Changing permissions of postfixs "local"

Daniel Pittman daniel at rimspace.net
Wed Dec 13 13:16:32 UTC 2006 

Ingo Lantschner <ingo.lists at vum.at> writes:

> I am using Ubuntu Server 6.06 as base os for a Nagios
> systemmonitor. Yesterday I was looking for a way to feed alerts send
> as emails from RAID-controllers like 3ware. First it was quite simple:
> Adding a line to /etc/aliases
>
> nagios: "|/usr/local/nagios/libexec/eventhandlers/handle-RAID-mail"
>
> Writing the script was not the problem, but the permissions
> were. Nagios uses a pipe which is for obvious reasons not writable by
> nobody:nogroup.
>
> In order to get around this problem I changed the user runing "local":
> $ sudo postconf -e default_privs=nagios
>
> Now the emails go straight into Nagios.
>
> BUT: What are the security implications of tampering with the
> permissions of postfix? Any input is welcome

Now *all* alias delivery, and unprivileged actions in Postfix, will
default to being done as the Nagios user.  That means that any security
flaw in code run by Postfix during delivery has the capability to access
Nagios data.

A more likely problem, though, is that you will propagate ownership of
files by Nagios where they shouldn't be, or that some accident will
cause problems by damaging Nagios data.


A better approach would be to have that one alias deliver through a
suitable setuid program that switches to the Nagios user for the one
process.

The easy way to do that, of course, is to use a pre-existing tool
designed for the purpose of changing userid.  One that is already well
integrated into Ubuntu and available to you:

Add to your sudoers file a line akin to this:

    nobody  ALL=(nagios) NOPASSWD: /usr/local/nagios/...

Then arrange for your alias to use sudo to change to the appropriate
user before running your script:

    nagios: "|/usr/bin/sudo -u nagios /usr/local/nagios/..."

I can't recall if alias delivery allows parameters, but I believe it
does.  If not wrap that in a trivial shell script.

Regards,
        Daniel
-- 
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707        email: contact at digital-infrastructure.com.au
                 http://digital-infrastructure.com.au/

More information about the ubuntu-server mailing list