MRTG how safe is it?

Matthew Hawkins matthew at
Thu Sep 13 18:37:00 EST 2001

On Thu, 13 Sep 2001, Stephen Granger wrote:
> Running a shell script as nobody seems safe, what owneship, and other stuff
> could I do to improve the security?

Make sure the "nobody" user cannot read and definately not write to any
filesystem you don't want it to access

# su nobody
% find /

and fix permissions with chmod accordingly.

> After skimming the man for inetd.conf I didn't find anything that could help
> me out, and I'm not really sure where to start looking... or what to type
> into google :)

My first question after reading those scripts is "Why?".  I'm not sure
what the purpose of running from inetd is at all.  mrtg will quite
happily execute anything you permit it to, so the lines reading:

Target[]: `/usr/bin/nc 9052`

could quite easily be

Target[]: `/usr/local/sbin/mrtg-mailstats`

instead, and you can do away with using inetd altogether.  This seems
infinately more secure to me as you are not opening the script to any
outsiders via inetd or relying on features of certain inetd programs
(like rlinetd & xinetd) to protect you if you do anyway, there's two
less points of failure in the system (inetd & netcat), there's no
network traffic involved, ...


More information about the linux mailing list