[Xymon] Potential bug in FILE analysis
Adam Goryachev
mailinglists at websitemanagers.com.au
Tue May 27 02:32:18 CEST 2014
By far the simplest solution would be to allow group permissions, and
add xymon to the group for the directory. Any other solution is likely
to introduce failure modes that are unexpected, and/or introduce more
security implications than you might think of...
e.g., set the directory group to crash, then add xymon to that group, and
set directory permissions to 750 or similar. Note, this works perfectly
if the directory is currently 700, because you can create a new group
solely for this purpose, so it doesn't give xymon any additional access
other than this folder, and it doesn't give any other process additional
access to the /var/crash folder.
If the folder is currently 750, and the existing group is used for other
processes/files/folders, then you should assess the security
implications of giving xymon access to all processes/files/folders.
Not quite what you wanted, but hopefully it will help.
BTW, do ACLs provide a solution here? Shouldn't ACLs be able to
provide access outside of the simplistic user/group/other scheme? Does
your filesystem/OS support them? Personally, I've never used them on
Linux, so can't comment there.
Regards,
Adam
On 27/05/14 10:01, Jeremy Laidman wrote:
> On 23 May 2014 11:21, Vernon Everett <everett.vernon at gmail.com> wrote:
>
> Anybody know of a way to give Xymon elevated access permissions
> when it stats files it's checking?
> I would prefer not to change the directory permissions if I can
> avoid it.
>
>
> Apart from running Xymon as root, I don't think you can do this.
>
> An alternative* might be to have a script that creates hard links for
> all files in /var/crash/ into another directory that the xymon user
> can read. For example:
>
> #!/bin/sh
> NEWDIR=/var/crash-monitor # must be same filesystem as /var/crash
> rm -rf "$NEWDIR" || exit 1
> mkdir "$NEWDIR" || exit 1          # mkdir has no -f option
> chown root:xymon "$NEWDIR"
> chmod 550 "$NEWDIR"                # root bypasses this when linking below
> cd /var/crash || exit 1
> for file in *; do
>     [ -f "$file" ] || continue     # skip subdirectories and the literal '*' of an empty dir
>     ln "$file" "$NEWDIR/$file"     # loop variable is $file, not $f
> done
> ls "$NEWDIR"/*
>
> This creates a replica of /var/crash/ that Xymon can read (and stat
> the files), without changing the original dir perms and ownership.
>
> This is run from within the "file:" backticks (using sudo), and so it
> produces the hardlink names as its output.
>
> You could have run this script from root's cron, but you'd have a race
> condition where sometimes Xymon will look at the replica directory
> after it has been created but before the hard links have been created.
>
> *untested
>
> j
>
--
Adam Goryachev Website Managers www.websitemanagers.com.au
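The two approaches discussed in this thread, as an added example that is not code from the thread, from Xymon, or from either poster. The first function sets up the dedicated-group arrangement from the reply above (new group, chgrp, mode 750, add the monitoring user to the group); the second builds the hard-link replica from the quoted script, but populates a staging directory and moves it into place with rename(2), so a reader never sees a half-linked replica (at worst it sees the directory briefly absent between the two renames), which removes the race that made the cron variant unsafe. The user name xymon, the group name crashmon and the path /var/crash-monitor are assumptions for illustration; both functions need root against the real /var/crash, while the replica builder also works unprivileged on a directory you own, which is how it can be tried out below.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xymon.
# Lets an unprivileged monitoring user (assumed: "xymon") stat files in a
# mode-700 directory such as /var/crash without opening it to "other".
# Names like crashmon and /var/crash-monitor are illustrative assumptions.
set -u

# 1. Dedicated group (must run as root). Changes the directory's group and
#    mode, so only use it when no other group already owns the directory;
#    a group created solely for this purpose grants the user nothing else.
grant_group_access() {
    dir=$1; group=$2; user=$3
    getent group "$group" >/dev/null 2>&1 || groupadd "$group" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 750 "$dir" || return 1           # owner rwx, group r-x, others nothing
    usermod -aG "$group" "$user" || return 1
    # The user's running processes keep their old group list; restart the
    # monitoring daemon so it picks up the new membership.
}

# 2. Hard-link replica. src and dst must be on the same filesystem, since
#    hard links cannot cross filesystems. A hard link shares the inode, so
#    stat on the replica reports the same size/mtime/owner as the original,
#    which is all a "file:" check needs.
replicate_links() {
    src=$1; dst=$2; group=$3
    [ -d "$src" ] || { echo "replicate_links: no such directory: $src" >&2; return 1; }
    staging="$dst.new.$$"
    old="$dst.old.$$"
    rm -rf "$staging" "$old"
    mkdir -m 750 "$staging" || return 1    # writable while it is being populated
    chgrp "$group" "$staging" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue            # skip subdirs and the literal '*' of an empty dir
        ln "$f" "$staging/${f##*/}" || return 1
    done
    chmod 550 "$staging" || return 1       # read-only for owner and group, nothing for others
    # Swap with rename(2): readers see the old replica, nothing, or the
    # complete new one, never a partially linked directory.
    if [ -d "$dst" ]; then
        mv "$dst" "$old" || return 1
    fi
    mv "$staging" "$dst" || return 1
    if [ -d "$old" ]; then
        chmod u+w "$old" && rm -rf "$old" || return 1   # 550 dirs cannot be emptied unless writable
    fi
    return 0
}

# Usage for the thread's case (as root), e.g. from root's cron or the "file:" backticks:
#   replicate_links /var/crash /var/crash-monitor xymon && ls /var/crash-monitor
```

Because the replica is assembled in a sibling directory and renamed into place, the script can be run from cron on a schedule rather than synchronously inside the `file:` backticks; a check that runs between the two `mv` calls sees no directory rather than a partial listing, and the next run repairs it. Subdirectories of the source are skipped deliberately, since hard links to directories are not permitted.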