4

Nagios has a plugin, check_dhcp, that does exactly what you'd think. It's widely suggested to install it setuid root, because it uses SO_BINDTODEVICE, which usually only root can do. Of course a similar thing can be accomplished with sudo as well, but it remains that check_dhcp would be executing with the whole of root privileges when it doesn't need them.

Unfortunately, check_dhcp seems to be rather stupidly written for this usage, and does not make any attempt to drop root privileges after doing what it needs to do. This leads to at least one known security problem, but just generally is bad practice and I'd like to not do it.

So I'm wondering, is there some way I can enable check_dhcp to do its necessary network interface frobbing, without granting it outright all root privileges? Perhaps something with capabilities, SELinux, AppArmor, or similar? Looking for a Linux solution -- Ubuntu 14.04 in particular.

Phil Frost
  • 637
  • 5
  • 18
  • Why wouldn't sudo work? – EEAA Jul 23 '14 at 13:37
  • @EEAA because just like setuid, it grants the process root privileges outright. `sudo` is *somewhat* better in that I can restrict which users can rootify the process, but the fact remains that most of `check_dhcp` will execute with root privileges when in fact it has no need for them after it has applied `SO_BINDTODEVICE` to the socket. sudo is also somewhat worse in that I have to modify the nagios configuration to invoke the plugin via sudo, and configure sudo in the first place. All possible for sure, but somewhat inconvenient. – Phil Frost Jul 23 '14 at 13:40

2 Answers2

10

SO_BINDTODEVICE requires CAP_NET_RAW. check_dhcp also wants to bind to port 68, which requires CAP_NET_BIND_SERVICE. See capabilities(7) for detailed descriptions of the available capabilities.

These two capabilities can be granted to the executable with setcap, like this:

setcap 'cap_net_raw,cap_net_bind_service=+ep' /usr/lib/nagios/plugins/check_dhcp

This should allow any user to run check_dhcp successfully, without possibly (if they can exploit check_dhcp) giving them full root privileges.

The plugin will still (rather stupidly) emit a warning:

$ ./check_dhcp 
Warning: This plugin must be either run as root or setuid root.
To run as root, you can use a tool like sudo.
To set the setuid permissions, use the command:
    chmod u+s yourpluginfile
OK: Received 2 DHCPOFFER(s), max lease time = 259200 sec.

To address this, you could:

  • Ignore it. Nagios will still look at the exit status to get the plugin state.
  • Remove the call to np_warn_if_not_root and recompile.
  • Use the monitoring-plugins.org fork of the Nagios plugins, which has fixed this issue. debmon.org has Debian packages available.
  • Modify the Nagios command definition to run the plugin through grep, removing the warning. Of course you must now take care to not alter the plugin's exit code, so maybe you want to wrap that up in a script:
#!/bin/bash
/usr/lib/nagios3/plugins/check_dhcp | egrep -v 'run as root|^To |chmod u\+s'
exit "${PIPESTATUS[0]}"
Phil Frost
  • 637
  • 5
  • 18
  • If only Nagios and its child projects could be relieved of their crappy old development methodologies, this would be pretty trivial to fix in a pull request, checking for the specific capability rather than just root or the setuid flag. – peelman Jul 23 '14 at 21:21
  • @peelman sounds like you want https://www.monitoring-plugins.org/ – Phil Frost Jul 23 '14 at 21:23
  • 1
    @peelman in fact, looks like someone [already did it](https://github.com/monitoring-plugins/monitoring-plugins/commit/ba21e26443385dd283d08e0419ff6ff25fedd0e8). – Phil Frost Jul 23 '14 at 21:24
  • Damn...its too easy to forget that site exists. – peelman Jul 23 '14 at 21:31
  • 1
    @peelman If only Debian and its child projects could be relieved of their crappy old development methodologies, this would be pretty trivial to fix in a pull request, replacing the crappy nagios-plugins package with a vastly superior fork. – Phil Frost Jul 23 '14 at 21:39
  • http://debmon.org/packages – Keith Jul 24 '14 at 15:42
2

With most of the standard (written in C) plugins, there are alternative (not C) implementations on Nagios Exchange.

For example, there's a perl check_dhcp that's really just a wrapper around dhcping. Of course, the dhcping binary demands to be run via root/sudo/setuid-root too, but perhaps that binary is less of a security concern for you than the stock check_dhcp plugin.

Keith
  • 4,627
  • 14
  • 25