From a6611b1e19bf49a2c42f3087c980c5aad78d5fc2 Mon Sep 17 00:00:00 2001 From: Jan Wagner Date: Wed, 2 Jul 2014 13:54:23 +0200 Subject: [PATCH] check_icmp/check_dhcp: Implementing setcap --- debian/README.Debian | 18 ++++++++++++------ debian/control | 1 + debian/monitoring-plugins-basic.postinst | 17 +++++++++++++++++ 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/debian/README.Debian b/debian/README.Debian index a3f4378..b17f17a 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -65,14 +65,20 @@ example if you're installing nrpe or nsca on a remote host), try the monitoring-plugins-basic package. ================================================================================ -plugins needing root privilege +plugins needing root privilege or capabilities(7) set ================================================================================ -the check_dhcp, check_icmp and maybe others plugins require root privileges to -run, because of the low-level packet mangling that they perform. -but, in the interest of the "safe default", these plugins will not -be installed with the suid bit set. there are two recommended ways -about overriding this on your system: +the check_dhcp, check_icmp and maybe others plugins require root privileges or +capabilities(7) to run, because of the low-level packet mangling that they +perform. but, in the interest of the "safe default", these plugins will not +be installed with the suid bit set. +if setcap is able set the necessary capabilities, you are fine. if the setcap +binary is not installed or not able to set the capabilities, you need to +eighter set the capabilities (cap_net_raw+ep) for your own or provide root +privileges. + +there are two recommended ways about providing root privilegethis on your +system: - set the suid bit with dpkg-statoverride: diff --git a/debian/control b/debian/control index b32f2cc..a93ba0b 100644 --- a/debian/control +++ b/debian/control 
@@ -38,6 +38,7 @@ Description: Common files for plugins for nagios compatible monitoring Package: monitoring-plugins-basic Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, monitoring-plugins-common, procps, iputils-ping [linux-any], inetutils-ping (>= 2:1.9-1~) [kfreebsd-any hurd-any], ucf +Recommends: libcap2-bin [linux-any] Replaces: nagios-plugins-basic (<< 1.6-1~) Breaks: nagios-plugins-basic (<< 1.6-1~) Suggests: nagios3 | icinga diff --git a/debian/monitoring-plugins-basic.postinst b/debian/monitoring-plugins-basic.postinst index a753cba..2a68e0e 100644 --- a/debian/monitoring-plugins-basic.postinst +++ b/debian/monitoring-plugins-basic.postinst @@ -4,9 +4,26 @@ set -e templdir=/usr/share/monitoring-plugins/templates-basic . /usr/share/monitoring-plugins/dpkg/functions +plugindir=/usr/lib/nagios/plugins/ if [ "$1" = "configure" ]; then register_cfgs $2 + + # If we have setcap is installed, try setting cap_net_raw+ep, + # which allows us to make our binaries working without the + # setuid bit + if command -v setcap > /dev/null; then + if setcap cap_net_raw+ep ${plugindir}/check_icmp cap_net_raw+ep ${plugindir}/check_dhcp; then + echo "Setcap for check_icmp and check_dhcp worked!" + else + echo "Setcap for check_icmp and check_dhcp failed." >&2 + echo "Please refer README.Debian.gz for using plugins needing" >&2 + echo "higher privileges!" >&2 + fi + else + echo "Setcap is not installed, please refer README.Debian.gz for using" >&2 + echo "plugins needing higher privileges!" >&2 + fi fi #DEBHELPER#
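
Review bot: The added README.Debian paragraph has wording errors that make the fallback instructions hard to follow: "if setcap is able set" is missing "to", "eighter" should be "either", "for your own" should be "on your own", and "providing root privilegethis on your system" is two phrasings run together. Since this text is what the postinst messages send the admin to when setcap is missing or fails, it would also help to spell out the manual step as the command the postinst runs, `setcap cap_net_raw+ep` on check_icmp and check_dhcp under /usr/lib/nagios/plugins, instead of only naming the capability in parentheses.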
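
Review bot: In the debian/control hunk, making libcap2-bin a Recommends means the capabilities are only applied if setcap already exists when monitoring-plugins-basic is configured. If libcap2-bin is installed afterwards, the postinst is not run again and check_icmp and check_dhcp stay without cap_net_raw until the next upgrade or reconfigure. Either document that case in README.Debian (reconfigure the package, or run setcap by hand) or reconsider whether a stronger relationship is wanted on linux-any.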
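
Review bot: In the postinst hunk, the `setcap cap_net_raw+ep ...` call runs on every configure with no way for the local admin to opt out and no check for an existing dpkg-statoverride entry, although README.Debian still describes these plugins as shipped with a "safe default" and recommends dpkg-statoverride for the setuid case. With cap_net_raw+ep on the file, any user allowed to execute check_icmp or check_dhcp runs it with CAP_NET_RAW, so this changes the default privilege of the package. Suggest skipping setcap when a statoverride exists for the file and stating the new default in the README. Smaller points in the same block: both files are set in one setcap invocation, so the "failed" message cannot say which file failed or whether the first was already changed; `plugindir` ends in a slash and is then used as `${plugindir}/check_icmp`, giving a double slash, and the expansions are unquoted; the comment "If we have setcap is installed" needs rewording.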