Changing permissions of postfix's "local"
Paul Schulz
pschulz01 at gmail.com
Wed Dec 13 20:51:26 UTC 2006
Hi Ingo,
Another method is to use a 'procmail' recipe for the nagios user, to
execute a script when it receives mail. (I don't have a Ubuntu example, but
I have done this in the past with Debian.)
This gives you two benefits:
1. You don't need to change the owner of postfix, together with the
security implications.
2. You get finer-grained control on what scripts execute and when.
- Install the 'procmail' package..
- Create a '.procmailrc' file in the nagios account. see 'man 5
procmailrc' for details.
(I would guess you would need something that looks like..)
----
:0 w # pass along all to script
| /path/to/nagios /usr/local/nagios/...
-----
Cheers,
Paul
On 12/13/06, Daniel Pittman <daniel at rimspace.net> wrote:
> Ingo Lantschner <ingo.lists at vum.at> writes:
>
> > I am using Ubuntu Server 6.06 as base OS for a Nagios
> > system monitor. Yesterday I was looking for a way to feed alerts sent
> > as emails from RAID-controllers like 3ware. First it was quite simple:
> > Adding a line to /etc/aliases
> >
> > nagios: "|/usr/local/nagios/libexec/eventhandlers/handle-RAID-mail"
> >
> > Writing the script was not the problem, but the permissions
> > were. Nagios uses a pipe which is for obvious reasons not writable by
> > nobody:nogroup.
> >
> > In order to get around this problem I changed the user running "local":
> > $ sudo postconf -e default_privs=nagios
> >
> > Now the emails go straight into Nagios.
> >
> > BUT: What are the security implications of tampering with the
> > permissions of postfix? Any input is welcome.
>
> Now *all* alias delivery, and unprivileged actions in Postfix, will
> default to being done as the Nagios user. That means that any security
> flaw in code run by Postfix during delivery has the capability to access
> Nagios data.
>
> A more likely problem, though, is that you will propagate ownership of
> files by Nagios where they shouldn't be, or that some accident will
> cause problems by damaging Nagios data.
>
>
> A better approach would be to have that one alias deliver through a
> suitable setuid program that switches to the Nagios user for the one
> process.
>
> The easy way to do that, of course, is to use a pre-existing tool
> designed for the purpose of changing userid. One that is already well
> integrated into Ubuntu and available to you:
>
> Add to your sudoers file a line akin to this:
>
> nobody ALL=(nagios) NOPASSWD: /usr/local/nagios/...
>
> Then arrange for your alias to use sudo to change to the appropriate
> user before running your script:
>
> nagios: "|/usr/bin/sudo -u nagios /usr/local/nagios/..."
>
> I can't recall if alias delivery allows parameters, but I believe it
> does. If not, wrap that in a trivial shell script.
>
> Regards,
> Daniel
> --
> Digital Infrastructure Solutions -- making IT simple, stable and secure
> Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
> http://digital-infrastructure.com.au/
>
>
> --
> ubuntu-server mailing list
> ubuntu-server at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
>
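The sudo-based alternative from the quoted reply, as an added example (not code from the thread or from Nagios): a wrapper that the alias runs via sudo as the nagios user, leaving default_privs untouched. It also adds the check a practitioner wants once an alias triggers a handler: only messages whose headers match an allowed sender and a RAID-looking subject reach the handler, since anyone able to mail nagios@ can otherwise run it. The wrapper path, HANDLER and ALLOWED_SENDER are assumptions; the thread elides the real handler path.

```shell
#!/bin/sh
# raid-mail-wrapper: invoked from /etc/aliases via sudo, e.g.
#   nagios: "|/usr/bin/sudo -u nagios /usr/local/nagios/libexec/eventhandlers/raid-mail-wrapper"
# with a matching sudoers entry for the 'nobody' user, so postfix's
# default_privs stays unchanged. The wrapper path, HANDLER and
# ALLOWED_SENDER are assumptions, not values from the thread.
HANDLER="${HANDLER:-/usr/local/nagios/libexec/eventhandlers/handle-RAID-mail}"
ALLOWED_SENDER="${ALLOWED_SENDER:-raid@localhost}"

# raid_alert_p: read a message on stdin and return 0 only when the header
# section has a From: containing ALLOWED_SENDER and a Subject: that looks
# like a RAID controller alert. Only the header section is inspected; the
# body is never parsed, so body text cannot satisfy the check.
raid_alert_p() {
    from=""; subject=""
    while IFS= read -r line; do
        [ -z "$line" ] && break           # first blank line ends the headers
        case "$line" in
            From:*)    from=${line#From:} ;;
            Subject:*) subject=${line#Subject:} ;;
        esac
    done
    case "$from" in *"$ALLOWED_SENDER"*) ;; *) return 1 ;; esac
    case "$subject" in *3ware*|*RAID*) return 0 ;; *) return 1 ;; esac
}

main() {
    # Refuse to run the handler as anyone but nagios, even if sudo was skipped.
    [ "$(id -un)" = nagios ] || exit 77       # EX_NOPERM
    msg=$(mktemp) || exit 75                  # EX_TEMPFAIL: postfix retries
    trap 'rm -f "$msg"' EXIT
    cat > "$msg"                              # spool the message once
    # Drop anything else with exit 0 so postfix does not bounce it and the
    # sender learns nothing about the handler.
    raid_alert_p < "$msg" || exit 0
    "$HANDLER" < "$msg"
}

# Run main only when executed as the wrapper, not when sourced for testing.
if [ "${0##*/}" = raid-mail-wrapper ]; then main; fi
```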