[hobbit] How to run an arbitary script on the client end?

Charles Jones jonescr at cisco.com
Mon Jun 11 23:44:12 CEST 2007


I had a similar idea to this once:  see 
http://www.hswn.dk/hobbiton/2006/09/msg00537.html
It could be handy to be able to specify running an external command, the 
interval to run it at, and a tag name for it in client-data (and/or 
perhaps option for the output to be added to a specified column on the 
Hobbit display).

As for executing remote commands being a security risk, other monitoring 
programs like Nagios do this (over ssh), and as pointed out it is 
already possible via using backticks in the log directive.  Honestly if 
someone roots your hobbit server they wouldn't need much help getting 
into everything else. You should be running the hobbit clients as a 
non-privledged user, and could even put them in a chroot jail if you 
want to sleep better at night :)

-Charles

Haertig, David F (Dave) wrote:
> It doesn't matter to me if you add this new feature or not.  It might be
> nice, but it's not a deal-breaker.
>
> However, the ability to run arbitrary commands on the client as directed
> from the server end is already there.  Via the backticks in the log
> directive.  A new "addon" directive might make this easier to access an
> dgive it more visibility, but the ability to do remote damage already
> exists. 
>
> -----Original Message-----
> From: Henrik Stoerner [mailto:henrik at hswn.dk] 
> Sent: Monday, June 11, 2007 2:48 PM
> To: hobbit at hswn.dk
> Subject: Re: [hobbit] How to run an arbitary script on the client end?
>
> On Mon, Jun 11, 2007 at 04:22:08PM -0400, Kern, Thomas wrote:
>   
>> Would this new ADDON feature be configured at the server side or on 
>> each client?
>>     
>
> Server-side, in the client-local.cfg file.
>
>   
>> I have a gut reaction against some other server being able to 
>> arbitrarily execute commands on my systems
>>     
>
> I agree. When I wrote the client, I actually did think about doing
> something like this, but decided against it for that very reason.
>
> And if you're the only one who wants it, then I'll probably NOT
> implement it.
>
>   
>> but I know who runs our
>> hobbit server. I am also against having to modify each hobbit client 
>> that I run if I come up with a new nifty ADDON. I have not looked into
>>     
>
>   
>> the update/upgrade mechanism since I know the hobbit-server admin, but
>>     
>
>   
>> is there some authentication of the updates/upgrades/new_ADDONs that 
>> can be done so that they only come from a trusted source?
>>     
>
> Updates are only downloaded from the Hobbit server. But apart from that,
> there's no authentication of the new client code.
>
>
> Regards,
> Henrik
>
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20070611/ebb1a670/attachment.html>


More information about the Xymon mailing list