[Pkg-zenoss-team] Re: [Zenoss] #1446: Use of sudo introduces
unnecessary security risk
Zenoss
trac at zenoss.org
Fri May 11 16:15:31 UTC 2007
#1446: Use of sudo introduces unnecessary security risk
----------------------+-----------------------------------------------------
Reporter: zenoss | Owner: ecn
Type: defect | Status: new
Priority: blocker | Milestone: zenoss-2.0
Component: All | Version: 1.8.2
Resolution: | Keywords: security
----------------------+-----------------------------------------------------
Comment (by chris):
This doesn't solve the zenping problem but it addresses zentrap and
zensyslog...
What if you configured zentrap and zensyslog to bind to unprivileged ports
(1162 and 1514 for example)? Then they don't require root privileges at
all.
We could then use some other command or utility to set up a simple forward
from UDP:162 to UDP:1612 (and the same for syslog).
That proxy command is the only thing that needs to run as root.
It might not work tho depending on how zentrap/zensyslog interpret the
sender of the datagram. If zentrap/zensyslog extract the sender of
the datagram and use that as the device ip address then it's not going to
work (because all the messages will appear to come from localhost).
Maybe there's an iptables rule we could use to forward the datagrams?
Just a few ideas of how we can approach it. It doesn't solve the zenping
issue at all tho... For that we'd probably need the ping daemon...
--
Ticket URL: <http://dev.zenoss.org/trac/ticket/1446#comment:4>
Zenoss <http://example.com/>
Zenoss Monitoring System
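The sender-address concern raised in the comment above, as an added example that is not part of the original message or of Zenoss: a naive userspace UDP relay on loopback, where the collector (standing in for zentrap/zensyslog on an unprivileged port) sees the relay's socket as the sender. All names, ports (chosen by the OS) and the payload are constructed for the demo.

```python
import socket
import threading


def udp_socket():
    """Loopback UDP socket on an OS-chosen unprivileged port, 2 s timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(2)
    return s


def relay_once(front, target, seen_by_relay):
    """Naive forwarder: read one datagram and re-send it from a new socket."""
    data, original_sender = front.recvfrom(4096)
    seen_by_relay.append(original_sender)   # the relay still knows the device
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    out.sendto(data, target)                # new socket, so new source address
    out.close()


def demo():
    collector = udp_socket()   # stands in for zentrap/zensyslog (e.g. port 1162)
    front = udp_socket()       # stands in for the privileged port (e.g. UDP:162)
    device = udp_socket()      # stands in for the monitored device
    seen_by_relay = []
    t = threading.Thread(
        target=relay_once,
        args=(front, collector.getsockname(), seen_by_relay),
    )
    t.start()
    device.sendto(b"constructed test datagram", front.getsockname())
    payload, seen_by_collector = collector.recvfrom(4096)
    t.join()
    result = {
        "device": device.getsockname(),
        "seen_by_relay": seen_by_relay[0],
        "seen_by_collector": seen_by_collector,
        "payload": payload,
    }
    for s in (collector, front, device):
        s.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On loopback only the source port differs; across a network the collector would see the relay host's IP for every device. A kernel NAT redirect (iptables `REDIRECT` in the `nat` table) rewrites only the destination, so the original source address reaches the collector unchanged.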