check_icmp/check_dhcp: Implementing setcap
parent 9c42541756
commit a6611b1e19
3 changed files with 30 additions and 6 deletions
debian/README.Debian (18 changes)
			@ -65,14 +65,20 @@ example if you're installing nrpe or nsca on a remote host), try the
monitoring-plugins-basic package.
================================================================================
plugins needing root privilege
plugins needing root privilege or capabilities(7) set
================================================================================
the check_dhcp, check_icmp and maybe others plugins require root privileges to
run, because of the low-level packet mangling that they perform.
but, in the interest of the "safe default", these plugins will not
be installed with the suid bit set.  there are two recommended ways
about overriding this on your system:
the check_dhcp, check_icmp and maybe others plugins require root privileges or
capabilities(7) to run, because of the low-level packet mangling that they
perform. but, in the interest of the "safe default", these plugins will not
be installed with the suid bit set.
if setcap is able set the necessary capabilities, you are fine. if the setcap
binary is not installed or not able to set the capabilities, you need to
eighter set the capabilities (cap_net_raw+ep) for your own or provide root
privileges.
there are two recommended ways about providing root privilegethis on your
system:
- set the suid bit with dpkg-statoverride:
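
Review bot: The new paragraph starting "if setcap is able set the necessary capabilities" is hard to follow as written and leaves the manual path unspecified. "able set" is missing "to", "eighter" should be "either", "for your own" presumably means "yourself", and "providing root privilegethis on your system" looks like a half-finished edit of the old sentence. Since the text tells the admin to set cap_net_raw+ep by hand when the postinst could not, it should give the exact command, i.e. the same setcap invocation the postinst uses with the full plugin paths, and say how to verify the result with getcap. It would also help to state that the capability route and the suid route are alternatives, so an admin who sets the suid bit through dpkg-statoverride knows whether the capability is still needed.
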
debian/control (1 change)
			@ -38,6 +38,7 @@ Description: Common files for plugins for nagios compatible monitoring
Package: monitoring-plugins-basic
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, monitoring-plugins-common, procps, iputils-ping [linux-any], inetutils-ping (>= 2:1.9-1~) [kfreebsd-any hurd-any], ucf
Recommends: libcap2-bin [linux-any]
Replaces: nagios-plugins-basic (<< 1.6-1~)
Breaks: nagios-plugins-basic (<< 1.6-1~)
Suggests: nagios3 | icinga
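
Review bot: The added "Recommends: libcap2-bin [linux-any]" does not guarantee that setcap is available when the postinst runs. Systems installed with recommended packages disabled never get it, and a Recommends relationship carries no ordering guarantee relative to this package's configure step, so the postinst can take its "Setcap is not installed" branch even when both packages are part of the same installation. If the capability is meant to be the default way check_icmp and check_dhcp get their privilege, consider a Depends restricted to linux-any; if it is meant to stay optional, say so in README.Debian so that the warning is the expected outcome rather than a surprise.
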
debian/monitoring-plugins-basic.postinst (17 changes)
			@ -4,9 +4,26 @@ set -e
templdir=/usr/share/monitoring-plugins/templates-basic
. /usr/share/monitoring-plugins/dpkg/functions
plugindir=/usr/lib/nagios/plugins/
if [ "$1" = "configure" ]; then
	register_cfgs $2
	# If we have setcap is installed, try setting cap_net_raw+ep,
	# which allows us to make our binaries working without the
        # setuid bit
	if command -v setcap > /dev/null; then
		if setcap cap_net_raw+ep ${plugindir}/check_icmp cap_net_raw+ep ${plugindir}/check_dhcp; then
			echo "Setcap for check_icmp and check_dhcp worked!"
		else
			echo "Setcap for check_icmp and check_dhcp failed." >&2
			echo "Please refer README.Debian.gz for using plugins needing" >&2
			echo "higher privileges!" >&2
		fi
	else
		echo "Setcap is not installed, please refer README.Debian.gz for using" >&2
		echo "plugins needing higher privileges!" >&2
	fi
fi
#DEBHELPER#
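
Review bot: The setcap call in the configure branch runs unconditionally on every install and upgrade, so it ignores local policy: an admin who registered a dpkg-statoverride for check_icmp or check_dhcp (the route README.Debian recommends), or who deliberately removed the capability, gets cap_net_raw+ep added back each time. Check dpkg-statoverride --list for each file first and skip setcap when an override exists. This also changes the "safe default" described in README.Debian: the plugins still do not ship suid, but after this postinst they carry cap_net_raw for every user who may execute them, which the README should state explicitly. Smaller points: both files go through one setcap invocation, so a failure on check_dhcp is reported as a failure for both even if check_icmp was already updated; plugindir ends in a slash and is expanded unquoted, giving paths like /usr/lib/nagios/plugins//check_icmp; and the comment "If we have setcap is installed" and the space-indented "# setuid bit" line need tidying.
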