a passive SSH call, but I’m not especially worried about local log file reading. Here I can chmod 2711 logfetch, allowing any user to read logs (i.e., run hobbitclient.sh) while not having to deal with setuid root concerns.
HTH,
Japheth Cleaver
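As an added example (not part of the original post, and not Xymon's own tooling), the following script sanity-checks the setgid workaround described above: it verifies that logfetch is setgid (mode 2710 or 2711, never setuid) and group-owned by the chosen group, and that each log file is readable by that group but not by everyone else. The group name "daemon", the logfetch path and the log paths are assumptions taken from the post, and the script assumes GNU `stat` (Linux).

```shell
#!/bin/sh
# Added example, not from the original post: audit the setgid-logfetch setup.
# Assumptions: GNU stat; group name and paths are whatever your site uses.

# Print the octal mode (no leading zero) and the group name of a file.
file_mode()  { stat -c '%a' "$1"; }
file_group() { stat -c '%G' "$1"; }

# check_logfetch FILE GROUP
# Returns 0 when FILE has mode 2710 or 2711 and belongs to GROUP.
# Prints a reason and returns 1 otherwise. Any setuid mode is rejected,
# since avoiding setuid root is the whole point of the workaround.
check_logfetch() {
    mode=$(file_mode "$1") || return 1
    grp=$(file_group "$1") || return 1
    case "$mode" in
        2710|2711) ;;
        4*|6*)  echo "$1: setuid bit set (mode $mode)"; return 1 ;;
        *)      echo "$1: mode $mode, expected 2710 or 2711"; return 1 ;;
    esac
    if [ "$grp" != "$2" ]; then
        echo "$1: group $grp, expected $2"; return 1
    fi
    return 0
}

# check_log FILE GROUP
# Returns 0 when FILE belongs to GROUP, is group-readable, and is not
# world-readable (so the setgid binary, not "everyone", is what grants access).
check_log() {
    mode=$(file_mode "$1") || return 1
    grp=$(file_group "$1") || return 1
    other=${mode#"${mode%?}"}          # last octal digit: "other" bits
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last digit: group bits
    if [ "$grp" != "$2" ]; then
        echo "$1: group $grp, expected $2"; return 1
    fi
    case "$group" in
        4|5|6|7) ;;
        *) echo "$1: not group-readable (mode $mode)"; return 1 ;;
    esac
    case "$other" in
        0|1|2|3) ;;
        *) echo "$1: world-readable (mode $mode); the group grant is moot"; return 1 ;;
    esac
    return 0
}

# Usage: sh check-logfetch.sh /usr/libexec/xymon-client/logfetch daemon /var/log/messages
# (example paths; nothing runs unless arguments are given)
if [ $# -ge 2 ]; then
    bin=$1; grp=$2; shift 2
    status=0
    check_logfetch "$bin" "$grp" || status=1
    for log in "$@"; do
        check_log "$log" "$grp" || status=1
    done
    [ $status -eq 0 ] && echo "OK: $bin is setgid $grp and logs are group-readable only"
    exit $status
fi
```

Run it after the chmod/chgrp steps from the post; a non-zero exit with a printed reason means one of the files is either more permissive than intended (setuid, or world-readable logs) or not yet readable through the daemon group.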