MRTG how safe is it?
Matthew Hawkins
matthew at topic.com.au
Thu Sep 13 18:37:00 EST 2001
On Thu, 13 Sep 2001, Stephen Granger wrote:
> http://portal.aphroland.org/mrtg-config/
>
> Running a shell script as nobody seems safe, what owneship, and other stuff
> could I do to improve the security?
Make sure the "nobody" user cannot read and definately not write to any
filesystem you don't want it to access
# su nobody
% find /
and fix permissions with chmod accordingly.
> After skimming the man for inetd.conf I didn't find anything that could help
> me out, and I'm not really sure where to start looking... or what to type
> into google :)
My first question after reading those scripts is "Why?". I'm not sure
what the purpose of running from inetd is at all. mrtg will quite
happily execute anything you permit it to, so the lines reading:
Target[mail.graphon.com.mailbytes]: `/usr/bin/nc mail.graphon.com 9052`
could quite easily be
Target[mail.graphon.com.mailbytes]: `/usr/local/sbin/mrtg-mailstats`
instead, and you can do away with using inetd altogether. This seems
infinately more secure to me as you are not opening the script to any
outsiders via inetd or relying on features of certain inetd programs
(like rlinetd & xinetd) to protect you if you do anyway, there's two
less points of failure in the system (inetd & netcat), there's no
network traffic involved, ...
--
Matt
More information about the linux
mailing list